Thursday, April 19, 2007

How to Disable Kerberos on Windows 2003 using NTAuthenticationProviders

If your IIS website / service
  • Is running as an account other than NetworkService
  • or isn't being accessed via the server's AD name (eg through an alternate URL, or load balanced alias)
...then Kerberos authentication will fail, because the client doesn't know who the server is to start the ticket exchange process.

In both cases getting the right SPN added into AD will fix things, but sometimes this can be problematic. However you can explicitly downgrade the virtual directory to only use NTLM authentication by setting the NTAuthenticationProviders property. There's no UI for this, so you have to set it on your IIsWebVirtualDir in the metabase, eg (for IIS 6 \ Windows 2003):

cscript C:\inetpub\adminscripts\adsutil.vbs //nologo SET W3SVC/1/Root/MyApp/NTAuthenticationProviders NTLM

Then everything (?) works again. Hooray.

This is discussed at the very bottom of this article: http://support.microsoft.com/kb/215383
NB: For Windows 2000 you can only set this at a site-level, not an application level, as the article outlines.
Posted by at
Labels:

1 comment:

piers7 said...

If you want to fix this 'properly' with SetSPN, here's a good overview:


How to use SPNs when you configure Web applications that are hosted on IIS 6.0

20:14

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • ThreadStatic, CallContext and HttpContext in ASP.Net
    Summary: Even if you think you know what you're doing, it is not safe to store anything in a ThreadStatic member, CallContext or Thread...
  • 3 PowerShell Array Gotchas
    I love PowerShell, and use it for pretty much everything that I’m not forced to compile. As a result I’ve got fairly competent, and people h...
  • 64 Bit Explained
    Look, it’s really not that hard. Programs are still in the same place, in %ProgramFiles%, unless you need the 32 bit version, which is in...