How to Ensure Windows Integrated Logons in Internet Information Services 5.0

• Microsoft Internet Information Services version 5.0

SUMMARY

Internet Information Services (IIS) 5.0 handles user logons differently than previous versions of IIS. With the new Windows 2000 security, IIS now supports Kerberos authentication using Negotiate headers.

When a user logs on, if Integrated Windows Authentication has been selected in the Internet Service Manager, a browser will be passed a Negotiate header from the server. allowing a decision to be made on whether to use Kerberos authentication or Windows Integrated authentication (formerly called NTLM, or NT Challenge/Response). NOTE: At the time of this writing, only Internet Explorer 5.0 supports this process.


You may decide to skip the negotiation process and use only Windows Integrated authentication. To do this, perform following steps (you must have the Windows Script Host installed for this to work properly):

1. Open a command prompt and navigate to the Inetpub\AdminScripts directory.



2. Type the following command: "adsutil get w3svc\NTAuthenticationProviders" (without the quotation marks). If you receive an error message, try: "cscript adsutil.vbs get w3svc\NTAuthenticationProviders" (without the quotation marks).



3. The value of this property should be "Negotiate, NTLM." This means that a Negotiate packet will be sent to the browser first and if it fails, Windows Integrated authentication (NTLM) will be used.



4. To ensure that only Windows Integrated authentication is used, type one of the following commands:
   

   adsutil set w3svc\NTAuthenticationProviders "NTLM"
   
   -OR-
   
   cscript adsutil.vbs set w3svc\NTAuthenticationProviders "NTLM"

   Note: Be sure to use the quotation marks around the word NTLM.

Additional query words: adsutil Kerberos

Keywords :
Version : winnt:5.0
Platform : winnt
Issue type : kbhowto