Windows Server 2008 IIS 7: 401 Unauthorized with NTLM after Kerberos has been set up

Windows Server 2008 does not give you the option to switch the authentication provider the way Windows Server 2008 R2 does.

So by default, if Kerberos is set up on the server, it will try to authenticate with Kerberos first and then NTLM, even when you have Windows authentication enabled.

To resolve this, you need to remove the Negotiate provider from the site you are hosting in order to get Windows authentication working.

Run the following commands to remove the provider from IIS on a specific site. They enable Windows authentication and remove the Negotiate provider for a site named "SiteName":

appcmd.exe set config "SiteName" -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" /commit:apphost

appcmd.exe set config "SiteName" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost

* appcmd.exe is located at %systemroot%\system32\inetsrv\
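
One way to script the removal with a check of the provider list before and after the change, as an added PowerShell example that is not part of the original post. It assumes an elevated prompt; the site name "SiteName" and the backup name are placeholders.

```powershell
# Added example. 'SiteName' and the backup name are placeholders.
$appcmd  = Join-Path $env:SystemRoot 'system32\inetsrv\appcmd.exe'
$site    = 'SiteName'
$section = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WinAuthProviders {
    # "list config" prints the effective section as an XML fragment;
    # collect the value of each <add value="..."/> under <providers>.
    $text = & $appcmd list config $site "-section:$section" | Out-String
    if ($LASTEXITCODE -ne 0) { throw "appcmd list config failed: $text" }
    $xml = [xml]$text
    @($xml.SelectNodes('//providers/add') | ForEach-Object { $_.GetAttribute('value') })
}

$before = Get-WinAuthProviders
Write-Host ("Providers before: " + [string]::Join(', ', $before))

if ($before -notcontains 'Negotiate') {
    Write-Host 'Negotiate is not configured for this site; nothing to remove.'
}
elseif ($before -notcontains 'NTLM') {
    # Removing the only provider would leave Windows authentication with none.
    throw 'NTLM is not in the provider list; refusing to remove Negotiate.'
}
else {
    # Snapshot the configuration first; roll back with
    # "appcmd restore backup <name>" if the change has to be undone.
    $backup = 'before-negotiate-removal-{0:yyyyMMddHHmmss}' -f (Get-Date)
    & $appcmd add backup $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not create the configuration backup.' }

    & $appcmd set config $site "-section:$section" "/-providers.[value='Negotiate']" /commit:apphost
    if ($LASTEXITCODE -ne 0) { throw 'appcmd set config failed.' }

    $after = Get-WinAuthProviders
    Write-Host ("Providers after: " + [string]::Join(', ', $after))
    if ($after -contains 'Negotiate') { throw 'Negotiate is still listed after the change.' }
}
```

With Negotiate removed, clients of this site no longer authenticate with Kerberos and use NTLM only, so apply the change to the specific site rather than server-wide.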

References

http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe#HowToUse

http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication/providers