Window Server 2008 IIS 7: 401 Unauthorized with NTLM after kerberos have been setup

In Window Server 2008, you don’t have the option to switch the provider like in Window Server 2008 r2.

So by default, if there are kerberos setup on the server, it will try to authenticate with kerberos first then NTLM even you have windows authentication enabled.

If you want to get this resolve, you will need to remove the Negotiate provider from the site you are hosting in order to get windows authentication working.

So you need to execute the following commands to remove the provider from IIS on a specific site:

The following code examples will enable Windows authentication and remove the Negotiate provider for a site named “SiteName”

appcmd.exe set config “SiteName” -section:system.webServer/security/authentication/windowsAuthentication /enabled:”True” /commit:apphost

appcmd.exe set config “SiteName” -section:system.webServer/security/authentication/windowsAuthentication /-“providers.[value=’Negotiate’]” /commit:apphost

* appcmd.exe is located at %systemroot%\system32\inetsrv\



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s