Saturday, March 26, 2011

IIS and setting NTAuthenticationProviders and authNTLM

More than once now I've run into situations with the NTLM configuration in IIS where the GUI setting alone doesn't do everything needed to properly configure Integrated Windows Authentication for a web site. Earlier this week I was asked to look into a situation for a project team where Firefox wasn't prompting them for a username/password in one environment (they'd just get an HTTP 401.2 error), yet it did give them the prompt in another environment. (IE was running fine in both environments, by the way.)

I went through all the IIS GUI settings on both servers and the two boxes looked identical. Since this appeared to be an issue with integrated authentication, I ran this script:

cscript c:\inetpub\Adminscripts\adsutil.vbs GET W3SVC/WEB_SITE_Number/ROOT/NTAuthenticationProviders

which showed that the working server had nothing set for this property (it was simply not set), while the server giving them problems returned 'Negotiate,NTLM'. I then cleared NTAuthenticationProviders on the problem server by running the same script with 'SET' instead of 'GET' and an empty string ('') as the value, and that fixed it.

Note: I understand the above setting to be different from the one below; I've hit this issue more than once at work and confirmed that this is the case. The script below, as I understand it, is the same as the Windows Integrated Authentication checkbox on the Directory Security tab in IIS:

cscript c:\inetpub\adminscripts\adsutil.vbs SET W3SVC/WEB_SITE_Number/ROOT/vDir_Name/authNTLM TRUE
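As an added example that is not part of the original post: a PowerShell function that reads both settings discussed above (NTAuthenticationProviders at the site root and authNTLM at the vDir) through the IIS metabase ADSI provider, the same store adsutil.vbs edits, so the two can be compared side by side on each server. It assumes a local administrator session on IIS 6 (or IIS 7 with the IIS 6 Metabase Compatibility role service); the function name, the site number and the vDir name in the usage lines are placeholders.

```powershell
# Added example, not from the original post. Reads the two metabase properties
# the post distinguishes, via the same ADSI provider adsutil.vbs drives.
# Assumes: local administrator session on IIS 6, or IIS 7 with the
# "IIS 6 Metabase Compatibility" role service. $SiteId is the number the post
# writes as WEB_SITE_Number; $VDir is the post's vDir_Name.
function Get-IisNtlmSettings {
    param(
        [Parameter(Mandatory)][int]$SiteId,
        [string]$VDir = ''
    )

    $rootPath = "IIS://localhost/W3SVC/$SiteId/ROOT"
    $vdirPath = if ($VDir) { "$rootPath/$VDir" } else { $rootPath }
    $root = [ADSI]$rootPath
    $vdir = [ADSI]$vdirPath

    # IADs.Get throws when the property is not set at that node. The post's
    # working server was exactly that case, so treat the exception as "not set".
    $providers = $null
    try   { $providers = [string]$root.Get('NTAuthenticationProviders') }
    catch { $providers = $null }

    # authNTLM is the per-node boolean behind the Integrated Windows
    # Authentication checkbox; it is inheritable, so read it at the vDir.
    $authNtlm = $null
    try   { $authNtlm = [bool]$vdir.Get('AuthNTLM') }
    catch { $authNtlm = $null }

    [pscustomobject]@{
        Site                      = $SiteId
        Node                      = $vdirPath
        NTAuthenticationProviders = if ($null -eq $providers) { '<not set>' } else { $providers }
        AuthNTLM                  = $authNtlm
        # The post's symptom: an explicit 'Negotiate,NTLM' list on the box where
        # Firefox got 401.2, nothing set on the box that worked. Flag explicit lists.
        ExplicitProviderList      = ($null -ne $providers)
    }
}

# Usage (placeholders): audit site 1 at its root and at a vDir named 'app'.
Get-IisNtlmSettings -SiteId 1
Get-IisNtlmSettings -SiteId 1 -VDir 'app'
```

Run it on the working and the failing server and diff the two objects; a differing ExplicitProviderList is the discrepancy the post found, while AuthNTLM shows whether the checkbox setting itself matches.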

1 comment:

Canadian Train Geek said...

After about 45 minutes of searching, I finally found your site and found the answer to how to change the Providers order on IIS 7 where the GUI doesn't provide the option. Thank you so much!