Pages

Monday, 3 October 2011

Windows authentication fail in IIS 7

Windows Authentication fails from client machines via hostname/ FQDN or ip address but works on localhost (where the application is published)

Windows authentication supports two authentication protocols, Kerberos and NTLM, which are defined in the <providers> element. When you install and enable Windows authentication on IIS 7, the default protocol is Kerberos. The <windowsAuthentication> element can also contain a useKernelMode attribute that configures whether to use the kernel mode authentication feature that is new to Windows Server 2008.

Windows authentication is best suited for an intranet environment for the following reasons:
 •Client computers and Web servers are in the same domain.
 •Administrators can make sure that every client browser is Internet Explorer 2.0 or later.
 •HTTP proxy connections, which are not supported by NTLM, are not required.
 •Kerberos version 5 requires a connection to Active Directory, which is not feasible in an Internet environment.


The following default <windowsAuthentication> element is configured at the root ApplicationHost.config file in IIS 7.0, and disables Windows authentication by default. It also defines the two Windows authentication providers for IIS 7.0.

<windowsAuthentication enabled="false">
   <providers>
      <add value="Negotiate" />
      <add value="NTLM" />
   </providers>
</windowsAuthentication>


by default for SharePoint - 80  environment only NTLM is required.



No comments:

Post a Comment