IIS 6.0 and Integrated Auth not working anymore

Marco Paglioni 26 Reputation points
2023-01-09T20:32:55.877+00:00

Hi everyone,
I have an old installation of Win2003 with IIS 6 and Reporting Services 2005, giving out some reports to domain users with Edge in IE mode.
Since yesterday, almost all users are getting an error accessing RS pages, which, in turn, is a 401 error in the IIS logs.
If I remove Integrated Authentication and activate Basic Auth, users get the login page, and using their AD credentials are able to get the reports.

If I re-enable Integrated Auth, they get errors again. The exact error is 402.3, but I don't know why it all stopped working suddenly.

If I try with Chrome or Firefox and both Integrated and Basic auth, I do get the user/pass prompt, obviously because the Integrated one is skipped.
But with Edge, it's not skipped, and it goes to 401.3.

No folder/file ACL changed.

Right now I have to keep Basic Auth enabled to let users get the reports, but I need to go back to the Integrated one.


Accepted answer
  1. Yurong Dai-MSFT 2,806 Reputation points Microsoft Vendor
    2023-01-10T05:54:52.397+00:00

    Hi @Marco Paglioni ,

    When logging in using integrated authentication in Internet Explorer or Edge, the password is not accepted and after a few attempts, the error message 401 Unauthorized appears.

    This is a known issue due to enabling the NEGOTIATE protocol for Windows Integrated Authentication. It happens when trying to access with a computer that's either not connected to the same Windows domain as the servers running OutSystems or a computer with intermittent connectivity to said domain.

    The NEGOTIATE protocol uses Kerberos tickets for authentication. This requires that all involved computers be able to communicate with the Windows domain controller. In cases where such communication is not possible, the NEGOTIATE protocol cannot be used.

    By default, Internet Explorer and Microsoft Edge prefer NEGOTIATE over NTLM for Windows Integrated Authentication; this means that IIS activity with the NEGOTIATE protocol causes this misbehavior.

    Other browsers (Chrome, Safari, Firefox) usually don't have NEGOTIATE activated, so they default to NTLM - which causes authentication to work.

    Confirm the cause

    Disable NEGOTIATE protocol in the client workstation to confirm the issue is the one described.

    1. Open the Registry Editor (start - run - regedit.exe)
    2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    3. Locate the registry entry EnableNegotiate
    4. Change the value to 0
    5. Restart the client workstation.

    After performing the steps above, authentication should start working in Internet Explorer / Microsoft Edge in the client workstation where the change was performed.

    Solution: disable the NEGOTIATE protocol in IIS

    In sporadic situations, or to confirm the problem, you may want to disable NEGOTIATE in the client workstation.

    1. Access IIS Manager;
    2. Expand <server> > Sites > Default Web Site;
    3. In the IIS group, choose Authentication;
    4. Click Windows Authentication. On the side bar, option Providers shows up; if not, first activate Windows Authentication so it does show up;
    5. Remove NEGOTIATE provider.
    6. If you added Windows Authentication on step 4, deactivate it again;
    7. Do an IISReset

    After performing the steps above, authentication should start working in Internet Explorer / Microsoft Edge.

    The above content comes from a public document. In order to prevent the content of document links from becoming invalid, I extracted some content. For more detailed information, please refer to this link. I hope this helps you.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the email notification for this thread.

    Best regards, Yurong Dai


4 additional answers

  1. Marco Paglioni 26 Reputation points
    2023-01-10T11:01:04.497+00:00

    The client workstation test is successful. You pinpointed the problem.

    But the server is Windows 2003 with IIS 6.0. The guide you posted, and all guides I can find on the internet, are for IIS 7+.

    I can't find how to disable NEGOTIATE in IIS 6, which is way different from 7 and later ones.

    If there is no way, I have to make a group policy to disable NEGOTIATE client side, but I prefer to do it on IIS, if I find how.


  2. Sebastian Cerazy 306 Reputation points
    2023-03-02T12:01:49.0766667+00:00

    But why is NEGOTIATE giving 401 from a domain-joined machine?

    I have this error accessing the MSAD CA web interface from any domain-joined machine with domain admin credentials (so everything communicates just fine on the local network).

    Without NTLM, both IE & Edge will not log in (while Chrome does OK).


  3. Sebastian Cerazy 306 Reputation points
    2023-03-02T12:03:03.4+00:00

    < deleted >


  4. Travis Sheppard 0 Reputation points
    2023-03-03T03:01:08.98+00:00

    https://support.unicomsi.com/manuals/systemarchitect/11482/starthelp.html#page/Installing/InstallingSysArchXT.2.22.html

    This link was able to instruct how to force NTLM auth and disable negotiate. This got our site back up and running with Integrated Windows Auth in IIS 6.0.

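The IIS 6.0 change this thread ends on (forcing NTLM by taking Negotiate out of the provider list), as an added example that is not taken from the thread or from the linked manual. It uses the `NTAuthenticationProviders` metabase property through `adsutil.vbs`; the default AdminScripts path, site ID 1 and the backup file name are assumptions to adjust. Scoping the change to one site keeps Kerberos available to other sites on the same server.

```bat
@echo off
rem Added example: force NTLM for Integrated Windows Authentication on one
rem IIS 6.0 web site by removing Negotiate from NTAuthenticationProviders.
rem Assumptions: adsutil.vbs is in the default AdminScripts folder and the
rem Reporting Services virtual directories live under site ID 1.
setlocal
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set SITEKEY=w3svc/1/root
set BACKUP=%TEMP%\NTAuthenticationProviders.before.txt

if not exist "%ADSUTIL%" (
    echo adsutil.vbs not found at "%ADSUTIL%"
    exit /b 1
)

rem 1. Record the current value so the change can be reverted.
rem    If the property is not set at this node, IIS uses its default,
rem    "Negotiate,NTLM", and adsutil reports the parameter as not set.
cscript //nologo "%ADSUTIL%" get %SITEKEY%/NTAuthenticationProviders > "%BACKUP%" 2>&1
type "%BACKUP%"

rem 2. Offer NTLM only on this site.
cscript //nologo "%ADSUTIL%" set %SITEKEY%/NTAuthenticationProviders "NTLM"

rem 3. Read the value back; fail if Negotiate is still listed.
cscript //nologo "%ADSUTIL%" get %SITEKEY%/NTAuthenticationProviders | findstr /i "Negotiate" > nul
if not errorlevel 1 (
    echo Negotiate is still listed for %SITEKEY%; change not applied.
    exit /b 1
)

rem 4. Restart IIS so the new provider list takes effect.
iisreset /noforce

rem To revert: set the property back to "Negotiate,NTLM" and run iisreset.
endlocal
```

Run it from a command prompt on the IIS 6.0 server as a local administrator; the saved file in `%TEMP%` shows what the site was configured with before the change.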