On this week I had a strange problem when working with Asp.Net site on IIS 6.0, Win 2003.
I defined an application pool to run under domain user account and Web site is configured to use Integrated Windows authentication only.
Just for the record the I gave the domain account administrators permissions on the server.
I tried to consume the web site with the same user from the server but get the following error :
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
I managed to workaround this issue by setting the web site to work with digest authentication.
Please consider the security issues before doing it, I worked on a test environment on the organization intranet.
Another issue was when I tried to consume the web site from different pc with other domain account which was defined as a member of the user group on the server.
I get the user/password dialog box.
I manage to fix the problem by this Microsoft KB article http://support.microsoft.com/kb/871179/
Because I worked on a test environment and need a fast solution I went on the workaround section and It do the job.
To work around this behavior if you have multiple application pools that run under different domain user accounts, you must force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only. To do this, follow these steps on the server that is running IIS:
|1.||Start a command prompt.|
|2.||Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.|
|3.||Type the following command, and then press ENTER: |
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
|4.||To verify that the NtAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER: |
cscript adsutil.vbs get w3svc/NTAuthenticationProvidersThe following text should be returned:
NTAuthenticationProviders : (STRING) "NTLM"