Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool

You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool

Symptoms

When you try to access a Microsoft Internet Information Services (IIS) 6.0 Web site that is configured to use Integrated Windows authentication only, you are prompted for your user credentials. When you try to log on, you receive the logon prompt again. After you try to log on three times, you receive the following error message:
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

↑ Back to the top

Cause

This behavior may occur if the following conditions are true:
  • The IIS 6.0 Web site is part of an IIS application pool.
  • The application pool is running under a local account or under a domain user account.
  • The Web site is configured to use Integrated Windows authentication only.
In this scenario, when Integrated Windows authentication tries to use Kerberos, Kerberos authentication may not work. To use Kerberos authentication, a service must register its service principal name (SPN) under the account in the Active Directory directory service that the service is running under. By default, Active Directory registers the network basic input/output system (NetBIOS) computer name. Active Directory also permits the Network Service or the Local System account to use Kerberos.

↑ Back to the top

Resolution

If this behavior occurs when the application pool is running under a local account, follow the steps in the "Workaround" section.

To resolve this behavior when the application pool is running under a domain user account, set up an HTTP SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account that the application pool is running under. To do this, follow these steps on a domain controller:

Important An SPN for a service can only be associated with one account. Therefore, if you use this suggested resolution, any other application pool that is running under a different domain user account cannot be used with Integrated Windows authentication only.
  1. Install the Setspn.exe tool. To obtain the Setspn.exe tool for Microsoft Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
    970536 Setspn.exe support tool update for Windows Server 2003

  2. Start a command prompt, and then change to the directory where you installed Setspn.exe.
  3. At the command prompt, type the following commands. Press ENTER after each command:
    setspn.exe -S http/IIS_computer's_NetBIOS_name DomainName\UserName

    setspn.exe -S http/IIS_computer's_FQDN DomainName\UserName
    Note UserName is the user account that the application pool is running under. Also note that if you are running the setspn.exe command on a Windows 2000 machine, use the -A switch instead of the -S switch.
After you set the SPN for the HTTP service to the domain user account that the application pool is running under, you can successfully connect to the Web site without being prompted for your user credentials.

↑ Back to the top

Workaround

To work around this behavior if you have multiple application pools that run under different domain user accounts, you must force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only. To do this, follow these steps on the server that is running IIS:
  1. Start a command prompt.
  2. Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
  3. Type the following command, and then press ENTER:
    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
  4. To verify that the NtAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER:
    cscript adsutil.vbs get w3svc/NTAuthenticationProviders
    The following text should be returned:
    NTAuthenticationProviders       : (STRING) "NTLM"

↑ Back to the top

Status

This behavior is by design.

↑ Back to the top

More Information

If you set the SPN by using only the FQDN of the server that is running IIS, you will be prompted for your user credentials after 30 minutes. The 30-minute time-out occurs because of the way that Internet Explorer caches Domain Name System (DNS) information. After 30 minutes, Internet Explorer reverts to the NetBIOS name. Therefore, you must make sure that you also register the SPN by using the NetBIOS name of the server that is running IIS to avoid being prompted for your user credentials.For more information, click the following article number to view the article in the Microsoft Knowledge Base:

263558 How Internet Explorer uses the cache for DNS host entries

To verify the registered SPNs for the user account that your application pool is running under, start a command prompt, type the following command from the directory where Setspn.exe is installed, and then press ENTER:
setspn.exe -l UserName
A list of the registered SPNs for the user account is returned.

Internet Information Services (IIS) 7.0

The topics discussed in this article can also apply to IIS 7.0 if one of the following conditions is true:
  • Kernel Mode Authentication is disabled.
  • Kernel Mode Authentication is enabled, and the useAppPoolCredentials attribute is set to TRUE.

↑ Back to the top

References

For additional information about using Integrated Windows authentication with IIS application pools, visit the following Microsoft Web site:
Integrated Windows Authentication (IIS 6.0)
For additional information about authentication failures or access control failures in IIS, visit the following Microsoft Web site:
Authentication and Access Control Diagnostics Version 1.0 (IIS 6.0)
Note The AuthDiag tool is designed to help you when you see either of the following error messages:
  • 401.1 logon failed
  • 401.3 ACL
The AuthDiag tool can also help you when you experience Kerberos problems.

↑ Back to the top

Keywords: kbiis2007swept, kbentirenet, kbtshoot, kbprb, kb

↑ Back to the top

Article Info
Article ID : 871179
Revision : 3
Created on : 3/30/2017
Published on : 3/30/2017
Exists online : False
Views : 3457