Authentication may fail with "401.3" Error if Web site's "Host Header" differs from server's NetBIOS name (294382)


The information in this article applies to:

  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 6.0
This article was previously published under Q294382

SYMPTOMS

When you are using Internet Explorer on a Windows 2000 or later client and browsing to a Web site where the host header name is different from the NetBIOS name of the computer, Integrated Authentication may fail with an HTTP error 401.1, error 401.2, or error 401.3.

Note Internet Explorer clients that are using Windows NT 4 or Windows 95 or Windows 98 will not fail. Also, other authentication schemes will work.

Microsoft ASP.NET users may see an error message that is similar to the following:

Server Error in '<application name>' Application.

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Description: An unhandled exception occurred during the execution of the current web request.
Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

CAUSE

During Kerberos authentication, a domain controller that is running Windows 2000 or Windows Server 2003 grants tickets based on the Server Principle Name (SPN) of the Internet Information Services (IIS) Web server. If the host header (Web site name) being requested differs from the NetBIOS name of the IIS 5.0 computer, Kerberos authentication will fail, causing 401.3 errors on the client.

Clients using Windows NT 4 or Windows 95 or Windows 98 succeed because they do not natively support Kerberos and thus use Windows NT Challenge/Response (NTLM) authentication.

WORKAROUND

  • If you are using Kerberos:

    Use the SetSPN.exe utility, from the Windows 2000 Resource Kit, to register any host header names of Web sites that are configured to use "Integrated" authentication and will be accessed from Windows 2000 clients. For example:

    Server name: webserver1.development.exair.com
    Host header: www.exair.com

    Use the SetSPN command to register the www.exair.com SPN:

    SetSPN -A HTTP/www.exair.com webserver1

    NOTE: HOST is a default service type that can be used if HTTP is not working in the registered SPN. As an example, you can use the following command to register the www.exair.com SPN to a default service type:

    SetSPN -A HOST/www.exair.com webserver1

  • If you are not using Kerberos:

    Remove Kerberos from the list of authentication providers in Internet Information Services 5.0 by using the following command:

    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

NOTE: Adsutil.vbs must be run by a member of the local Admins group on the Internet Information Services computer.

MORE INFORMATION

A fresh install of Internet Information Services 5.0 with Integrated Authentication enabled will attempt to authenticate clients with Kerberos first. If a client does not support Kerberos, IIS will send that client an "Authenticate: NTLM" header, forcing it to authenticate using Windows NT Challenge/Response.

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

217098 Basic overview of Kerberos authentication in Windows 2000

266080 Answers to frequently asked Kerberos questions

215383 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication

248350 Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0

Modification Type:MinorLast Reviewed:4/26/2006
Keywords:kbpending kbprb KB294382 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.