DOCUMENT:Q248350 20-FEB-2000 [iis] TITLE :Kerberos Authentication Fails after Upgrading from IIS 4.0 to II PRODUCT :Internet Information Server PROD/VER:winnt:5.0 OPER/SYS: KEYWORDS:kbOSWin2000 ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Services version 5.0 ------------------------------------------------------------------------------- IMPORTANT: This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that can be restored if a problem occurs. For information about how to do this, view the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC). SYMPTOMS ======== When you upgrade a computer running Windows NT Server 4.0 with Internet Information Server 4.0 installed to Windows 2000 with Internet Information Services 5.0, Kerberos authentication may fail. The Negotiate method may not be used by the Web server even though Windows Integrated authentication is selected. When you do a network trace (from the client) using Network Monitor, you will usually see the following in the WWW-Authenticate header sent to the client: WWW-Authenticate: Negotiate WWW-Authenticate: NTLM When you upgrade from Windows NT 4.0 to Windows 2000, you may only see the NTLM WWW-Authenticate header sent to the client (Negotiate is not sent to the client). For example: WWW-Authenticate: NTLM CAUSE ===== In order to preserve the default authentication method used in Internet Information Server 4.0, the metabase setting for NTAuthenticationProviders was not changed. The default for this metabase key is "NTLM" in Internet Information Server 4.0; however, this has been changed in Internet Information Services 5.0 so that the new Negotiate method can use "Negotiate,NTLM." If you do a clean installation of Windows 2000 (as opposed to an upgrade), the key will reflect the default in Internet Information Services 5.0 as "Negotiate,NTLM." RESOLUTION ========== To resolve this problem, you must edit the metabase. WARNING: Editing the metabase incorrectly can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems resulting from incorrectly editing the metabase can be solved. Edit the metabase at your own risk. NOTE: You should always back up the metabase before you edit it. To change the value of NTAuthenticationProviders, perform the following steps: 1. Open a command prompt (Cmd.exe). 2. Change the directory to c:\inetpub\adminscripts. Note that this path is the default path and may be different from yours if you changed the content area or installed to a different drive letter. 3. To determine the value of NTAuthenticationProviders, type the following, and then press the ENTER key: cscript adsutil.vbs get w3svc/NTAuthenticationProviders The following output should return: NTAuthenticationProviders : (STRING) "NTLM" 4. If the value of NTAuthenticationProviders is "NTLM," then type the following (exactly): cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM" Press the ENTER key. You should receive the following output: NTAuthenticationProviders : (STRING) "Negotiate,NTLM" If you receive an error on the last step, make sure that you did not leave a space between Negotiate and NTLM. For example, "Negotiate,NTLM" is not the same as "Negotiate, NTLM." STATUS ====== Microsoft has confirmed this to be a problem in Microsoft Internet Information Services version 5.0. Additional query words: iis 5 NTLM Negotiate Kerberos Upgrade ====================================================================== Keywords : kbOSWin2000 Technology : kbiisSearch kbiis500 Version : winnt:5.0 Issue type : kbbug Solution Type : kbpending ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2000.