DOCUMENT:Q165995 29-APR-1999 [iis] TITLE :Valid User Fails to Authenticate with NT Challenge/Response PRODUCT :Internet Information Server PROD/VER:Winnt:2.0,3.0 OPER/SYS: KEYWORDS:kberrmsg ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server versions 2.0, 3.0 ------------------------------------------------------------------------------- SYMPTOMS ======== If you have set IIS to use the Microsoft Windows NT Challenge/Response (NTCR), a valid user may not be able to successfully logon to IIS and will be prompted three times for his or her username and password. Then the user will get the following error message: Access is denied. CAUSE ===== By design, Windows NT Challenge/Response is supposed to pass the user's credentials to IIS and then be validated by the IIS server. If the user has been granted permission, the page will be accessed. If the user has NOT been granted permission, IIS will return the above error message. It should NOT return an authentication box. However, this may occur when the client is on the same subnet as the IIS server. When IIS challenges the client, the client thinks it should have access even if IIS is set to NTCR, and it pops up an authentication box. The credentials will show the following: Resource: Username: Password: NOTE: The resource will be blank because NTCR failed. With Basic authentication type enabled, you would see the resource that you are trying to access. If you try and put in any credentials that are valid, it will fail except for the administrator/administrators of that IIS server. WORKAROUND ========== To successfully be authenticated all the time, set the authentication type to Basic in Internet Service Manager, WWW properties. As a result, the client will be able to retrieve the correct resource no matter where it resides, and if the user is valid with Logon Locally Rights, he or she will gain access to the IIS server. ====================================================================== Keywords : kberrmsg Technology : kbiisSearch kbiis300 kbiis200 Version : Winnt:2.0,3.0 Hardware : ALPHA x86 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 1999.