FIX: "HTTP error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message if the Basic authentication Default Domain property is set to a backward slash character (\) in IIS (827991)


The information in this article applies to:

  • Microsoft Internet Information Services version 6.0

SYMPTOMS

When you use Basic authentication to connect to a Web site that is hosted by Internet Information Services (IIS), you may be prompted multiple times for a user name and a password. After you enter the correct user credentials, you may receive the following error message:
You are not authorized to view this page
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

CAUSE

This problem may occur if the Default Domain property for Basic authentication is set to a backward slash character (\). In earlier versions of IIS, you could set the Default Domain property to a backward slash character (\) to allow the Web server to validate the logon credentials of a user against all trusting domains. However when you set the Default Domain property to a backward slash character (\) on a computer that is running Windows Server 2003, IIS will no longer allow the search for user credentials in all trusted domains.

RESOLUTION

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Server 2003 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
Date         Time   Version       Size     File name
----------------------------------------------------------  
                   
14-Jun-2004  18:02  6.0.3790.109  337,408  w3core.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

Basic authentication requires that you enter a domain name together with a user name. Therefore, an administrator may want to set the Default Domain property for Basic authentication to the most common domain that is used. This allows users in that domain to type only a user name and a password. After this, the default domain is used. This behavior will still work in IIS 6.0.

However, if users can use more than one domain, you could configure earlier versions of IIS so that the Default Domain property contained a backward slash character (\). The backward slash character (\) indicated that IIS should search all trusted domains for that user name.

However, in IIS 6.0 that behavior has changed and using the backward slash character (\) no longer works in this way. Users must type the domain name together with the user name by using the following format:

<domain name>\username.

In Exchange Server 2003, Forms-based authentication automatically sets the default domain for Basic authentication on the Exchange virtual directory in Exchange System Manager to a backslash character (\). This restriction is designed to support user logons that use the UPN format. If you modify the default domain setting in IIS to anything other than the default domain setting of "\", Exchange System Manager resets the default domain setting to "\" on the server. This change requires users to enter the domain, the username, and the password to log on to Outlook Web Access. After you apply this hotfix, users only have to enter the username and the password to log on to Outlook Web Access when you use Forms-based authentication.

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

168908 How to authenticate a user against all trusted domains

Modification Type:MinorLast Reviewed:10/25/2005
Keywords:kbHotfixServer kbQFE kbprb kbinfo KB827991 kbAudEndUser kbAudDeveloper kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.