401 - Unauthorized in IE7 only with windows authentication.

Asked 25/8, 2011 at 10:43 Answered 1/11, 2012 at 14:17

iis active-directory internet-explorer-7 windows-authentication http-status-code-401

I've created an intranet site that uses windows authentication

In chrome I can access the site instantly, and in FF it requires Active Directory login. But with IE7 I'm getting the following error:

401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.

Im unsure as to why its okay in other browsers but not IE? Any help appreciated.

Thanks

Lungwort answered 25/8, 2011 at 10:43 Comment(3)

Do you verified in "Advanced" settings of IE that "Enable Integrated Windows Authentication" is set? Do you verified in which zone are your web size in the IE7? You can see it at the bottom. You can reset the current IE zones settings. Is it the problem only on one computer or on all/many computers from you network? – Ham 3/9, 2011 at 20:33

Possible solution is described here #7337554 – Brotherhood 18/5, 2012 at 10:41

Raklos: please can you accept @aditya's answer as correct if it resolved your issue (or any other answer if those helped). – Davisson 24/8, 2015 at 11:13

Solution:

IE is using Kerberos and not falling back on NTLM like Chrome and Firefox. You must force NTLM authentication in IIS7.5 by following these steps:

Select your site.
Double click authentication.
Select "Windows Authentication" (ensuring that it is enabled).
Click "Providers..." in the right hand column.
Select NTLM and click "Move Up".

Link: windows authentication not working in ie7

Oarsman answered 1/11, 2012 at 14:17 Comment(0)

I'm not familiar with IIS, but in the past few weeks I've had lots of hand-on experience in integrating AD login into web applications. As is quite logical - every Microsoft product would be better integrated with another such, and Internet Explorer (should be valid for all versions, not just 7) automatically passes your AD login credentials as long as you use Active Directory for your Windows login authentication method.

Every other browser will either need to be configured to do so, ask you to type them in manually or will not support it at all. Which explains why Firefox asks you for a username and a password. Under Opera, you'll most likely get the same error message.

My guess about Chrome is that it's your default browser of choice and at some point in time, you've typed in your login creditenials and that session is still active.

All of this would mean (if my assumptions are correct) that you need to use a different AD account to login into this application than Windows and the latter (being automatically passed by IE) is not authorized.

Leis answered 2/9, 2011 at 21:35 Comment(2)

ive asked another user to login and they face the same issues. ie7 does not work for them too, (other browsers do). I didn't understand your last sentence. – Lungwort 3/9, 2011 at 18:59

Do IE8 or IE9 work? What I say in my last sentence is that basically IE will automatically pass to the web server whatever username you use to login into Windows, but that username is not the same you want to use for your web application. – Leis 3/9, 2011 at 19:5

start off by looking here and getting a more detailed error description. I had some crazy problems with CRM and it all came down to the order of settings in IIS the answer to the problem ended up being as simple as ; going into iis and then the authentication setting clicking on windows authentication and selecting advanced make sure kernel mode is on click on providers and ensure negotiate is above NTLM.

Isaacs answered 8/9, 2011 at 3:20 Comment(2)

is there an equivalent article for iis 7? – Lungwort 8/9, 2011 at 11:12

try here learn.iis.net/page.aspx/267/… or here trainsignal.com/blog/iis-7-troubleshooting for iis7. You the log fiel should still be available for you to look at in iis 7 anyway – Isaacs 8/9, 2011 at 20:40

It sounds like your environment is not setup properly for Kerberos authentication to take place. There are many things that can cause Kerberos authentication failure. E.g. Clock skew on the server or client, missing SPN on the web server, etc.

Normally, when you configure to use Windows authentication, you are asking to use SPNEGO, which means using Kerberos whenever possible and then fall back to NTLM if Kerberos fails. However, this post pointed out that this is no longer true. IE7 stops at Kerberos in certain cases but not falling back to NTLM.

You can try to disable the "Enable Integrated Windows Authentication" as the post suggested. It looks odd but it actually just turns off the SPNEGO, you will still use the NTLM.

I guess Firefox and Chrome works because they are using NTLM but not Kerberos. From my experience, non-Microsoft browser doesn't do Kerberos out-of-box. You need to do some configuration work to make it happens. For example, in FireFox, you need to set the network.negotiate-auth.trusted-uris parameter. See here

Once you confirm the NTLM for IE7 is still working fine. Then, you can post another question to ask how to fix the Kerberos authentication problem for IIS.

Access answered 9/9, 2011 at 5:53 Comment(0)

Solution:

Recommended topics

Hot tags