Integrated Windows Authentication not working in IE only


Solution 1

Chances are this is due to a broken SPN somewhere.

I suspect that the non-Microsoft browsers don't do Kerberos (or at least, don't do it in the same way as IE does).

This means that IE might be attempting a Kerberos logon, where the others might well be using NTLM.

If an SPN exists for http/www.example.com or host/www.example.com, and it isn't owned by the account that runs the Application Pool, that'd be a good reason for this type of break.

On Windows 2008 or later: SETSPN -X will check for duplicates; SETSPN -Q http/www.example.com will look for owners of that specific SPN.

Fix your SPN problem, and you'll probably fix IE logons being broken.

Other guidance might tell you to disable Integrated Windows Authentication in IE Advanced properties; that's a boneheaded move which breaks Kerberos for everything and covers up the problem.

More here.
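The ownership check described in Solution 1, as an added PowerShell example that is not part of the original answer: it looks up which account in the current domain holds the http/ and host/ SPNs for the site name and compares that owner with the account the Application Pool runs as. The account name EXAMPLE\svc-web, the server name WEB01 and the helper function names are hypothetical.

```powershell
# Added example, not from the original answer. Defaults are placeholders.
param(
    [string]$Fqdn        = 'www.example.com',   # host name users type into IE
    [string]$PoolAccount = 'EXAMPLE\svc-web'    # hypothetical App Pool account
)
# For built-in pool identities (NetworkService, ApplicationPoolIdentity) pass the
# web server's computer account instead, e.g. 'EXAMPLE\WEB01$' (hypothetical):
# that is the identity those accounts present on the network.
$expected = ($PoolAccount -split '\\')[-1]

function Get-SpnOwner {
    param([string]$Spn)
    # LDAP search of the current domain for every account holding this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $hits = $searcher.FindAll()
    try {
        foreach ($hit in $hits) { [string]$hit.Properties['samaccountname'][0] }
    } finally {
        $hits.Dispose()
    }
}

function Test-SpnOwner {
    param([string]$Spn, [string[]]$Owners, [string]$Expected)
    if (-not $Owners) {
        return "NONE       $Spn is not registered in this domain"
    }
    if ($Owners.Count -gt 1) {
        return "DUPLICATE  $Spn is held by: $($Owners -join ', ')"
    }
    if ($Owners[0] -ne $Expected) {   # -ne is case-insensitive for strings
        return "MISMATCH   $Spn is owned by $($Owners[0]), expected $Expected"
    }
    "OK         $Spn is owned by $Expected"
}

# Check both SPN forms the answer names for this site.
foreach ($spn in "http/$Fqdn", "host/$Fqdn") {
    Test-SpnOwner -Spn $spn -Owners @(Get-SpnOwner $spn) -Expected $expected
}
```

A MISMATCH or DUPLICATE line is the broken-SPN condition the answer describes; SETSPN -Q on the same name shows the owner's full distinguished name.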

Solution 2

This was mentioned in passing in one of the comments, but I wanted to call it out specifically in case anybody else finds it useful. I was having this same problem and I was able to resolve it by changing the App Pool Identity. This is found under "Advanced Settings" for the given App Pool.

Someone had set this value to "AppPoolIdentity" but I had to set it back to "NetworkService" to fix the problem.

(I tried to post an image, but I need more reputation apparently. If someone upvotes this answer then I can add the image.)

Solution 3

The broken SPN answer appears to be correct. This means that you may need to point out the problem to your IT/IS department if you want to get Kerberos set up correctly.

I do not recommend the "disable the Enable Integrated Windows Authentication" solution, because it requires normal users to go in and click something that they may not even have permission to change depending on how administrators have configured IE.

In the event that the Kerberos setup isn't getting fixed anytime soon, the more flexible solution is to go to the app in IIS, click Authentication, highlight the Windows Authentication line (which should be marked enabled, with everything else disabled), and then click the "Providers..." link on the right. There will likely be two entries, "Negotiate" and "NTLM", with Negotiate on top. Move NTLM to the top. This forces your site to use NTLM, which is a security risk, but it's the only option if Kerberos is unavailable.

Author by

CoreyT


Updated on September 17, 2022

Comments

  • CoreyT almost 2 years

    In my site I have one folder that does not allow anonymous access. It is set up to use Integrated Windows Authentication as it is on an AD domain. The login works fine in Firefox, Chrome, even Safari, but not IE8. Has anyone encountered this before? I can't seem to find anyone else with a similar issue, except for where the login fails in all browsers of course.

    • MikeT almost 14 years
      Sorry for too many questions, but want to understand a bit more. What is the version of IIS? Is it a .net application and the folder is it on the same server or on another box?
    • Eric C. Singer over 12 years
      Are you trying to get IE to log in automatically, or can you not log in at all?
  • CoreyT about 14 years
    Our intranet is just a subfolder in the main site, so just www.example.com/intranet. I've tried putting the domain in the login box in front of the username, but that didn't make a difference.
  • kingdango about 12 years
    I believe this answer is correct. My site using Windows Auth worked fine for IE and Chrome. Then I changed the site's Application Pool identity and following that authentication stopped working in IE -- though it worked in Chrome. IE would present the user/pass dialog, I would put in the appropriate credentials but login would fail. The fix for me (I believe) was disabling the Enable Integrated Windows Authentication option in IE settings.