How to resolve the issue of Integrated windows authentication asking username and password in Windows Server 2008 R2 , IIS 7.5 ? RRS feed

  • Question

  • User1150861825 posted

    I had server Windows Server 2008 R2, IIS 7.5 

     WebSite has to be accessed from Intranet by authenticated users of different domains.

    Website is running under AppPool custom account

    Only Integrated windows authenitcation is enabled, rest every thing is disabled mode.

    We had tried resolution steps

    1) given full Folder permissions for the custom account of AppPool

    Not Authorized

    HTTP Error 401. The requested resource requires user authentication

    Server Error

    401 - Unauthorized: Access is denied due to invalid credentials.

    You do not have permission to view this directory or page using the credentials that you supplied.

    When website is accessed by users, for many of users, it is working fine,

    for some users, it is asking to enter credentials,

    How to solve this problem..?

    we tried in client machine browser, internet options-->Secuirty -->Disable integrated windows authentication

    with this for some users problem resolved, but they are still some users who are not able to acess the site,

    even though enter credntials, for second time , some can access site, for some even 3 times asking, after that it throws error ?

    please help me to resolve the isse .

    thanks for your help in advance ......



    Wednesday, November 30, 2011 12:24 AM

All replies

  • User989702501 posted

    Looks like client end browser issue.. same version? settings?

    if it works on many but not few, then IIS should not be the problem.

    You can look at those log entries from those problematic client and see if you get more clues from it.

    Wednesday, November 30, 2011 5:42 AM
  • User-620729683 posted

    Does IIS server integrated with AD environment, does all domain have domain trust relation.

    If User belong to different domain and IIS in other domain, then both domain should have trust relation between them.

    Wednesday, November 30, 2011 5:43 AM
  • User1150861825 posted

    IIS server is integrarted with AD Environment.

    all domians are integrated..

    Please help us ..




    Thursday, December 1, 2011 1:08 AM
  • User989702501 posted

    please help us to help you.. is the browser diff for those having problem?

    IIS log files?

    Thursday, December 1, 2011 4:55 AM
  • User1150861825 posted

    all browsers are only IE8/IE9.

    for those users, website is prompting username and password,i checked randomly for some users, if website is accessed by IP Address, instead of direct name, no problem,no prompt for credentials.

    but with direct name it is still asking the username and password,even correctly entering also not able conect.

    Note : This is only intranet website,

    thanks in advance.

    Saturday, December 10, 2011 5:45 AM
  • User989702501 posted

    MMm... have you include the direct name/etc as trusted sites?

    It looks like browser end config to me. Read - http://support.microsoft.com/?id=258063

    Monday, December 12, 2011 10:17 PM
  • User-1904510469 posted

    I ran into this same issue.  In IIS, in the Authentication section for your web app, select Windows Authentication (only mode I have enabled) select Providers (below "Advanced Settings...") from the menu on the right.  This will display the Enabled Providers, I have Negotiate and NTLM displayed.  Highlight NTLM and select "Move Up", click OK.  I then recycled the app pool (just in case) and everything worked as anticipated.  For some reason and I haven't looked into the why, but placing NTLM at the top of the list solves the issue.  I'm guessing that if Negotiate fails, it doesn't fall thru to NTLM like you would expect it to, or there is something not quite configured correctly in our network, but that's up to another area of our dept and out of my hands, but this did solve the issue.


    Tuesday, January 3, 2012 10:59 AM
  • User989702501 posted

    Mm.. can you post the log entries when 'Negotiate' is at the top list?
    In Nego mode, it will try kerberos and NTLM, however there is no fall back to others if both fails, which is kind of weird, at least NTLM should work like when you place it at the top.

    Sunday, January 29, 2012 11:48 PM
  • User27604006 posted


    Did you fix this issue. I am facing same one and don't know how to.


    Friday, September 13, 2013 12:45 PM