Installation
Troubleshooting
Browser prompts for Username/Password
8 min
integrated security within iis does not work and users are repeatedly asked to enter their username and password by the browser solution the activate intranet site uses a domain service account to run as internet explorer by default attempt to content using kerberos to the activate application this will fail unless the domain service account is registered in active directory option 1 creating service principal names (spns) for domain accounts register an spn for the domain service account and the web server it runs on to create an spn for a domain account install the windows server 2003 support tools from the windows server 2003 installation media open a command prompt and run the setspn tool as follows setspn a http/webservername domain\serviceaccount example (netbios server name) setspn a http/web01 contoso\svcwebapp in this example web01 is the server name contoso is the active directory domain svcwebapp is the domain service account setspn a http/webservername fullyqualifieddomainname domain\serviceaccount example (fully qualified domain name) setspn a http/web01 contoso com contoso\svcwebapp by running the command twice—once for the netbios server name and once for the fully qualified domain name—you associate the service account with both name formats this ensures the spn functions correctly in environments where fully qualified domain names are not used consistently note you cannot have multiple web applications with the same host name if you want them to have multiple identities this is an http limitation, not a kerberos limitation the workaround is to have multiple dns names for the same host, and start the urls for each web application with a different dns name for example, you would use http //app1 and http //app2 rather than http //site/app1 and option 2 disable kerberos integrated security can be used with ntlm authentication by disabling kerberos kerberos can be disabled on the client or on the server to disable kerberos on the client 1\ open browser and select 'tools > internet options' 2\ click on 'advanced tab' 3\ turn off 'security >enable integrated windows authentication (required restart) 4\ click on and restart the browser to disable kerberos on the server (recommended option) iis 6 0 true 330,331left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type ntauthenticationproviders (string) "negotiate,ntlm" cscript adsutil vbs get w3svc/ website /root/ntauthenticationproviders cscript adsutil vbs set w3svc/ website /root/ntauthenticationproviders "ntlm" iis 5 1 or iis 5 0 true 330,331left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type ntauthenticationproviders (string) "negotiate,ntlm" cscript adsutil vbs get w3svc/ntauthenticationproviders cscript adsutil vbs set w3svc/ntauthenticationproviders "ntlm" troubleshooting microsoft troubleshooting kerberos failures guide can be found here https //docs microsoft com/en us/troubleshoot/iis/troubleshoot kerberos failures ie