Browser prompts for Username/Password
Integrated security within IIS does not work, and users are repeatedly asked by the browser to enter their username and password.

Solution

The Activate intranet site runs as a domain service account. By default, Internet Explorer attempts to connect to the Activate application using Kerberos. This fails unless the domain service account is registered in Active Directory.

Option 1: Creating Service Principal Names (SPNs) for domain accounts

Register an SPN for the domain service account and the web server it runs on.

To create an SPN for a domain account, install the Windows Server 2003 Support Tools from the Windows Server 2003 installation media. Open a command prompt and run the Setspn tool as follows:

    setspn -a http/webservername domain\serviceaccount

Example (NetBIOS server name):

    setspn -a http/web01 contoso\svcwebapp

In this example:

- web01 is the server name
- contoso is the Active Directory domain
- svcwebapp is the domain service account

    setspn -a http/webservername.fullyqualifieddomainname domain\serviceaccount

Example (fully qualified domain name):

    setspn -a http/web01.contoso.com contoso\svcwebapp

By running the command twice, once for the NetBIOS server name and once for the fully qualified domain name, you associate the service account with both name formats. This ensures the SPN functions correctly in environments where fully qualified domain names are not used consistently.

Note: You cannot have multiple web applications with the same host name if you want them to have multiple identities. This is an HTTP limitation, not a Kerberos limitation. The workaround is to have multiple DNS names for the same host, and to start the URLs for each web application with a different DNS name. For example, you would use http://app1 and http://app2 rather than http://site/app1 and http://site/app2.

Option 2: Disable Kerberos

Integrated security can be used with NTLM authentication by disabling Kerberos. Kerberos can be disabled on the client or on the server.

To disable Kerberos on the client:

1. Open the browser and select 'Tools > Internet Options'.
2. Click the 'Advanced' tab.
3. Turn off 'Security > Enable Integrated Windows Authentication' (requires restart).
4. Click OK and restart the browser.

To disable Kerberos on the server (recommended option):

IIS 6.0

1. Click Start, click Run, type cmd, and then press Enter.
2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:

       cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders

   In this command, WebSite is a placeholder for the web site ID number. The web site ID number of the default web site is 1.

   Warning: Do not perform a copy and paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

   Note: This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

   If Kerberos is enabled, this command returns the following information:

       NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

4. If the command in step 3 does not return the string "NTLM", use the following command to disable Kerberos:

       cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"

5. Repeat step 3 to verify that the result is "NTLM".

IIS 5.1 or IIS 5.0

1. Click Start, click Run, type cmd, and then press Enter.
2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:

       cscript adsutil.vbs get w3svc/NTAuthenticationProviders

   Warning: Do not perform a copy and paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

   Note: This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

   If Kerberos is enabled, this command returns the following information:

       NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

   Note: By default, the NTAuthenticationProviders metabase property is set to Negotiate,NTLM when you install IIS 5.1 or IIS 5.0.

4. If the command in step 3 does not return the string "NTLM", use the following command to disable Kerberos:

       cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

5. Repeat step 3 to verify that Kerberos has been disabled.

Troubleshooting

Microsoft's guide to troubleshooting Kerberos failures can be found here: https://docs.microsoft.com/en-us/troubleshoot/iis/troubleshoot-kerberos-failures-ie
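A check for when the prompts persist after Option 1, added here as an example (it is not part of the original article or the product's tooling): it reports whether both SPN name forms are registered, and registered only to the account the site runs as. The function name Test-WebAppSpn, the record shape and the sample rows are assumptions; in a live domain the rows would come from a directory query such as the `setspn -L` listing for each account.

```powershell
# Added example: $sample is constructed data reusing the page's names (web01,
# contoso, svcwebapp); contoso\svcoldapp is a hypothetical second account.
function Test-WebAppSpn {
    param(
        [Parameter(Mandatory)] [string] $Server,     # NetBIOS name, e.g. web01
        [Parameter(Mandatory)] [string] $DnsDomain,  # DNS suffix, e.g. contoso.com
        [Parameter(Mandatory)] [string] $Account,    # domain\serviceaccount
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Records
    )
    # The page registers two name forms: NetBIOS and fully qualified.
    foreach ($spn in "http/${Server}", "http/${Server}.${DnsDomain}") {
        # SPN and account names are compared case-insensitively (-eq default).
        $owners = @($Records | Where-Object { $_.Spn -eq $spn } |
            ForEach-Object { $_.Account } | Sort-Object -Unique)
        $status = if ($owners.Count -eq 0) {
            'Missing'        # setspn -a was never run for this name form
        } elseif ($owners.Count -gt 1) {
            'Duplicate'      # same SPN on two accounts: Kerberos cannot pick one
        } elseif ($owners[0] -ne $Account) {
            'WrongAccount'   # registered, but not to the account the site runs as
        } else {
            'OK'
        }
        [pscustomobject]@{ Spn = $spn; Status = $status; Owners = $owners -join ', ' }
    }
}

# Constructed records: one row per (account, SPN) pair found in the directory.
$sample = @(
    [pscustomobject]@{ Account = 'contoso\svcwebapp'; Spn = 'HTTP/web01' }
    [pscustomobject]@{ Account = 'contoso\svcwebapp'; Spn = 'HTTP/web01.contoso.com' }
    [pscustomobject]@{ Account = 'contoso\svcoldapp'; Spn = 'HTTP/web01.contoso.com' }
)
Test-WebAppSpn -Server web01 -DnsDomain contoso.com `
    -Account 'contoso\svcwebapp' -Records $sample | Format-Table -AutoSize
```

A Duplicate or WrongAccount row is cleared by removing the stray registration with `setspn -d` before running `setspn -a` again.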