Users are Repeatedly Prompted to enter their Username and Password
Problem

Integrated security within IIS does not work, and users are repeatedly asked by the browser to enter their username and password. On older versions of Windows Server, setspn must be used to create an SPN for the service account.

Solution

The Activate intranet site uses a domain service account to run as. By default, Internet Explorer attempts to connect to the Activate application using Kerberos. This will fail unless the domain service account is registered in Active Directory.

Option 1: Creating Service Principal Names (SPNs) for domain accounts

Register an SPN for the domain account and server. To create an SPN for a domain account, install the Windows Server 2003 tools from the Windows Server 2003 CD. From a command prompt, run the setspn tool as follows.

Note: You cannot have multiple web applications with the same host name if you want them to have multiple identities. This is an HTTP limitation, not a Kerberos limitation. The workaround is to have multiple DNS names for the same host, and start the URLs for each web application with a different DNS name. For example, you would use http://app1 and http://app2 rather than http://site/app1 and http://site/app2.

Option 2: Disable Kerberos

Integrated security can be used with NTLM authentication by disabling Kerberos. Kerberos can be disabled on the client or on the server.

To disable Kerberos on the client:

1. Open the browser and select 'Tools > Internet Options'.
2. Click on the 'Advanced' tab.
3. Turn off 'Security > Enable Integrated Windows Authentication (requires restart)'.
4. Click on and restart the browser.

To disable Kerberos on the server (recommended option):

IIS 6.0

1. Click Start, click Run, type cmd, and then press Enter.
2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:

    cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders

   In this command, WebSite is a placeholder for the web site ID number. The web site ID number of the default web site is 1.

   Warning: Do not perform a copy and paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

   Note: This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

   If Kerberos is enabled, this command returns the following information:

    NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

4. If the command in step 3 does not return the string "NTLM", use the following command to disable Kerberos:

    cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"

5. Repeat step 3 to verify that the result is "NTLM".

IIS 5.1 or IIS 5.0

1. Click Start, click Run, type cmd, and then press Enter.
2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:

    cscript adsutil.vbs get w3svc/NTAuthenticationProviders

   Warning: Do not perform a copy and paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

   Note: This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

   If Kerberos is enabled, this command returns the following information:

    NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

   Note: By default, the NTAuthenticationProviders metabase property is set to Negotiate,NTLM when you install IIS 5.1 or IIS 5.0.

4. If the command in step 3 does not return the string "NTLM", use the following command to disable Kerberos:

    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

5. Repeat step 3 to verify that Kerberos has been disabled.

Troubleshooting

Microsoft's guide to troubleshooting Kerberos failures can be found here: https://docs.microsoft.com/en-us/troubleshoot/iis/troubleshoot-kerberos-failures-ie
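
For Option 1, the SPN check and registration can be scripted as follows. This is an added example, not a command from the original article: the account and host names are placeholders, and it assumes the setspn.exe shipped with Windows Server 2008 or later (which has the -Q and -S switches), its English output format, and an account with rights to write the servicePrincipalName attribute.

```powershell
# Added example; every name below is a placeholder, not a value from the article.
$Account   = 'CONTOSO\svc-activate'                  # hypothetical service account
$HostNames = 'activate', 'activate.contoso.example'  # hypothetical short name and FQDN

foreach ($h in $HostNames) {
    $spn = "HTTP/$h"

    # -Q searches the domain for the SPN and prints the DN of each account holding it.
    # Assumption: DN lines in the output start with "CN=".
    $holders = @(& setspn.exe -Q $spn 2>&1 |
                 ForEach-Object { "$_".Trim() } |
                 Where-Object { $_ -like 'CN=*' })

    if ($holders.Count -eq 0) {
        # -S checks again for duplicates and only then adds the SPN to the account.
        Write-Host "Registering $spn on $Account"
        & setspn.exe -S $spn $Account
    }
    elseif ($holders.Count -eq 1) {
        # Already present: confirm the DN is the service account, not the machine
        # account or a retired service account.
        Write-Host "$spn is already registered on: $($holders[0])"
    }
    else {
        # The same SPN on several accounts makes Kerberos authentication fail,
        # which shows up as the repeated credential prompt.
        Write-Warning "$spn is registered on $($holders.Count) accounts:"
        $holders | ForEach-Object { Write-Warning "  $_" }
    }
}

# List the SPNs the service account holds after the run.
& setspn.exe -L $Account
```

Register both the short name and the fully qualified name that users type into the browser, since the client requests a ticket for the host name in the URL.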