Microsoft Knowledge Base Article
This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Article ID: 294382 - Last Review: December 11, 2009 - Revision: 5.0
Authentication may fail with "401.3" Error if Web site's "Host Header" differs from server's NetBIOS name
This article was previously published under Q294382
When you are using Internet Explorer on a Windows 2000 or later client and browsing to a Web site where the host header name is different from the NetBIOS name of the computer, Integrated Authentication may fail with an HTTP error 401.1, error 401.2, or error 401.3.
Note Internet Explorer clients that are using Windows NT 4 or Windows 95 or Windows 98 will not fail. Also, other authentication schemes will work.
Microsoft ASP.NET users may see an error message that is similar to the following:
Server Error in '<application name>' Application.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Description: An unhandled exception occurred during the execution of the current web request.
Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
During Kerberos authentication, a domain controller that is running Windows 2000 or Windows Server 2003 grants tickets based on the Service Principal Name (SPN) of the Internet Information Services (IIS) Web server. If the host header (Web site name) being requested differs from the NetBIOS name of the IIS 5.0 computer, Kerberos authentication will fail, causing 401.3 errors on the client.
Clients using Windows NT 4 or Windows 95 or Windows 98 succeed because they do not natively support Kerberos and thus use Windows NT Challenge/Response (NTLM) authentication.
- If you are using Kerberos:
Use the SetSPN.exe utility, from the Windows 2000 Resource Kit, to register any host header names of Web sites that are configured to use "Integrated" authentication and will be accessed from Windows 2000 clients. If your Web server is running Microsoft Windows Server 2003 and IIS 6, download the Setspn.exe tool from the following location:
970536 (http://kbalertz.com/Feedback.aspx?kbNumber=970536/) Setspn.exe support tool update for Windows Server 2003
For example:
Server name: webserver1.development.exair.com
Host header: www.exair.com
Use the SetSPN command to register the www.exair.com SPN:
SetSPN -S HTTP/www.exair.com webserver1
NOTE: HOST is a default service type that can be used if HTTP is not working in the registered SPN. As an example, you can use the following command to register the www.exair.com SPN to a default service type:
SetSPN -S HOST/www.exair.com webserver1
- If you are not using Kerberos:
Remove Kerberos from the list of authentication providers in Internet Information Services 5.0 by using the following command:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
NOTE: Adsutil.vbs must be run by a member of the local Admins group on the Internet Information Services computer.
A fresh install of Internet Information Services 5.0 with Integrated Authentication enabled will attempt to authenticate clients with Kerberos first. If a client does not support Kerberos, IIS will send that client an "Authenticate: NTLM" header, forcing it to authenticate using Windows NT Challenge/Response.
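The following added example (not part of the Microsoft article) cross-checks a list of host headers against the output of `setspn -L` for the Web server account, so that a missing registration is found before clients hit the 401 errors described above. The sample output and the name intranet.exair.com are constructed for illustration, and any port suffix on an SPN is ignored as a simplification.

```python
"""Cross-check IIS host headers against the SPNs listed by `setspn -L`."""

# Constructed sample of `setspn -L webserver1` output (not from the article).
SAMPLE_SETSPN_L = """\
Registered ServicePrincipalNames for CN=WEBSERVER1,CN=Computers,DC=development,DC=exair,DC=com:
    HOST/WEBSERVER1
    HOST/webserver1.development.exair.com
    HTTP/www.exair.com
"""

# Service classes accepted for a Web site: HTTP, or HOST, the default
# service type the article says can be used instead.
WEB_SERVICE_CLASSES = ("http", "host")


def parse_spns(setspn_output):
    """Return a set of (service_class, host) pairs, lower-cased."""
    spns = set()
    for line in setspn_output.splitlines():
        entry = line.strip()
        # Skip the header line and anything that is not service/host.
        if "/" not in entry or entry.lower().startswith("registered "):
            continue
        service, _, rest = entry.partition("/")
        # Simplification: drop a trailing service name or :port suffix.
        host = rest.split("/")[0].split(":")[0]
        spns.add((service.lower(), host.lower()))
    return spns


def missing_host_headers(host_headers, setspn_output):
    """Return the host headers that have no HTTP/ or HOST/ SPN registered."""
    spns = parse_spns(setspn_output)
    missing = []
    for name in host_headers:
        # SPN comparison is case-insensitive, so compare lower-cased names.
        if not any((svc, name.lower()) in spns for svc in WEB_SERVICE_CLASSES):
            missing.append(name)
    return missing


if __name__ == "__main__":
    # intranet.exair.com is a hypothetical second site on the same server.
    headers = ["www.exair.com", "intranet.exair.com", "webserver1"]
    for name in missing_host_headers(headers, SAMPLE_SETSPN_L):
        print("No SPN for host header %s; register it with SetSPN -S HTTP/%s <server>"
              % (name, name))
```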
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
217098 (http://kbalertz.com/Feedback.aspx?kbNumber=217098/) Basic overview of Kerberos authentication in Windows 2000
266080 (http://kbalertz.com/Feedback.aspx?kbNumber=266080/) Answers to frequently asked Kerberos questions
215383 (http://kbalertz.com/Feedback.aspx?kbNumber=215383/) How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
248350 (http://kbalertz.com/Feedback.aspx?kbNumber=248350/) Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0
APPLIES TO
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services 6.0