Forcing NTLM Authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

In the following situations, Kerberos authentication fails and you must force IIS to use NTLM authentication by setting the NTAuthenticationProviders Metabase Property to NTLM.

  • Kerberos fails when you isolate Web sites on a virtual directory level by configuring worker process identities as different domain accounts.

  • Kerberos authentication fails if you are using Integrated Windows authentication, are not using a WINS or DNS name for the server running IIS, and you want to use a local user account or the LocalService account as a worker process identity. It fails because Active Directory does not trust these accounts.

Important

You must be a member of the Administrators group on the local computer to perform the following procedure. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type the following:

    runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc"

Procedures

To force NTLM authentication

  1. In IIS Manager, right-click the local computer, and then click Properties.

  2. Select the Enable Direct Metabase Edit check box, and then click OK.

  3. Click Start, click Run, type cmd, and then click OK.

  4. At the command prompt, type the following command to change to the directory where the MetaBase.xml file is located:

    cd %systemroot%\system32\inetsrv

  5. To open the file with Notepad, at the command prompt, type the following:

    notepad MetaBase.xml

  6. In the <IISWebServer> section, locate the NTAuthenticationProviders metabase property and modify its setting to read "NTLM".

  7. Save and close the MetaBase.xml file.
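To confirm the result of the procedure above, the following added example (not part of the original article or of IIS) reads metabase XML and reports the effective NTAuthenticationProviders value for each Web site. It goes beyond the single edit in step 6 by resolving values set on a parent key; the inheritance behavior, the Negotiate,NTLM default, and the sample fragment are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Assumed IIS 6.0 default when no key on the path sets the property.
DEFAULT = ["Negotiate", "NTLM"]

# Constructed sample: a trimmed MetaBase.xml fragment, not from a real server.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" NTAuthenticationProviders="Negotiate,NTLM"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
    NTAuthenticationProviders="NTLM"/>
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet"/>
<IIsWebServer Location="/LM/W3SVC/3" ServerComment="Reports"
    NTAuthenticationProviders="Negotiate,NTLM"/>
</MBProperty>
</configuration>"""


def effective_providers(xml_text):
    """Map each Web site key to the provider list that applies to it."""
    explicit, sites = {}, []
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc is None:
            continue
        loc = loc.upper().rstrip("/")
        value = el.get("NTAuthenticationProviders")
        if value is not None:
            explicit[loc] = [p.strip() for p in value.split(",") if p.strip()]
        # Drop the XML namespace and compare case-insensitively.
        if el.tag.rsplit("}", 1)[-1].lower() == "iiswebserver":
            sites.append(loc)
    result = {}
    for loc in sites:
        key = loc
        while key and key not in explicit:  # walk up to the parent key
            key = key.rpartition("/")[0]
        result[loc] = explicit.get(key, DEFAULT)
    return result


def sites_not_forced(xml_text):
    """Sites whose effective setting is anything other than NTLM alone."""
    return [loc for loc, prov in effective_providers(xml_text).items()
            if [p.upper() for p in prov] != ["NTLM"]]


if __name__ == "__main__":
    for loc, prov in effective_providers(SAMPLE_METABASE).items():
        print(loc, ",".join(prov))
    print("Not forced to NTLM:", sites_not_forced(SAMPLE_METABASE))
```

Sites returned by sites_not_forced still offer Negotiate, so the Kerberos failures described at the top of this topic can still occur on them.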

  • For information about metabase edit-while-running, see Enabling Edit-While-Running in IIS 6.0.

  • For more information about NTLM authentication, see "Authentication" in Help and Support Center for Windows Server 2003.

  • For more information about Kerberos, see "Kerberos" in Help and Support Center for Windows Server 2003.