Internet Explorer - Enable Integrated Windows Authentication
by admin on Feb.19, 2008, under Software, Systems
So I ran across something kind of interesting the other day. I was setting up Microsoft CRM 4.0. I got the server setup and the website configured but when I went to the website it prompted me for my username and password. I would type it in and the authentication would fail. I tried it in Firefox and it would work using my correct logged in credentials which is what Integrated Windows Authentication is.
So I check out my IIS settings, I have anonymous access disabled and Integrated Windows Authentication is checked. Why would Integrated Windows Authentication work in Firefox but not in IE. I go into Internet Options on my browser and select the advanced tab. There is an option “Enable Integrated Windows Authentication” and I have it enabled. I tried a couple of more times to make sure I wasn’t fat fingering my login and still get 401 authentication errors.
Well I thought just for the heck of it I would try unchecking the “Enable Integrated Windows Authentication” box in IE. I restarted my browser and bang it works, doesn’t prompt for password or anything. So I uncheck use Integrated Authentication and the Integrated Authentication starts working. Now I am really scratching my head.
I start searching through user groups on the Internet and I finally find the answer. In IE 6 and IE 7 the browser will use Integrated Windows Authentication if you have that checkbox enabled or disabled. The difference is the authentication type. With the box checked it with try Kerberos authentication first then fallback on NTLM. If you uncheck the box then it will just use NTLM. Thank you Microsoft for mislabeling that feature. The really annoying thing is if both ends support Kerberos authentication, you have that Integrated Windows Authentication box checked, and Kerberos fails it will not fail back to NTLM. The only way it will fail back to NTLM is if your website doesn’t support Kerberos.
What I ended up finding out was that Kerberos authentication was broken on my CRM server, quick workaround was to uncheck the box in IE. The problem with that is most features in CRM 4.0 don’t work on NTLM. I will post another time on how I fixed Kerberos on that server.
April 30th, 2009 on 6:07 am
How can I contact you? I got the same problem in CRM 4.0. I am using Windows 2008 Server and Vista.
September 9th, 2009 on 7:21 pm
Thank you very much for posting the info. I have the same problem for one of my web applications. How did you fix the kerberos on the server?
Thanks
December 11th, 2009 on 1:54 pm
Did you ever fix the kerberos problem? I have the same issue with an Exchange 2007 OWA site.
April 22nd, 2010 on 5:48 am
I’ve spend about 4 hours to fix this problem. This was causes after I ‘raised the domain functionality’. In our situation these were the two problems;
- In my network properties an DNS suffix was given, because the domain functionality was updated this wasn’t needed so I’ve deleted it.
- Second was there was no SPN for the FQD so I’ve added this also by using setspn -a http/crmserver.domain.local crmserver
Al this information I’ve found on this link below http://blog.sonomapartners.com/2007/04/kerberos_and_de.html
May 26th, 2010 on 2:23 pm
Actually work if you want to force NTLM, do it a the server level (from IIS7 - do it a the root enable Windows Authentication on top of the one set in your web.config) and that will prevent kerberos from taking over ! - no need to untick the box !
June 8th, 2010 on 8:51 am
Thanks for the posting, we had the same problem.
with that setting.
Greetings,
Claudio
August 5th, 2010 on 2:38 pm
Seeing another issue that is driving me mad. occasionally users who have an active session out of the blue get prompted for their credentials. We are only using Integrated Authentication and their browser trusts the IIS server along with the trusted site settings are set for use current user name and password. I am trying to trap the error in the event logs but the end users are not giving me adequate information like when it happened and what exactly were you doing. We are seeing this domain wide and on many different IIS servers.
September 1st, 2010 on 10:32 am
Another good reason to give IE the boot !!