Microsoft KB Archive/294382

= Authentication may fail with "401.3" Error if Web site's "Host Header" differs from server's NetBIOS name =

Article ID: 294382

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 6.0




This article was previously published under Q294382



SYMPTOMS
When you are using Internet Explorer on a Windows 2000 or later client and browsing to a Web site where the host header name is different from the NetBIOS name of the computer, Integrated Authentication may fail with an HTTP error 401.1, error 401.2, or error 401.3.

Note: Internet Explorer clients that are using Windows NT 4 or Windows 95 or Windows 98 will not fail. Also, other authentication schemes will work.

Microsoft ASP.NET users may see an error message that is similar to the following:

Server Error in ' ' Application.

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Description: An unhandled exception occurred during the execution of the current web request.

Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.



CAUSE
During Kerberos authentication, a domain controller that is running Windows 2000 or Windows Server 2003 grants tickets based on the Service Principal Name (SPN) of the Internet Information Services (IIS) Web server. If the host header (Web site name) being requested differs from the NetBIOS name of the IIS 5.0 computer, Kerberos authentication will fail, causing 401.3 errors on the client.

Clients using Windows NT 4 or Windows 95 or Windows 98 succeed because they do not natively support Kerberos and thus use Windows NT Challenge/Response (NTLM) authentication.



WORKAROUND
 If you are using Kerberos:

Use the SetSPN.exe utility, from the Windows 2000 Resource Kit, to register any host header names of Web sites that are configured to use "Integrated" authentication and will be accessed from Windows 2000 clients. For example:

Server name: webserver1.development.exair.com

Host header: www.exair.com

Use the SetSPN command to register the www.exair.com SPN:

SetSPN -A HTTP/www.exair.com webserver1

NOTE: HOST is a default service type that can be used if HTTP is not working in the registered SPN. As an example, you can use the following command to register the www.exair.com SPN to a default service type:

SetSPN -A HOST/www.exair.com webserver1

 If you are not using Kerberos:

Remove Kerberos from the list of authentication providers in Internet Information Services 5.0 by using the following command:

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"



NOTE: Adsutil.vbs must be run by a member of the local Admins group on the Internet Information Services computer.
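For the Kerberos workaround above, the following added example (not part of the original article or any Microsoft tool) checks a list of Web site host headers against the SPNs that `setspn -L <account>` reports, and prints the SetSPN commands for names that have no SPN. The sample output, the host header intranet.exair.com, and all function names are constructed for illustration.

```python
# Constructed sample of `setspn -L webserver1` output (not captured from a real system).
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=WEBSERVER1,CN=Computers,DC=development,DC=exair,DC=com:
        HTTP/www.exair.com
        HOST/WEBSERVER1
        HOST/webserver1.development.exair.com
"""


def parse_spns(setspn_output):
    """Return the set of (service, host) pairs listed by `setspn -L`, lowercased."""
    spns = set()
    for line in setspn_output.splitlines():
        # SPN entries are indented "service/host[:port]"; the header line is not indented.
        if not line[:1].isspace() or "/" not in line:
            continue
        service, _, rest = line.strip().partition("/")
        host = rest.split("/", 1)[0].split(":", 1)[0]  # drop service-name suffix and port
        spns.add((service.lower(), host.lower()))  # SPN matching is case-insensitive
    return spns


def audit_host_headers(host_headers, setspn_output):
    """Map each host header to 'HTTP', 'HOST' (default service type), or None."""
    spns = parse_spns(setspn_output)
    result = {}
    for name in host_headers:
        key = name.lower()
        if ("http", key) in spns:
            result[name] = "HTTP"
        elif ("host", key) in spns:
            result[name] = "HOST"
        else:
            result[name] = None  # Kerberos cannot get a ticket for this name
    return result


def missing_spn_commands(host_headers, setspn_output, account):
    """Build SetSPN -A commands (syntax as in the article) for uncovered names."""
    audit = audit_host_headers(host_headers, setspn_output)
    return [f"SetSPN -A HTTP/{h} {account}" for h in host_headers if audit[h] is None]


if __name__ == "__main__":
    sites = ["www.exair.com", "intranet.exair.com", "WEBSERVER1"]  # constructed list
    for site, cover in audit_host_headers(sites, SAMPLE_SETSPN_OUTPUT).items():
        print(f"{site:25} {cover or 'MISSING'}")
    for cmd in missing_spn_commands(sites, SAMPLE_SETSPN_OUTPUT, "webserver1"):
        print(cmd)
```

Feed it the real `setspn -L` output for the account that runs the Web site and the host headers configured in IIS.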



MORE INFORMATION
A fresh install of Internet Information Services 5.0 with Integrated Authentication enabled will attempt to authenticate clients with Kerberos first. If a client does not support Kerberos, IIS will send that client an "Authenticate: NTLM" header, forcing it to authenticate using Windows NT Challenge/Response.

