Microsoft KB Archive/827991

= FIX: &quot;HTTP error 401.1 - Unauthorized: Access is denied due to invalid credentials&quot; error message if the Basic authentication Default Domain property is set to a backward slash character (\) in IIS =

Article ID: 827991

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0

-





SYMPTOMS
When you use Basic authentication to connect to a Web site that is hosted by Internet Information Services (IIS), you may be prompted multiple times for a user name and a password. After you enter the correct user credentials, you may receive the following error message:

You are not authorized to view this page

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.



CAUSE
This problem may occur if the Default Domain property for Basic authentication is set to a backward slash character (\). In earlier versions of IIS, you could set the Default Domain property to a backward slash character (\) to allow the Web server to validate the logon credentials of a user against all trusting domains. However when you set the Default Domain property to a backward slash character (\) on a computer that is running Windows Server 2003, IIS will no longer allow the search for user credentials in all trusted domains.



RESOLUTION
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. Date        Time   Version       Size     File name -- 14-Jun-2004  18:02  6.0.3790.109  337,408  w3core.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
Basic authentication requires that you enter a domain name together with a user name. Therefore, an administrator may want to set the Default Domain property for Basic authentication to the most common domain that is used. This allows users in that domain to type only a user name and a password. After this, the default domain is used. This behavior will still work in IIS 6.0.

However, if users can use more than one domain, you could configure earlier versions of IIS so that the Default Domain property contained a backward slash character (\). The backward slash character (\) indicated that IIS should search all trusted domains for that user name.

However, in IIS 6.0 that behavior has changed and using the backward slash character (\) no longer works in this way. Users must type the domain name together with the user name by using the following format:

In Exchange Server 2003, Forms-based authentication automatically sets the default domain for Basic authentication on the Exchange virtual directory in Exchange System Manager to a backslash character (\). This restriction is designed to support user logons that use the UPN format. If you modify the default domain setting in IIS to anything other than the default domain setting of &quot;\&quot;, Exchange System Manager resets the default domain setting to &quot;\&quot; on the server. This change requires users to enter the domain, the username, and the password to log on to Outlook Web Access. After you apply this hotfix, users only have to enter the username and the password to log on to Outlook Web Access when you use Forms-based authentication.

