Microsoft KB Archive/165995

= Valid User Fails to Authenticate with NT Challenge/Response =

Article ID: 165995

Article Last Modified on 6/23/2005


APPLIES TO


 * Microsoft Internet Information Server 2.0
 * Microsoft Internet Information Server 3.0




This article was previously published under Q165995



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
If you have set IIS to use Microsoft Windows NT Challenge/Response (NTCR) authentication, a valid user may be unable to log on to IIS. The user is prompted three times for a user name and password and then receives the following error message:

Access is denied.



CAUSE
By design, Windows NT Challenge/Response passes the user's credentials to IIS, and the IIS server validates them. If the user has been granted permission, the page is returned. If the user has NOT been granted permission, IIS returns the above error message.

It should NOT return an authentication box. However, this may occur when the client is on the same subnet as the IIS server. When IIS challenges the client, the client thinks it should have access even if IIS is set to NTCR, and it pops up an authentication box. The box shows the following fields:

  Resource:
  Username:
  Password:

NOTE: The resource will be blank because NTCR failed.

With the Basic authentication type enabled, you would see the resource that you are trying to access. Any valid credentials that you enter will fail, except those of the administrator or administrators of that IIS server.



WORKAROUND
To be authenticated successfully every time, set the authentication type to Basic in the WWW properties in Internet Service Manager. As a result, the client can retrieve the correct resource no matter where it resides, and a valid user who has the Log on Locally right gains access to the IIS server.
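
The workaround replaces NTCR with Basic authentication, in which the client sends the user name and password base64-encoded instead of answering a challenge. The following Python sketch is an added example, not part of the original article: it lists the schemes a 401 response offers, reads the Basic realm, and flags Basic offered without TLS. The sample responses, host name and credentials are constructed, and the `over_tls` parameter is an assumption supplied by the caller.

```python
import base64

# Constructed 401 responses (not captured traffic): NTCR only, and after the workaround.
NTCR_ONLY = ("HTTP/1.0 401 Access Denied\r\n"
             "WWW-Authenticate: NTLM\r\n\r\n")
WITH_BASIC = ("HTTP/1.0 401 Access Denied\r\n"
              "WWW-Authenticate: NTLM\r\n"
              'WWW-Authenticate: Basic realm="intranet.example"\r\n\r\n')
# Constructed Authorization header value a client would send for Basic.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")


def offered_schemes(raw_response):
    """Return {scheme: parameters} for every WWW-Authenticate header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            scheme, _, params = value.strip().partition(" ")
            schemes[scheme.lower()] = params.strip()
    return schemes


def basic_realm(schemes):
    """Realm advertised with Basic, or None when Basic is not offered."""
    params = schemes.get("basic")
    if params is None:
        return None
    key, _, val = params.partition("=")
    return val.strip('"') if key.strip().lower() == "realm" else ""


def decode_basic(authorization):
    """Recover (user, password) from a Basic Authorization value."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def review(raw_response, over_tls):
    """Summarise what a server offers and whether passwords are exposed in transit."""
    schemes = offered_schemes(raw_response)
    return {"schemes": sorted(schemes),
            "realm": basic_realm(schemes),
            "password_exposed": "basic" in schemes and not over_tls}
```

`decode_basic` needs no key or secret, which is why a server switched to Basic should only be reached over an encrypted connection.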

Keywords: kberrmsg kbprb KB165995


© Microsoft Corporation. All rights reserved.