AuthenticationType Negotiate vs NTLM

I have the same code base used on two different sites hosted on the same server (IIS 7.5).

For some reason, when I check the Identity.AuthenticationType property for the code behind the http handler, I see NTLM for 1 site and Negotiate for another. This causes some problems, and I need both of them to use NTLM.

Could you help me figure out why there is this difference? So far, I see that both IIS sites are configured the same way, but, of course, there is at least one difference that I could not detect. Thanks!

EDIT
I used this link, which contains instructions for removing the Negotiate provider from IIS. This did not work for me. I ran

appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost 

Maybe I did something wrong, but it did not help. I still see "Negotiate" as the AuthenticationType.

My problem is that I set credentials for impersonation in web.config, but they are not used. Instead of using the credentials that I provide, it uses an anonymous user.

And something strange is that Windows Authentication is disabled. I thought "Negotiate" is only used for Windows Authentication.

+4
4 answers

Negotiate will choose either NTLM authentication or Kerberos on its own. If the site says NTLM, it will only select NTLM authentication. Check both sites and make the authentication the same.

+2

Windows authentication must be enabled and anonymous authentication disabled in order to get a registered user (I assume that you are authenticating in the domain and do not want to fall back to the anonymous user if the user doesn't have authorized credentials using Windows auth).

In IIS 7.5, to see which providers are used, click Authentication, right-click Windows Authentication, and select Providers. You will have a list of enabled providers; the order is important. Try to make sure they are the same (in your case, with NTLM at the top of the list).

Sorry for the late reply!

+1

First of all, check if there is a difference between the types of authentication that are allowed for each site.

By default, only anonymous is enabled.

0

If your version of Internet Information Server (IIS) is 7.0, look at the file %SystemDrive%/Windows/System32/inetsrv/config/ApplicationHost.config for a section like this:

    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="false">
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>

The documentation for Windows Authentication Providers can provide more details.

The Remove NEGOTIATE message from WindowsAuthentication in IIS section contains instructions for removing Negotiate, which I found useful when I tried to re-enable Negotiate.

0
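Added example (not part of the original thread or any poster's code): a Python sketch that resolves the effective Windows Authentication settings per site from an applicationHost.config excerpt and reports where two sites differ, which is the comparison the answers above recommend. The XML is a constructed sample, "Fabrikam" is a hypothetical second site, and the sketch assumes overrides live only in site-level `<location>` elements of applicationHost.config (it does not read per-site web.config files or nested application paths).

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt: server defaults plus <location>
# overrides for two sites ("Fabrikam" is a hypothetical second site).
SAMPLE = """<configuration>
 <system.webServer><security><authentication>
  <anonymousAuthentication enabled="true" />
  <windowsAuthentication enabled="false">
   <providers><add value="Negotiate" /><add value="NTLM" /></providers>
  </windowsAuthentication>
 </authentication></security></system.webServer>
 <location path="Contoso"><system.webServer><security><authentication>
  <anonymousAuthentication enabled="false" />
  <windowsAuthentication enabled="true"><providers><remove value="Negotiate" /></providers></windowsAuthentication>
 </authentication></security></system.webServer></location>
 <location path="Fabrikam"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true" />
 </authentication></security></system.webServer></location>
</configuration>"""

AUTH = "system.webServer/security/authentication"

def effective_auth(config_xml, site):
    """Apply server defaults, then the site's <location> overrides, in file order."""
    root = ET.fromstring(config_xml)
    scopes = [root] + [loc for loc in root.findall("location")
                       if loc.get("path", "").lower() == site.lower()]
    # Assumption: these starting values only matter if the file never sets them.
    state = {"anonymousAuthentication": True, "windowsAuthentication": False, "providers": []}
    for scope in scopes:
        for tag in ("anonymousAuthentication", "windowsAuthentication"):
            el = scope.find(f"{AUTH}/{tag}")
            if el is not None and "enabled" in el.attrib:
                state[tag] = el.get("enabled").lower() == "true"
        # Provider order matters, so replay <clear/>, <remove/>, <add/> in sequence.
        for op in scope.findall(f"{AUTH}/windowsAuthentication/providers/*"):
            value, current = op.get("value"), state["providers"]
            if op.tag == "clear":
                current.clear()
            elif op.tag == "remove" and value in current:
                current.remove(value)
            elif op.tag == "add" and value not in current:
                current.append(value)
    return state

def diff_sites(config_xml, a, b):
    """Return {setting: (value_for_a, value_for_b)} for every setting that differs."""
    sa, sb = effective_auth(config_xml, a), effective_auth(config_xml, b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}
```

On the constructed sample, `diff_sites(SAMPLE, "Contoso", "Fabrikam")` shows that Fabrikam still inherits anonymous authentication and keeps Negotiate ahead of NTLM, while Contoso offers NTLM only.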

Source: https://habr.com/ru/post/1334928/

