Unable to authenticate and login to the website via Windows Authentication mode when using IIS 7
IIS 7.0 passes the Negotiate security header when Integrated Windows authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos authentication unless one of the following conditions is true:
• One of the systems that is involved in the authentication cannot use Kerberos authentication.
• The calling application does not provide sufficient information to use Kerberos authentication.
To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name as the target name. Otherwise, the Negotiate process always selects the NTLM protocol as the preferred authentication method.
To make sure that IIS supports both the Kerberos protocol and the NTLM protocol, you must confirm that the Negotiate authentication provider is set in the <providers> collection of the security/authentication/windowsAuthentication section of the applicationHost.config file. There are two ways to do this:
1) If the IIS 6 Management Compatibility component is installed on the IIS 7.0 server, use the following command to set the providers to both Negotiate and NTLM:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
2) If the IIS 6 Management Compatibility component is not installed on the IIS server, use the following commands to set both providers:
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='NTLM']" /commit:apphost
Make sure Windows Authentication in IIS Roles Services are installed.
Server Manager | Role Services | IIS , Add Role services | Enable Windows Authentication