Friday, January 2, 2009

"HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS

Cause: This behavior may occur if the following conditions are true:
  • The IIS 6.0 Web site is part of an IIS application pool.
  • The application pool is running under a local account or under a domain user account.
  • The Web site is configured to use Integrated Windows authentication only.
In this scenario, when Integrated Windows authentication tries to use Kerberos, Kerberos authentication may not work, because the HTTP service principal name for the Web site is not registered on the account that the application pool runs under. To use Kerberos authentication, a service must register its service principal name (SPN) under the account in the Active Directory directory service that the service is running under. By default, Active Directory registers the network basic input/output system (NetBIOS) computer name. Active Directory also permits the Network Service or the Local System account to use Kerberos.

Resolution 1: When the application pool is running under a domain user account, set up HTTP SPNs for the NetBIOS name and the fully qualified domain name (FQDN) of the IIS computer, registered to the domain user account that the application pool is running under. To do this, follow these steps on a domain controller:

Important: An SPN for a service can only be associated with one account. Therefore, if you use this suggested resolution, any other application pool that is running under a different domain user account cannot be used with Integrated Windows authentication only.
  1. Install the Setspn.exe tool. To obtain the Microsoft Windows 2000 version of the tool, visit the following Microsoft Web site:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en
    The Microsoft Windows Server 2003 version of the Setspn.exe command-line tool is available in the Windows Server 2003 Support Tools that are included on your Windows Server 2003 CD. To install the tools, double-click the Suptools.msi file in the Support/Tools folder.
  2. Start a command prompt, and then change to the directory where you installed Setspn.exe.
  3. At the command prompt, type the following commands. Press ENTER after each command:
    setspn.exe -a http/IIS_computer's_NetBIOS_name DomainName\UserName

    setspn.exe -a http/IIS_computer's_FQDN DomainName\UserName
    Note: UserName is the user account that the application pool is running under.
After you set the SPN for the HTTP service to the domain user account that the application pool is running under, you can successfully connect to the Web site without being prompted for your user credentials.
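Added here as an illustration (not part of the original KB article or of Microsoft's tooling): a Python check that parses captured "setspn.exe -L" output for each candidate pool account, reports whether the two HTTP SPNs from step 3 are registered on the pool account, and flags any SPN held by more than one account, which is the situation the Important note warns about. The account names, host names and setspn listings are constructed sample values.

```python
from typing import Dict, List, Set

# Constructed sample output of "setspn.exe -L DOMAIN\account" for two pool
# accounts (not captured from a real domain). svc_pool2 also holds the FQDN
# SPN, which is the duplicate-SPN situation the Important note describes.
SETSPN_OUTPUT = {
    "CONTOSO\\svc_pool1": (
        "Registered ServicePrincipalNames for CN=svc_pool1,OU=Service,DC=contoso,DC=com:\n"
        "        HTTP/iisweb01\n"
        "        HTTP/iisweb01.contoso.com\n"
    ),
    "CONTOSO\\svc_pool2": (
        "Registered ServicePrincipalNames for CN=svc_pool2,OU=Service,DC=contoso,DC=com:\n"
        "        HTTP/iisweb01.contoso.com\n"
    ),
}

def parse_setspn_list(output: str) -> Set[str]:
    """Extract SPNs from setspn -L output; AD matches SPNs case-insensitively."""
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue  # header line, not an SPN
        spns.add(line.lower())
    return spns

def required_http_spns(netbios_name: str, fqdn: str) -> Set[str]:
    """The two HTTP SPNs the article registers for the IIS computer."""
    return {f"http/{netbios_name}".lower(), f"http/{fqdn}".lower()}

def audit(listings: Dict[str, str], pool_account: str,
          netbios_name: str, fqdn: str) -> Dict[str, List[str]]:
    """Report SPNs the pool account lacks and SPNs held by more than one
    account (a duplicate SPN breaks Kerberos for every account holding it)."""
    registered = {acct: parse_setspn_list(out) for acct, out in listings.items()}
    missing = sorted(required_http_spns(netbios_name, fqdn)
                     - registered.get(pool_account, set()))
    holders: Dict[str, List[str]] = {}
    for acct, spns in registered.items():
        for spn in spns:
            holders.setdefault(spn, []).append(acct)
    duplicates = sorted(spn for spn, accts in holders.items() if len(accts) > 1)
    return {"missing": missing, "duplicates": duplicates}

def setspn_commands(missing: List[str], pool_account: str) -> List[str]:
    """The setspn.exe -a commands from step 3 that would add the missing SPNs."""
    return [f"setspn.exe -a {spn} {pool_account}" for spn in missing]
```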
Resolution 2: When the application pool is running under a local account
This workaround also applies if you have multiple application pools that run under different domain user accounts. In either case, you must force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only. Because the property is set at the w3svc level, it applies to every Web site on the server unless a site-level setting overrides it. To do this, follow these steps on the server that is running IIS:
  1. Start a command prompt.
  2. Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
  3. Type the following command, and then press ENTER:
    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
  4. To verify that the NtAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER:
    cscript adsutil.vbs get w3svc/NTAuthenticationProviders
The following text should be returned:
    NTAuthenticationProviders       : (STRING) "NTLM"
