IIS offers five authentication methods: anonymous access, Integrated Windows authentication, Basic authentication, Digest authentication for Windows domain servers, and .NET Passport authentication. In our company we use Integrated Windows authentication: once an employee has logged on to the domain, he can open any site we publish without entering a username and password, because the Windows domain account and password he logged on with are used for the verification. What I had never noticed, however, is that even with Integrated Windows authentication selected, IIS can use different authentication schemes during the actual verification:
Kerberos and NTLM authentication
When Integrated Windows authentication is used to verify a client request, Internet Information Services (IIS) sends the Negotiate header. The Negotiate security header lets the client choose between Kerberos and NTLM. Negotiate selects Kerberos unless one of the systems involved in the authentication cannot use it, or the calling application does not provide enough information to use Kerberos.
Inside the company we never notice which scheme is used. But when we publish these sites to the Internet through ISA 2000 and then open them (logging on to the domain) from the Internet, we find that on Windows 2000 an authentication dialog pops up asking for the username and password, while on XP it simply tells you that the page cannot be found. What is actually happening? After a great deal of monitoring from several sides, we found that the problem lies with Negotiate: if we do not use the Negotiate header and choose NTLM authentication instead, then even from the Internet, as long as you have logged on (even if the domain controller cannot be found, since the logon can be satisfied from the credentials cached on the local machine), it is possible that the username and password are not required.
Therefore, we can configure IIS to use NTLM authentication only.
1. Click Start, click Run, type cmd, and press Enter.
2. Locate the directory that contains the adsutil.vbs file. By default this is C:\Inetpub\AdminScripts.
3. Use the following command to retrieve the current value of NTAuthenticationProviders:
cscript adsutil.vbs get w3svc/NTAuthenticationProviders
4. Disable Negotiate so that IIS sends only the NTLM header. To disable Negotiate (and therefore block Kerberos authentication), use the following command (note that "NTLM" must be in capital letters to avoid any adverse effects):
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
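To confirm from the client side that the change took effect, an unauthenticated request to the site should now get a 401 whose WWW-Authenticate headers list NTLM only, with no Negotiate. The following Python check is an added example and not part of the original post; the sample header lists are constructed, and the host name passed to probe() is an assumption.

```python
import http.client
from typing import Iterable


def offered_schemes(www_auth_headers: Iterable[str]) -> set:
    """Return the authentication schemes advertised by WWW-Authenticate headers.

    IIS sends one header per provider (e.g. "Negotiate" and "NTLM"), but some
    servers fold several challenges into one comma-separated header, and a
    challenge may carry parameters ("Digest realm=..., nonce=..."), so only
    the leading token of each piece that is not a key=value parameter counts.
    """
    schemes = set()
    for header in www_auth_headers:
        for piece in header.split(","):
            token = piece.strip().split(" ", 1)[0]
            if token and "=" not in token:
                schemes.add(token.lower())
    return schemes


def negotiate_disabled(schemes: set) -> bool:
    """True when the server offers NTLM but no longer offers Negotiate."""
    return "ntlm" in schemes and "negotiate" not in schemes


def probe(host: str, path: str = "/", port: int = 80) -> set:
    """Send one anonymous GET and return the schemes offered in the 401 reply."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 401:
            return set()
        return offered_schemes(resp.msg.get_all("WWW-Authenticate") or [])
    finally:
        conn.close()


# Constructed sample 401 header lists (not captured from a real server).
BEFORE_CHANGE = ["Negotiate", "NTLM"]  # IIS default: Negotiate offered
AFTER_CHANGE = ["NTLM"]                # after NTAuthenticationProviders = "NTLM"

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_CHANGE), ("after", AFTER_CHANGE)):
        s = offered_schemes(hdrs)
        print(label, sorted(s), "negotiate disabled:", negotiate_disabled(s))
    # Live check against an assumed host: print(probe("intranet.example.com"))
```

Keep in mind that a value set at w3svc is inherited by every site on the server, and that NTLM gives up the mutual authentication Kerberos provides, so the downgrade should be limited to the ISA-published sites that actually need it.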