bpraveen's Blog

A Business Critical Website hosted on IIS on Windows 2000 server which has configured with Windows Authentication, suddenly was not accessible. users are getting 401.1 and 401.2 authentication failure errrors. When investigated we found that the SPN for the website is missing from AD. And users are getting authentication failures.
The website can be configured to be authenticated by Kerberos and NTLM if required.

Lets see how this works.
A website hosted on IIS can use both Kerberos and NTLM protocols for authenticating users. There is an option for negotiate authentication in the authentication methods. so, we negotiate authentication is selected then it will try to get autheticate users by Kerberos Protocol. If this fails, then fall backs to NTLM.
So what is required to get authenticated by these 2 protocols.
Kerberos Authentication: kerberos authentication requires an SPN registered for the URL in Active Directory.
NTLM Authentication: If Kerberos fails then NTLM authentiction should take place. In order to have NTLM Authentication successfully, you need to enable an option called “HTTP Keep-Alive” settings in the webserver properties.

In the above issue mentioned. neither the SPN is registered nor the HTTP Keep-Alive settings is enabled. Both the authentication methods were failing. Seems some one accidentally removed SPN or/and disabled HTTP Keep-Alive setting.

To know more about how to configure IIS to support both Kerberos Protocol and NTLM Protocol for network authentication, see the below link.
http://support.microsoft.com/kb/215383
Also you can find what changes in IIS 6.0 at
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7b037954-441d-4037-a111-94df7880c319.mspx?mfr=true