This blog will be updated almost daily, and the topics will deal with the daily support of SAP BusinessObjects BI. So check back daily!

Sunday, May 23, 2010

Fixing the 401.1 Access Denied Error

This is a classic example of why the .NET InfoView will not work with Kerberos and Windows AD authentication along with NTLM. Even when all installation steps and settings are done by the book, .NET InfoView returns “Access Denied … 401.1 …”. This is specific to IIS 6.0 and might not apply to IIS 5.1 or earlier.

By default, the NTAuthenticationProviders metabase property is not defined when you install IIS 6.0. When the property is not defined, IIS 6.0 uses the Negotiate, NTLM parameter. To verify:

  • Open the command prompt (click Start, then click Run and type in CMD) and change the directory to c:\Inetpub\Adminscripts
  • Then run this command: cscript adsutil.vbs get w3svc/NTAuthenticationProviders
  • It is supposed to give this output:
          NTAuthenticationProviders : (STRING) "NTLM"


         But you’ll get this:


Fig 01 - Adminscripts contents

This means that IIS cannot use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only.
You will have to force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only and you have multiple application pools that run under different domain user accounts.

Now run this command: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

Fig 02 - NTLM Assignment

The screen will show the assignment of “NTLM” to NTAuthenticationProviders.


This solution is provided by Microsoft under KB215383
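
The check-and-set steps above as one PowerShell script, added here as an example (it is not from the original post or from Microsoft). It assumes the AdminScripts path and the output format shown above, and writes the previous value to a hypothetical log file under %TEMP%; without -Apply it only reports the current state.

```powershell
# Added example: not from the original post or from Microsoft.
# Assumes the AdminScripts path used in the post and an administrator prompt.
param([switch]$Apply)   # without -Apply the script only reports

$AdsUtil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$Node    = 'w3svc/NTAuthenticationProviders'

function Get-NTAuthProviders {
    # Same "get" command as in the post; returns the configured string,
    # or $null when the output carries no (STRING) value for the property.
    $raw = & cscript.exe //nologo $AdsUtil get $Node 2>&1 | Out-String
    if ($raw -match 'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"') {
        return $Matches[1]
    }
    return $null
}

function Get-NTAuthSummary($Value) {
    # Explains what a given property value means for Integrated Windows authentication.
    if ($null -eq $Value) {
        return 'not defined: IIS 6.0 uses Negotiate,NTLM'
    }
    $providers = $Value.Split(',') | ForEach-Object { $_.Trim() }
    if ($providers -contains 'Negotiate') {
        return "'$Value': Negotiate is offered, so Kerberos can still be selected"
    }
    return "'$Value': Negotiate is not offered, clients authenticate with NTLM"
}

$before = Get-NTAuthProviders
Write-Output ('Before: ' + (Get-NTAuthSummary $before))

if ($Apply) {
    # Record the previous value (hypothetical log file name) so the change can be reverted.
    $shown = '<not defined>'
    if ($null -ne $before) { $shown = $before }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Add-Content -Path "$env:TEMP\NTAuthProviders-before.txt" -Value "$stamp $shown"

    # Same "set" command as in the post, then read the value back to confirm it.
    & cscript.exe //nologo $AdsUtil set $Node 'NTLM' | Out-Null
    $after = Get-NTAuthProviders
    Write-Output ('After:  ' + (Get-NTAuthSummary $after))
    if ($after -ne 'NTLM') { Write-Error 'NTAuthenticationProviders was not set to NTLM' }
}
```

Because the value is set at the w3svc level, the summary line is also a record that Negotiate, and with it Kerberos, is no longer offered by this server after the change.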

One can also delete the negotiation of NTLM by running the command cscript adsutil.vbs DELETE

Other help commands are given under this: cscript adsutil.vbs help

I hope that this will be useful to someone. Comments and corrections are welcome.
