Published on: 23 February 2021
Author: Ramesh Kanjinghat
Do you have an application with Windows Authentication enabled, deployed on IIS, that doesn't work with Edge? Other browsers work fine: you enter the username and password and you are in. But Edge and Internet Explorer just keep asking for the credentials and you never get in.
I will start with the solution(s) and then dig a bit deeper to understand what causes this.
Solution 1: This fixes the issue on the server side, i.e., in IIS.
- Open IIS Manager:
  - Right-click Start --> Run --> type inetmgr and hit Enter.
  - If you are running Windows 10, type IIS or inetmgr in the search box and hit Enter.
- Expand Sites under your server node and click on your web application.
- Look for Authentication in the Features View and double-click it.
- Click on Windows Authentication in the Features View.
- Assuming Windows Authentication is enabled, click the Providers... action.
- Select Negotiate under Enabled Providers: and hit the Remove button on the right.
- Restart your application.
Solution 2: This is not an ideal solution, as it requires every client machine to make these changes. But I want to make sure I mention all the options I know.
- Open Registry Editor on the client machine.
- Select the registry key Internet Settings under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion.
- In the right-hand pane, right-click EnableNegotiate, hit Modify... and change Value data to 0 (zero).
- Restart the machine.
Either of these solutions should fix the issue and you should be able to log in using Edge/Internet Explorer.
Now that we have fixed the issue, let's try to understand why Edge/Internet Explorer fail to log you in where other browsers work fine.
When it comes to authenticating an intranet application deployed on IIS, the best option is Integrated Windows Authentication. Two of the authentication schemes you come across in this scenario are
- Negotiate: needs both the client and the server joined to the AD DC.
- NTLM (New Technology LAN Manager): only the server needs to be joined to the AD DC.
AD DC: Active Directory Domain Controller.
Learn more about Negotiate and NTLM at https://docs.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/windowsAuthentication/
When you access an authenticated application through the browser, the server (in our case IIS) responds with a challenge.
- Because we had both Negotiate and NTLM enabled, IIS tells the browser that it can use either of these protocols to authenticate. We can see this in the browser's developer tools.
- By default, Edge and Internet Explorer favor Negotiate over NTLM. So, when it sees Negotiate as an option, Edge/IE keeps trying the Negotiate protocol even after you provide a username and password.
- But the browser's request with the Negotiate protocol fails because the client machine is not joined to the AD DC, so the server challenges again.
So, removing Negotiate from the equation fixes the issue.
With Solution 1, the only option IIS offers in its challenge is NTLM, so Edge/IE use NTLM.
With Solution 2, browser support for Negotiate is removed, so the browser uses NTLM even when Negotiate is available on the server.
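To confirm which providers IIS is actually offering, i.e. the same WWW-Authenticate headers we read off the browser's developer tools, here is an added Python check that is not part of the original post; the intranet URL in it is a placeholder you replace with your own application. After Solution 1 it should list NTLM only.

```python
"""Check which auth schemes an IIS site advertises in its 401 challenge.
Added diagnostic example, not code from the original post: it reads the same
WWW-Authenticate headers the author points to in the browser developer tools."""
import http.client
import sys
from urllib.parse import urlparse


def parse_schemes(header_values):
    """Return scheme names from one or more WWW-Authenticate values.
    IIS sends one header per enabled provider ("Negotiate", "NTLM"); some proxies
    fold them into one comma-separated value. Parameters such as Digest's
    realm="..." contain '=' and are skipped."""
    schemes = []
    for value in header_values:
        for part in value.split(","):
            token = part.strip().split(" ", 1)[0]
            if token and "=" not in token and token not in schemes:
                schemes.append(token)
    return schemes


def fetch_challenge(url, timeout=10):
    """Send one unauthenticated GET; return (status, WWW-Authenticate values)."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("GET", p.path or "/", headers={"Connection": "close"})
        resp = conn.getresponse()
        return resp.status, [v for k, v in resp.getheaders() if k.lower() == "www-authenticate"]
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder URL (assumption): pass your own intranet application as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://intranet.example.local/app/"
    try:
        status, values = fetch_challenge(target)
    except OSError as exc:
        sys.exit(f"could not connect to {target}: {exc}")
    schemes = parse_schemes(values)
    print(f"HTTP {status}; advertised schemes: {schemes or 'none'}")
    if "Negotiate" in schemes:
        print("Negotiate still offered: non-domain-joined Edge/IE clients will keep re-prompting.")
```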