internet-explorer, iis, iis-7.5, windows-server-2008-r2, ntlm

NTLM authentication fails with IE, works with Chrome and Firefox


I'm trying to use NTLM authentication on an intranet web application. The setup is using IIS 7.5 on Server 2008 R2.

When I navigate to the page I have Windows Authentication enabled for, the dialog is properly displayed and allows me to authenticate in Chrome and Firefox, but IE seems like it's sending the wrong Negotiate token.

I'm assuming that IE is just configured incorrectly, though I've searched all over and can't figure out what's wrong.

I ran Fiddler and the headers sent back from the server when the page is first hit look like the following:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 03 Dec 2015 21:49:09 GMT
Content-Length: 6333
Proxy-Support: Session-Based-Authentication

When I then try to log in with the different browsers, the responses look like the following. Both the Firefox and Chrome responses succeed and IE fails. Oh, and I've tried IE 11 as well, and that also fails. I'm assuming that header will look similar, but I can provide that if someone would like to see it as well.

Any thoughts on what is wrong with IE would be greatly appreciated.

Firefox responds to the server with:

Host: intranet.gwlisk.com:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

Chrome responds to the server with:

Host: intranet.gwlisk.com:81
Connection: keep-alive
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

IE responds to the server with:

Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: intranet.gwlisk.com:81
Authorization: Negotiate [token not preserved]

Solution

  • It seems as though the token IE is passing here is a Kerberos token instead of an NTLM token (if I have my terminology correct). I resolved this problem by removing the Negotiate provider that implements the Kerberos authentication and now everything works as expected.

    Remove NEGOTIATE from WindowsAuthentication in IIS
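
To confirm which mechanism a browser actually sent, the Authorization value from a Fiddler capture can be decoded offline. The following is an added example, not code from the original question or answer: it classifies the Firefox and Chrome tokens shown above and a constructed SPNEGO prefix. The function name and the byte-pattern heuristic (rather than a full ASN.1 parse) are assumptions of this example.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Tokens copied from the Firefox and Chrome requests on this page.
FIREFOX = "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
CHROME = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
# Constructed sample: only the leading bytes of a SPNEGO token whose
# mechanism list names Kerberos. It is not a real ticket.
SPNEGO_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x05\x00" + OID_SPNEGO + b"\xa0\x82\x04\xf6" + OID_MS_KRB5 + OID_KRB5
).decode()


def classify_authorization(value):
    """Report the HTTP scheme and the mechanism actually carried in the token."""
    scheme, _, token = value.strip().partition(" ")
    raw = base64.b64decode(token.strip())
    info = {"scheme": scheme, "mechanism": "unknown", "spnego": False}
    if raw.startswith(NTLM_SIG) and len(raw) >= 16:
        # Raw NTLMSSP message: little-endian message type at offset 8.
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info["mechanism"] = "NTLM"
        info["ntlm_type"] = NTLM_TYPES.get(msg_type, msg_type)
        if msg_type == 1:  # offset 12 holds the flags only in a type 1 message
            info["flags"] = hex(flags)
    elif raw[:1] == b"\x60":
        # GSS-API initial token (ASN.1 APPLICATION 0), as SPNEGO produces.
        head = raw[:64]
        info["spnego"] = OID_SPNEGO in head
        if NTLM_SIG in raw:
            info["mechanism"] = "NTLM"  # NTLM message wrapped in SPNEGO
        elif OID_KRB5 in head or OID_MS_KRB5 in head:
            info["mechanism"] = "Kerberos"
    return info


if __name__ == "__main__":
    for name, header in (("Firefox", FIREFOX), ("Chrome", CHROME),
                         ("constructed SPNEGO", SPNEGO_KRB)):
        print(name, classify_authorization(header))
```

Chrome's request shows that the `Negotiate` scheme name alone does not identify the mechanism: its token is a raw NTLM message.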