I have a site running in IIS 7.5 that is accessed using a DNS alias other than the actual server name. In IE 8, integrated authentication fails, but everything works fine in Firefox and Chrome. (IE calls the account several times, then displays the page with error 401.1.)
I realized that this is because IE uses Kerberos (aka "Negotiate") on top of NTLM, and Kerberos requires registration of the service principal name (using SETSPN) so that the mismatch between the DNS name and the server name is handled correctly.
My website, however, does not need to be personified - just having delegation. So instead of messing with SetSPN, I just wanted to remove "Negotiate" from the list of WindowsAuthentication methods in IIS.
I was looking for quite a while to find out how to do this in IIS. I played with many appcmd commands, but I just can't find online examples or figure out how, by reading the MSDN documentation or using `appcmd /?`, to make the appcmd commands apply only to a specific application on the site rather than to the entire web server. After a few hours of searching over more than two days and at least 3 dozen web pages visited, I still find myself barren.
How can I do this - it seems that it should be so simple!
ErikE
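An added example, not part of the original post: one way to scope the change to a single application with appcmd, run from an elevated command prompt. The application path `Default Web Site/MyApp` is a hypothetical placeholder, and the sketch assumes the provider list is inherited from the server-level defaults.

```bat
@echo off
rem Added example. APP is a hypothetical placeholder for "<site name>/<application path>".
set APPCMD=%windir%\system32\inetsrv\appcmd.exe
set APP=Default Web Site/MyApp
set SECTION=system.webServer/security/authentication/windowsAuthentication

rem 1. Show the Windows Authentication settings currently in effect for this application only.
"%APPCMD%" list config "%APP%" -section:%SECTION%

rem 2. Remove Negotiate from the providers collection for this application.
rem    The section is locked at server level by default, so the change is
rem    committed to applicationHost.config, where appcmd writes it inside a
rem    <location path="..."> element instead of changing the server-wide list.
"%APPCMD%" set config "%APP%" -section:%SECTION% /-"providers.[value='Negotiate']" /commit:apphost

rem 3. Confirm: the application's provider list should now contain NTLM but
rem    not Negotiate, so clients of this application authenticate with NTLM only.
"%APPCMD%" list config "%APP%" -section:%SECTION%

rem 4. Compare with the server-level list, which should still contain Negotiate.
"%APPCMD%" list config -section:%SECTION%
```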