Hello. At a loss here. Have been trying to get Windows Authentication working on the CertSrv site for Certificate Enrollment. All I get is a logon box that comes up from domain computers. Even if I enter creds three times, I then get the Not Authorized - Error 401. The requested resource requires user authentication. Now just trying on a basic htm file.
Would like to use Kerberos. Here is what I have done and tried. Perhaps someone can help.
Removed Enrollment and installed only IIS- added virtual dir and application (basic htm message for testing)
App pool is using default AppPoolIdentity
Default web site and application - Authentication and disabled Anonymous and Enabled Windows Authentication
Provider list order is Neg then NTLM
From the local server http://localhost/test the test page comes up
From Domain computers I get a logon box etc to the same page.
http://servername is added to the local intranet along with *.domainname
***If I go into providers for the site and app and move NTLM up above Negotiate it will work, but my understanding, and I may be wrong, is that this is not best practice???
I would really like to have it use Kerberos. Tried the following with the same result. (My understanding here is that by default, even though it says Neg and NTLM, it will try Kerberos first; I don't need to add the provider neg:kerberos???)
Authentication | Windows - Enabled | Advanced | unchecked Enable Kernel-mode Authentication.
Restarted and still getting same logon box presented from domain computers
So changed it back to being checked
Created a domain user account mem1pool and added to local IIS_IUSRS group on the web server
setspn -s http/servername domainname\mem1pool
ADUC mem1pool | delegation | Trust to specified services (host and rpcss)
Server IIS | Application Pool | Default | Advanced and changed from ApplicationPoolIdentity to the domain user I created. (never tried Network Service etc.)
Restarted everything and am still getting the same logon box that presents three times and then the 401 error
What am I missing???? :-/
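
An added example, not part of the original post: a read-only PowerShell check, run on the web server, that prints the settings the post walks through (Windows Authentication state, provider order, kernel-mode flag, app pool identity, SPN registration). The pool name `DefaultAppPool` and the `useAppPoolCredentials` attribute are assumptions not mentioned in the post; `http/servername` is the post's own placeholder.

```powershell
# Added example, read-only: nothing here changes IIS or Active Directory.
Import-Module WebAdministration

$site   = 'Default Web Site'   # site named in the post
$app    = 'test'               # test application from http://localhost/test
$pool   = 'DefaultAppPool'     # assumption: the post only says "Default"
$spn    = 'http/servername'    # placeholder exactly as written in the post
$filter = 'system.webServer/security/authentication/windowsAuthentication'

# Read one attribute of the windowsAuthentication section at a given location.
function Get-WinAuthSetting($Location, $Name) {
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $filter -Name $Name).Value
}

foreach ($loc in @($site, "$site/$app")) {
    # Provider order as IIS will offer it (Negotiate before NTLM in the post).
    $providers = Get-WebConfiguration -PSPath 'IIS:\' -Location $loc `
        -Filter "$filter/providers/add" | ForEach-Object { $_.value }

    [pscustomobject]@{
        Location              = $loc
        WindowsAuthEnabled    = Get-WinAuthSetting $loc 'enabled'
        Providers             = $providers -join ', '
        # Kernel mode on with useAppPoolCredentials off means the Kerberos ticket
        # is decrypted with the machine account, not the pool's domain account.
        UseKernelMode         = Get-WinAuthSetting $loc 'useKernelMode'
        UseAppPoolCredentials = Get-WinAuthSetting $loc 'useAppPoolCredentials'
    }
}

# Identity the worker process runs as (ApplicationPoolIdentity vs. the domain user).
$pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
"App pool $pool runs as: $($pm.identityType) $($pm.userName)"

# Which account holds the SPN, and is any SPN registered more than once?
setspn -Q $spn
setspn -X
```

On a domain client, `klist` after a failed attempt shows whether a service ticket for the HTTP SPN was issued at all.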