IIS 6 Random Authentication

19 years 4 weeks ago #10460 by Biggystumps
Hello all,

I help support a pretty large network. Approx 800 computers. I have been troubleshooting an issue for about a week now and have only minimized the effects.
What happens is our users here use a tool on our local intranet, and it is randomly prompting them for their domain login and password.

This was happening to the entire website until I enabled Anonymous Access for the whole site. Now, cool, it seemed to work. Except the agents here need 2 specific tools that require their username and password.
I enabled Windows Integrated Authentication for these 2 specific tools and they work, most of the time. It seems pretty random, but every once in a while the users are prompted to enter the domain name and password again. When they enter their info, it does not accept their credentials and eventually locks out their account.
I'll try drawing a diagram.

]-anonymous Auth
|
|]-Windows Integrated
|]-Windows Integrated

I'm trying to show that for the main site in IIS I have set it to just anonymous; there are 2 tools under that, that require Windows Auth.

The only temp fixes I have are to:
1) repair the connection
2) close all IE windows then repair the connection
3) Reboot the computer.
4) wait it out - sometimes it will just start working again

I have narrowed it down to an IIS issue by going to the client and verifying that the intranet sites are added to the trusted sites in local intranet. I went a step further and went to Custom level under security and tried with all 4 different user authentication settings. (This overrides the Enable Windows Integrated Authentication in the advanced tab of IE.) If there is anything else I can verify on the client please state it.

We are also in the middle of a domain migration. We migrated the webserver over to the new domain, then this started happening. There is a 2-way non-transitive trust between the domains. I have migrated some user accounts over to this new domain (the same as the webserver) and the users say they get asked for their credentials too. I believe that this means the trust is intact and pushes the issue to IIS.

Currently I walk the floor checking to see if someone is getting the error. When I get someone, I have a test website set up and I compare and troubleshoot the issue until theirs starts working again; however, it only works by using one of the temp fixes listed above. I'm reading up on IIS authentication and researching more on TechNet and Google but have not found any fixes.

Currently I have 6 months experience in an IT Department, and our Sr. Tech left last week, leaving myself and the IT manager.

Any suggestions are worth posting.
Thanks everyone in advance for your efforts.

MCSE - MCSA
2003 certified
19 years 4 weeks ago #10471 by TheBishop
Replied by TheBishop on topic Authentication issue
Thanks for such a comprehensive post
Applying the golden rule of "what changed last?", I have a gut feeling this could be a knock-on effect of your domain migration. What are you migrating here? We did an NT4 to Active Directory migration and during the transitional period it threw up a number of 'funnies' not unlike this.
Another line of investigation would be to check not only the access permissions for the users in IIS but also the basic access permissions of the users to the actual files and folders that make up the website(s). It could just be that something has crept in here.
The fact that it happens sometimes and not others though makes me suspect a domain-related authentication issue of some kind.
19 years 4 weeks ago #10485 by Biggystumps
Thx for the info Bishop!
We are running a native Server 2003 & all clients are XP.
We were running the same thing before, just consolidated some of the other servers, and our business unit is all being migrated to this new domain.
I actually haven't checked the permissions on the folders individually (I'm going to do that now). All folders inherit the permissions from their parent; when I checked the top one, it had read & write for the Domain Users group. I've even tried adding the Everyone group with the same results.

I have a couple more interesting developments. When our users are prompted to enter their current username and passwords, they are for the old domain and get rejected. When I enter my info I am logged in right away. My account is an admin account in the old domain and I am not prompted to log in again until I close all IE windows and re-open the intranet site and click to use the tool.

I have been seeing some things online about NTLM causing things like this, and I did find something in Event Viewer on a client last night that said:
The Kerberos client received KRB_AP_ERR_MODIFIED error from the server host/<webserver name>. This indicates that the password used to encrypt the kerberos service ticket then that on the target computer. This could be caused by identical machine name accounts in the target realm <New Domain>, and the client realm.

However, in the AD Users and Computers snap-in for the new domain, we have not created the new computer accounts; we've only been testing by moving over some users at a time, and observing the effects.

I do agree with you Bishop on the domain-related authentication. It's just hard to pinpoint. I have been able to recreate the issue with another website hosted by the same IIS server. I have the same permissions set up and am just using Windows Integrated Authentication.

thx again to all who have any suggestions.

MCSE - MCSA
2003 certified
19 years 3 weeks ago #10505 by Kn1ght
Sorry, but your post hurt my head; I couldn't finish it.


I don't know IIS that well anyway :)

Thanks
19 years 3 weeks ago #10520 by TheBishop
Replied by TheBishop on topic Problem
I've been thinking about this but haven't come up with anything new yet.
DaLight has one of the biggest brains in the northern hemisphere, I wonder if he has any ideas? Over to you O educated one...
19 years 3 weeks ago #10529 by DaLight
Have you definitely removed the Webserver Machine account/Computer Object from the old domain?
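
One way to run the check DaLight asks about, as an added example that is not part of the original thread: it searches both domains for any account that carries the web server's name or its HOST/HTTP service principal names, which is the duplicate-account condition the KRB_AP_ERR_MODIFIED event text points at. The host name and domain names are placeholders, and the script assumes a workstation with the ActiveDirectory PowerShell module and read access to both domains.

```powershell
# Added example: find every account in either domain that claims the web
# server's identity. More than one hit means a client can be handed a service
# ticket encrypted with a password the real server does not hold.
Import-Module ActiveDirectory

$WebServer = 'WEBSRV01'                                  # placeholder host name
$Domains   = 'old.example.local', 'new.example.local'    # placeholder domain names

# Match the computer object by name, or any account (computer or service
# user) registering HOST/ or HTTP/ SPNs for the host, short name or FQDN.
$filter = "(|(&(objectCategory=computer)(cn=${WebServer}))" +
          "(servicePrincipalName=HOST/${WebServer})" +
          "(servicePrincipalName=HOST/${WebServer}.*)" +
          "(servicePrincipalName=HTTP/${WebServer})" +
          "(servicePrincipalName=HTTP/${WebServer}.*))"

$hits = foreach ($domain in $Domains) {
    Get-ADObject -Server $domain -LDAPFilter $filter `
        -Properties sAMAccountName, servicePrincipalName, pwdLastSet, whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            Domain          = $domain
            Account         = $_.sAMAccountName
            DN              = $_.DistinguishedName
            Created         = $_.whenCreated
            # pwdLastSet is a FILETIME; an old value marks the stale object.
            PasswordLastSet = [datetime]::FromFileTimeUtc([int64]$_.pwdLastSet)
            SPNs            = ($_.servicePrincipalName -join '; ')
        }
    }
}

# Oldest password first, so a leftover object sorts to the top.
$hits | Sort-Object PasswordLastSet | Format-List

$count = @($hits).Count
if ($count -gt 1) {
    Write-Warning "$count accounts match $WebServer across $($Domains -join ', '). Keep the one the server is joined to and remove or disable the rest."
} elseif ($count -eq 0) {
    Write-Warning "No account found for $WebServer; check the placeholder names."
}
```

The same script also catches an HTTP SPN registered on a service user account, which produces the same symptom when an application pool runs under a domain identity.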