When accessing a web page in the OutSystems platform that requires Windows Integrated Authentication (WIA), you are not able to log in using Internet Explorer and/or Microsoft Edge. You are able to log in using other browsers (Chrome, Safari, Firefox, etc.).
The problem happens as follows:
- You are entering the correct username and password;
- When using another browser, you are able to log in at the first attempt;
- When using Internet Explorer and/or Microsoft Edge, the password is never accepted. After a few attempts, a 401 Unauthorized error message is presented.
This is a known issue caused by having the NEGOTIATE protocol enabled for Windows Integrated Authentication, and by trying to access with a computer that is either not connected to the same Windows domain as the servers running the OutSystems platform, or a computer with intermittent connectivity to said domain.
The NEGOTIATE protocol uses a Kerberos ticket for authentication. This requires that all computers involved (the client computer and the server) be able to communicate with the Windows domain controller. In situations where such communication is not possible (or does not make sense - e.g. external users) the NEGOTIATE protocol cannot be used.
By default, Internet Explorer and Microsoft Edge favor NEGOTIATE over NTLM for Windows Integrated Authentication, which means that an IIS server with the NEGOTIATE protocol active will cause this misbehavior.
Other browsers (Chrome, Safari, Firefox) usually don't have NEGOTIATE active, so they use NTLM by default, and authentication works.
The solution for this is typically to disable the NEGOTIATE protocol in IIS, so that NTLM is always used. In sporadic situations, or to confirm the problem, you may want to disable NEGOTIATE in the client workstation instead.
Solution: disable the NEGOTIATE protocol in IIS:
- Access IIS Manager;
- Expand <server> > Sites > Default Web Site;
- In the IIS group, choose Authentication;
- Click Windows Authentication. On the side bar, the Providers option shows up; if not, first activate Windows Authentication so that it shows up;
- Remove the NEGOTIATE provider;
- If you activated Windows Authentication in step 4, deactivate it again;
- Do an IISReset.
After performing the steps above, authentication should start working in Internet Explorer / Microsoft Edge.
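The same server-side change, scripted so it can be checked before and after, as an added example that is not part of the OutSystems article. It assumes the WebAdministration module (IIS 7.5 or later), an elevated session, and that the platform is served from the Default Web Site.

```powershell
# Added example: remove the Negotiate provider from Windows Authentication on
# the Default Web Site, the same change the IIS Manager steps above perform.
# Assumes the WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

$site      = 'Default Web Site'   # adjust if the platform runs under another site
$psPath    = 'MACHINE/WEBROOT/APPHOST'
$winAuth   = 'system.webServer/security/authentication/windowsAuthentication'
$providers = "$winAuth/providers"

function Get-WiaProviders {
    # Returns the provider names in the order IIS offers them in WWW-Authenticate
    (Get-WebConfigurationProperty -PSPath $psPath -Location $site `
        -Filter $providers -Name 'Collection') | ForEach-Object { $_.value }
}

# The providers list is readable whether or not Windows Authentication is
# enabled, so the script does not need to toggle it as the manual steps do.
$enabled = (Get-WebConfigurationProperty -PSPath $psPath -Location $site `
                -Filter $winAuth -Name 'enabled').Value
Write-Host "Windows Authentication enabled: $enabled"
Write-Host ("Providers before: " + ((Get-WiaProviders) -join ', '))

if ((Get-WiaProviders) -contains 'Negotiate') {
    Remove-WebConfigurationProperty -PSPath $psPath -Location $site `
        -Filter $providers -Name '.' -AtElement @{ value = 'Negotiate' }
}

# Verify: Negotiate must be gone and NTLM must remain, otherwise clients
# would be left with no Windows Integrated Authentication method at all.
$after = Get-WiaProviders
Write-Host ("Providers after:  " + ($after -join ', '))
if ($after -contains 'Negotiate') { throw 'Negotiate provider is still configured' }
if ($after -notcontains 'NTLM')   { throw 'NTLM provider is missing' }

# Apply the change to running worker processes, equivalent to the IISReset step.
iisreset
```

Removing Negotiate also removes Kerberos for domain-joined clients that were using it successfully, so the "Providers before" output is worth keeping as a record of the previous configuration.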
To confirm the problem (or as a client-side workaround), disable the NEGOTIATE protocol in the client workstation:
- Open the Registry Editor (Start > Run > regedit.exe);
- Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
- Locate the registry entry EnableNegotiate
- Change the value to 0
- Restart the client workstation.
After performing the steps above, authentication should start working in Internet Explorer / Microsoft Edge in the client workstation where the change was performed.
If you look into the HTTP communication for the scenario above, when authentication fails you will see an initial response from the server with the headers shown below:
Internet Explorer / Edge responds with something similar to the below (using Negotiate as protocol):
This is what causes the problem: NEGOTIATE will fail in scenarios where communication with the Windows domain controller is not possible.
Applies to all versions of OutSystems Platform running on .NET / IIS.