Home
%3CLINGO-SUB%20id%3D%22lingo-sub-287868%22%20slang%3D%22en-US%22%3EHow%20to%20remove%20NEGOTIATE%20from%20IIS%20Windows%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-287868%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3EFirst%20published%20on%20MSDN%20on%20Mar%2026%2C%202018%20%3C%2FSTRONG%3E%3CBR%20%2F%3EI%20was%20assisting%20a%20customer%20just%20the%20other%20day%20who%20was%20having%20a%20dejavu%20of%20removing%20Negotiate%20from%20IIS%20Windows%20Authentication.%20After%20clicking%20the%20%22Remove%22%20button%2C%20if%20he%20restarted%20the%20machine%2C%20the%20Negotiate%20would%20reappear!%20%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20because%20the%20setting%20is%20by%20default%20locked.%20You%20need%20to%20do%20from%20the%20IIS%20Configuration%20Editor.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Here%20is%20how%20to%20do%20it%3A%20%3CBR%20%2F%3E%3CP%3EOpen%20IIS%20Manager%20(just%20type%20inetmgr.exe%20on%20your%20Start---%26gt%3BRun)%3C%2FP%3E%3CBR%20%2F%3E%3CP%3ESelect%20%22Configuration%20Editor%22%20under%20management%20%3CA%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2F2018%2F03%2Ffour.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20%3C%2FA%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60060iD54657750EDE5363%22%20%2F%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EChange%20the%20Section%20to%3CCODE%3E%0A%20%20%20%20system.webServer%2Fsecurity%2Fauthentication%2FwindowsAuthentication%0A%20%20%20%3C%2FCODE%3E%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60061i05414ADB04887751%22%20%2F%3E%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20Click%20on%20the%0A%20%20%20%3CCODE%3E%0A%20%20%20%20providers%0A%20%20%20%3C%2FCODE%3E%0A%20%20%20item%2C%20and%20then%20click%0A%20%20%20%3CCODE%3E%0A%20%20%20%20Edit%20Items%0A%20%20%20%3C%2FCODE%3E%0A%20%20%20on%20the%20right.%20Select%20the%20%22Negotiate%22%20item%20and%20click%20%22Remove%22%3A%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F60062i8CF6B7FD49D75EA1%22%20%2F%3E%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CP%3E%0A%20%20%20Click%20Apply%0A%20%20%3C%2FP%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20%3CBR%20%2F%3E%0A%20%20Alternately%2C%20you%20can%20do%20it%20from%20the%20command%20line%20as%20follows%3A%0A%20%20%3CBR%20%2F%3E%0A%20%20appcmd.exe%20set%20config%20%22Virtual%2Fpath%2Fto%2Fapplication%22%20-section%3Asystem.webServer%2Fsecurity%2Fauthentication%2FwindowsAuthentication%20%2F-%22providers.%5Bvalue%3D'Negotiate'%5D%22%20%2Fcommit%3Aapphost%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-287868%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20MSDN%20on%20Mar%2026%2C%202018%20I%20was%20assisting%20a%20customer%20just%20the%20other%20day%20who%20was%20having%20a%20dejavu%20of%20removing%20Negotiate%20from%20IIS%20Windows%20Authentication.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-287868%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eiis%20authentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ekerberos%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Enegotiate%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eturn%20off%20negotiate%20keberos%20ntlm%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft
First published on MSDN on Mar 26, 2018
I was assisting a customer just the other day who was having a dejavu of removing Negotiate from IIS Windows Authentication. After clicking the "Remove" button, if he restarted the machine, the Negotiate would reappear!

This is because the setting is by default locked. You need to do from the IIS Configuration Editor.

Here is how to do it:

Open IIS Manager (just type inetmgr.exe on your Start--->Run)


Select "Configuration Editor" under management



Change the Section to system.webServer/security/authentication/windowsAuthentication



Click on the providers item, and then click Edit Items on the right. Select the "Negotiate" item and click "Remove":



Click Apply




Alternately, you can do it from the command line as follows:
appcmd.exe set config "Virtual/path/to/application" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost