Windows Authentication Troubleshooting

If you’ve enabled Active Directory Synchronization and have synchronized but your users can’t log in, there are several potential causes, as described below.

Windows Authentication

Windows Authentication may not be enabled in IIS. 

To resolve this:

  1. Open IIS Manager
  2. Expand the left column and click on Default Web Site
  3. Double click on Authentication
  4. Click Windows Authentication
  5. Click Enable

Provider Order (IIS):

 

 1.) Go to Authentication

 2.) Make sure Windows Authentication is enabled.

 3.) Right click, hit providers and change the order to make sure NTLM is at the top. 

 

Unsuccessful Synchronization

 The synchronization may not have been successful and the user may not exist in the Intranet.

To resolve this:

  1. In the Intranet, go to Admin > Security > Find Logins
  2. Search for the username with Disabled Logins checked
  3. Did you find the user? If a user is found, you can correct it.
    • Disable AD Synchronization in Admin > Security > AD Synchronization
    • Find the user with the same username as above
    • Change the username and email address
    • (you may need to enable the user temporarily to complete this)
    • After that’s been saved, ensure the user is disabled and re-enable AD Synchronization
    • Click Sync Now
    • You should now be able to find the correct user.
  4. If the user wasn't found, check to see if any of your users were synchronized.
    • If no user was synchronized, check your AD Sync connection settings are correct and Test Connection is successful.
    • If one or a few weren’t synchronized, ensure they are part of one of the targets selected.
    • If not a part of a target, add another target to bring the additional account(s) in.
    • If part of a target but not synchronized, ensure the user has a first and last name with no additional spaces around the names and there is a valid email address and username specified in AD.

Incorrect Credentials

The credentials supplied may be incorrect.  The Intranet doesn't store the credentials for Windows Authentication; they're passed to the Domain Controller specified in the settings for verification.  Typically, this is following a password reset in AD.

To resolve this, Windows caches credentials, and it’s possible these need to be cleared -see the Microsoft article How to remove saved Windows Authentication.

If that doesn't work to clear the credentials and allow successful login, you may need to complete an additional step from Microsoft, as described in the LsaLookupSids function article.

 

User Profile Domains / Web Location

1.)  Go to admin home > security

2.) Click Search Login

3.) Look up user that is unable to login and make sure the highlighted area is correct

 

1.)  Go to admin home and scroll to the bottom of the page, make sure web location aligns with iis binding:

 

 

Related articles

Powered by Zendesk