Recently I deployed a WCF service using NTLM transport authentication.
An issue arose when calling the service from a remote server where Kerberos authentication was not working correctly.
After contacting the infrastructure team, I was told to use NTLM and not Kerberos as the authentication provider.
By default, IIS uses Kerberos and NTLM for network authentication. It will choose Kerberos if the client is thought to support it, as in this case. Forcing IIS to use NTLM only is relatively simple.
First, open IIS to determine the website identifier. This can be done by navigating to the Websites folder:
The adsutil.vbs admin script can be used to set the authentication provider. The screenshot below illustrates:
Also, different virtual folders can have different NTAuthenticationProviders settings. For example, if only the virtual folder “HelloWorld” were to be modified, the command would be:
C:\>cscript c:\inetpub\adminscripts\adsutil.vbs //nologo SET "W3SVC/1/Root/HelloWorld/NTAuthenticationProviders" "NTLM"
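A check-change-verify sequence around the same setting, as an added example that is not part of the original post. It assumes site identifier 1, the HelloWorld folder and the adminscripts path used above; the restore value "Negotiate,NTLM" is the default documented in the Knowledge Base article linked below.

```batch
@echo off
rem Added example: record, change and read back NTAuthenticationProviders.
rem Assumed values (taken from the post): site identifier 1, folder HelloWorld.
setlocal
set ADSUTIL=c:\inetpub\adminscripts\adsutil.vbs
set NODE=W3SVC/1/Root/HelloWorld

rem 1. Record the current value before changing anything. If the property is
rem    not set at this node, it is inherited from a parent node, so the
rem    parent levels are queried as well.
echo --- before ---
cscript //nologo %ADSUTIL% GET "%NODE%/NTAuthenticationProviders"
cscript //nologo %ADSUTIL% GET "W3SVC/1/Root/NTAuthenticationProviders"
cscript //nologo %ADSUTIL% GET "W3SVC/NTAuthenticationProviders"

rem 2. Restrict this folder to NTLM only (the same command as in the post).
cscript //nologo %ADSUTIL% SET "%NODE%/NTAuthenticationProviders" "NTLM"

rem 3. Read the value back to confirm the change was written to the metabase.
echo --- after ---
cscript //nologo %ADSUTIL% GET "%NODE%/NTAuthenticationProviders"

rem To return this folder to Kerberos-with-NTLM-fallback later, set the
rem documented default value again:
rem   cscript //nologo %ADSUTIL% SET "%NODE%/NTAuthenticationProviders" "Negotiate,NTLM"
endlocal
```

Keeping the "before" output makes it possible to restore exactly what was configured once the Kerberos problem on the client side has been resolved.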
Related Knowledge Base: http://support.microsoft.com/kb/215383
Fri, Jul 3 2009 5:06 PM