It turns out that is your application pool is running under any other user besides “Network Service”, authenticating the user doesn’t work. The user will keep getting prompted with a login prompt regardless of whether correct credentials are supplied or not. At this point we downloaded and installed AuthDiag to
get a better idea what was going on. AuthDiag is a pretty slick tool that lets you troubleshoot authentication problems in IIS. It’s a definite must-have in any developer/infrastucture bod’s arsenal. AuthDiag came back with:

Service principal name (SPN) for user ‘<user>’ not found in Active Directory

which was the first time I’ve ever heard of an SPN. The reported user above was the user that the Application Pool was running under. (We had previously tried to make the AppPool user a Domain Admin and a Local Admin, but were still failing authentication.)

Anyway, some research on SPNs led to a couple of interesting articles:

• HOWTO: Troubleshoot Kerberos-Related Issues in IIS
• Service Logons Fail Due to Incorrectly Set SPNs
• Troubleshooting Kerberos Delegation

Turns out that an SPN is a unique identifier required for any service that makes use of Kerberos. The SPN is assigned to the account under which the service the SPN identifies is running. The problem is caused by the fact that IIS creates SPNs for itself on installation, but these only work for “Network Service” and “Local System”. In the end we had to create our own SPNs using the setspn command-line tool (under Support Tools)

Turns out there’s a KB Article that talks about this problem and it’s resolution (and a workaround -> turn off Kerberos): You receive an “HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials”
error message when you try to access a Web site that is part of an IIS 6.0 application pool