When you log on to Password Manager, you may be prompted for your user name and password multiple times, even if you enter the correct user name and password. This problem shows up with certain configurations of Internet Information Services 6.0.
Procedure of Kerberos authentication cannot be performed in certain scenarios
During Kerberos authentication, a domain controller that is running Windows 2000 or Windows Server 2003 grants tickets based on the Server Principle Name (SPN) of the Internet Information Services (IIS) Web server. In some cases, Kerberos authentication may fail with IIS returning an HTTP error 401.1, error 401.2, or error 401.3, for example:
* When Web sites have been isolated on a virtual directory level by configuring worker process identities as different domain accounts.
* When Integrated Windows authentication is used, and neither a WINS name nor a DNS name are used for the server running IIS, and you want to use a local user account or the Local Service account as a worker process identity. It fails because Active Directory does not trust these accounts.
* If the host header (Web site name) being requested differs from the NetBIOS name of the IIS computer.
If you are using Kerberos:
Use SetSPN.exe utility from the Windows 2000 Resource Kit to register Server Principle Name (SPN) of the Internet Information Services (IIS) Web server:
SetSPN -A HOST/www.domain.com qpm_service_account_name
In this sample command, www.domain.com <http://www.domain.com/> is the web server name and qpm_service_account_name is the name of the Password Manager service account. Use sAMAccountName or domain\sAMAccountName as the qpm_service_account_name parameter.
If you are not using Kerberos:
Remove Kerberos from the list of authentication providers in Internet Information Services 5.0 by using the following command:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders NTLM
Adsutil.vbs must be run by a member of the local Admins group on the Internet Information Services computer.
For more details see the following Microsoft articles:
TechNet article Forcing NTLM Authentication (IIS 6.0):
Microsoft Knowledge Base article 294382 Authentication may fail with 401.3 Error if Web sites Host Header differs from servers NetBIOS name:http://support.microsoft.com/kb/294382/
Microsoft Knowledge Base article 326985 HOW TO: Troubleshoot Kerberos-Related Issues in IIS:http://support.microsoft.com/kb/326985/
If Password Manager is installed on a Domain Controller, and the above command for SetSPN did not resolve the issue, complete the following:
1. Open IIS Manager
2. Locate the QPM Virtual Directory under Default Web Sites
3. Expand the Virtual Directory, and select the Admin Directory
4. Right- click and select Properties | Directory Security tab | Authentication and Access Control
5. Select Digest Authentication for Windows Domain Servers
Implementing Kerberos with IIS7.
In IIS 7 the registration of the SPN is not required, unless using a custom host header for the site, in which case the SPN would need to be set against the SERVER, not the service account.
See link below for additional information: