Basic Auth may take precedence over Win Auth on IE 6 for a website hosted on IIS 7

For a website hosted on IIS 7 with both Basic and Windows Authentication enabled, we got the Basic Auth prompt while browsing the site from IE 6. In other words, IE 6 was not giving Windows Auth any precedence over Basic Auth.


We took some Fiddler traces and noticed that Basic auth was returned first in the list of authentication headers sent by the IIS 7 server, like below.

WWW-Authenticate: Basic realm="servername"

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

It is important to note that the issue happened only on IE 6. The behavior is documented here, where it says:

"Lastly, we've made a change to IE7 to ensure that if the server offers multiple authentication methods, Basic is chosen only if no other authentication methods are provided. In previous releases of IE, IE chose the first authentication method offered by the server"

So, as expected, we did not get the prompt on IE 7 and IE 8, since they silently used Windows Auth. Both authentication modes had to stay enabled because the application required them.

While troubleshooting the issue, we found that the ApplicationHost.config file listed the two modules for Windows Auth and Basic Auth in the wrong order.

The order they were in was:

<add name="WindowsAuthenticationModule" lockItem="true" />
<add name="BasicAuthenticationModule" lockItem="true" />

We reversed the order as follows (yes, Basic first) to fix the issue:

<add name="BasicAuthenticationModule" lockItem="true" />
<add name="WindowsAuthenticationModule" lockItem="true" />

The module list is processed last in, first out, so the module listed last produces the first WWW-Authenticate header sent to the browser. With Windows Auth last, Negotiate and NTLM are offered before Basic, and a first-challenge-wins client such as IE 6 no longer falls back to Basic.
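To make the cause and the fix concrete, here is an added Python model (not code from the original post or from IIS) of what the trace and the configuration change show: it parses the WWW-Authenticate challenges out of a 401 response, predicts the challenge order from the module order in ApplicationHost.config using the last-in-first-out rule the post reports, and applies the two client rules the post describes (IE 6 takes the first challenge; IE 7+ takes Basic only when nothing else is offered). The 401 response is a constructed sample, the module-to-scheme mapping is taken from the headers in the trace rather than from IIS internals, and the assumption that IE 7 picks the first non-Basic scheme is mine, since the post does not say how it ranks the remaining schemes. The `basic_offered_first` check is the audit a defender would run against their own server: if Basic precedes Negotiate/NTLM, a legacy first-challenge-wins client will send credentials Base64-encoded rather than via Windows Auth.

```python
"""Model of the IIS 7 / IE 6 authentication-order problem (added example).

Assumptions: constructed 401 samples; client rules modelled from the post;
module-to-scheme mapping taken from the post's Fiddler trace; LIFO module
processing modelled from the post's statement, not from IIS source.
"""
from typing import Dict, List

# Schemes each IIS module emits (assumption: from the headers seen in the trace).
MODULE_SCHEMES: Dict[str, List[str]] = {
    "BasicAuthenticationModule": ["Basic"],
    "WindowsAuthenticationModule": ["Negotiate", "NTLM"],
}


def parse_www_authenticate(raw_response: str) -> List[str]:
    """Return the scheme names of all WWW-Authenticate headers, in wire order."""
    schemes: List[str] = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            # The scheme is the first token; Basic also carries realm="..."
            schemes.append(value.strip().split()[0])
    return schemes


def headers_for_module_order(module_order: List[str]) -> List[str]:
    """Predict the WWW-Authenticate order from the ApplicationHost.config
    module order. The post reports the list is processed last in, first out,
    so the modules are walked in reverse (assumption: model of that claim)."""
    schemes: List[str] = []
    for module in reversed(module_order):
        schemes.extend(MODULE_SCHEMES.get(module, []))
    return schemes


def choose_scheme(schemes: List[str], client: str) -> str:
    """Scheme a client picks from the offered challenges.
    'ie6': first challenge offered (legacy behaviour quoted in the post).
    'ie7': Basic only if nothing else is offered; otherwise the first
           non-Basic challenge (assumption about how IE 7 ranks the rest)."""
    if not schemes:
        raise ValueError("no WWW-Authenticate challenge in response")
    if client == "ie6":
        return schemes[0]
    if client == "ie7":
        non_basic = [s for s in schemes if s.lower() != "basic"]
        return non_basic[0] if non_basic else schemes[0]
    raise ValueError(f"unknown client model: {client}")


def basic_offered_first(schemes: List[str]) -> bool:
    """Audit check: True when Basic is offered ahead of a stronger scheme,
    i.e. a first-challenge-wins client would choose Basic."""
    lowered = [s.lower() for s in schemes]
    if "basic" not in lowered:
        return False
    i = lowered.index("basic")
    return any(s != "basic" for s in lowered[i + 1:])


# Constructed 401 response reproducing the header order from the post's trace.
RESPONSE_BEFORE_FIX = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    'WWW-Authenticate: Basic realm="servername"\r\n'
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

BROKEN_MODULE_ORDER = ["WindowsAuthenticationModule", "BasicAuthenticationModule"]
FIXED_MODULE_ORDER = ["BasicAuthenticationModule", "WindowsAuthenticationModule"]


if __name__ == "__main__":
    seen = parse_www_authenticate(RESPONSE_BEFORE_FIX)
    print("challenges on the wire:", seen)
    print("IE 6 picks:", choose_scheme(seen, "ie6"), "| IE 7 picks:", choose_scheme(seen, "ie7"))
    print("Basic offered before a stronger scheme?", basic_offered_first(seen))
    for label, order in (("broken", BROKEN_MODULE_ORDER), ("fixed", FIXED_MODULE_ORDER)):
        predicted = headers_for_module_order(order)
        print(f"{label} module order -> {predicted}; IE 6 picks {choose_scheme(predicted, 'ie6')}")
```

Run it as-is to see the IE 6 choice flip from Basic to Negotiate once the module order is reversed; point `parse_www_authenticate` at a real 401 captured from your own server (Fiddler or `curl -i`) to confirm the order it actually sends.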