Duet client unable to connect to the Read Service via NTLM, but works with Basic Authentication

We had an issue where a Duet Client would fail to authenticate to the Duet Read Service with NTLM, but it would work if we enabled Basic Authentication. In the IIS logs, we could clearly see the 401 error. However, the error code in the logs did not lead to a clear explanation of what was wrong. Looking more closely with a Network Monitor trace, we could see the packet exchanges between the client and the server, and we could see the client send the NTLM authentication as expected. We did some checking around but did not find a setting that looked incorrect. To diagnose the problem further, we used the Authentication and Access Diagnostics toolkit. The toolkit quickly identified the problem. Here is a screenshot:

 

image

 

From this output you can see that when “AllowKeepAlive” is set to false on the virtual directory, NTLM fails. This setting is required for NTLM to work properly. To change it back, modify the setting in Internet Information Services (IIS) Manager:

image

 

If you are a command line person, you can also set the property with the following command:

 cscript adsutil.vbs set w3svc/2/AllowKeepAlive true

The “2” above is the number of the website.  Make sure you pick the correct site in IIS before running that command.

 

Once this is changed, NTLM connections should work, and the Duet client should once again connect properly.
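
Added example (not from the original post): NTLM over HTTP authenticates the TCP connection itself, so the server's 401 that carries the NTLM challenge has to leave the connection open for the client's final message. The Python below checks a response head copied out of a trace for that condition; the function names are hypothetical, the sample responses are constructed, and it assumes that disabled keep-alives appear in the trace as `Connection: close` on the challenge response.

```python
import base64

def parse_response(raw):
    """Return (http_version, status, headers) from one raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def is_ntlm_challenge(headers):
    """True if a WWW-Authenticate header carries an NTLM Type 2 (challenge) message."""
    for value in headers.get("www-authenticate", []):
        scheme, _, token = value.partition(" ")
        if scheme.upper() != "NTLM" or not token:
            continue  # bare "NTLM" is only the initial offer, not a challenge
        try:
            msg = base64.b64decode(token)
        except ValueError:
            continue
        if msg[:8] == b"NTLMSSP\x00" and int.from_bytes(msg[8:12], "little") == 2:
            return True
    return False

def connection_persists(version, headers):
    """HTTP/1.1 persists unless 'close'; HTTP/1.0 persists only with 'keep-alive'."""
    tokens = {t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")}
    if "close" in tokens:
        return False
    return version == "HTTP/1.1" or "keep-alive" in tokens

def broken_ntlm_handshake(raw_response):
    """True when a 401 NTLM challenge is sent on a connection the server will close."""
    version, status, headers = parse_response(raw_response)
    return status == 401 and is_ntlm_challenge(headers) and not connection_persists(version, headers)

# Constructed sample data: a minimal Type 2 message and two response heads.
CHALLENGE = base64.b64encode(b"NTLMSSP\x00" + (2).to_bytes(4, "little") + bytes(20)).decode()
BAD = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM " + CHALLENGE +
       "\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")
GOOD = BAD.replace("Connection: close\r\n", "")

if __name__ == "__main__":
    print("keep-alive off:", broken_ntlm_handshake(BAD), "| keep-alive on:", broken_ntlm_handshake(GOOD))
```

A `True` result for the challenge response in a trace points at the keep-alive setting rather than at credentials or the authentication provider list.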