Issue: =====For a website hosted on IIS 7, and having Basic and Windows Authentication both enabled we got the prompt for Basic Auth while browsing the site from IE 6. In other words IE 6 was not giving any precedence to Windows Auth over Basic Auth.
WWW-Authenticate: Basic realm="servername"
Now it is important to note here that the issue happened just on IE 6. The behavior has been documented here http://blogs.msdn.com/ie/archive/2006/03/15/552246.aspx, where it says
"Lastly, we've made a change to IE7 to ensure that if the server offers multiple authentication methods, Basic is chosen only if no other authentication methods are provided. In previous releases of IE, IE chose the first authentication method offered by the server"
So as expected we did not get the prompt on IE 7 and IE 8, since they silently used Windows Auth. It was application's requirement to have both authentication modes selected due to the requirement of the website.
While troubleshooting the issue, we found that the ApplicationHost.config file had the two modules for Windows Auth and Basic Auth listed in incorrect order. The order they were in was <add name="WindowsAuthenticationModule" lockItem="true" /> <add name="BasicAuthenticationModule" lockItem="true" /> We reversed the order as follows (Yes, Basic first) to fix the issue. <add name="BasicAuthenticationModule" lockItem="true" /> <add name="WindowsAuthenticationModule" lockItem="true" /> So it is processed as last in first out and sent to browser.