Strategy user login modes allow both Standard Authentication and NT authentication. Both Standard and NT authentication can work as long as the IIS authentication mode is only configured with "Integrated Windows authentication" but does not allow "Anonymous Access."
If Standard authentication users are external users outside of the network, Anonymous Access must be configured in IIS in order for those external users to login and browse through Web application resources with an IUSR account. However, allowing "Anonymous Access" will disable Strategy NT authentication.
In IIS, once Anonymous Access is configured, any web user will take an IUSR_machine_name account first as designed in IIS, so it will work for Standard Authentication users. However, Strategy NT authentication will fail to login since IIS will not pass the user's NT login ID which comes from the Strategy Login process. In this scenario, the NT authentication user will experience the following error:
Error in login
You cannot login as Windows User. Please ask the Strategy Server Administrator to link this Windows User account to a Strategy Server User or ask them to set the Web Server properly.
Therefore, "Anonymous Access" must be unchecked in IIS for Strategy NT authentication mode.
Note: If both the NT and Standard Authentication user group are under the same domain or do not need to use Anonymous Access in IIS, both NT and Standard authentication mode will work without error.
