Windows Authentication not working on local IIS 7.5. Error 401.1

PeteWiFi picture PeteWiFi · Jul 4, 2013 · Viewed 32.6k times · Source

I recently had a nasty issue getting Windows Authentication to work on a local instance of IIS 7.5 (Windows 7 Pro) to an ASP.net 4.0 site. I followed the basic steps.

IIS Authentication

  • Disable Anonymous Authentication
  • Enable Windows Authentication

Edit web.config

<authentication mode="Windows" />

This did a nice job of enabling Windows Authentication but every attempt to login was rejected and ultimately returned a 401.1 error. This is where the problem started. There appear to be many reasons for this that are well documented around the web including here on Stack Overflow.

I'd tried:

  • Editing IIS Authentication 'Advanced settings' for Windows Authentication to disable Extended Protection and Kernel-mode authentication
  • Editing IIS Authentication 'Providers' to move NTLM above Negotiate.
  • Editing IIS .NET Authorization Rules to explicity Allow users (and various other combinations).
  • Various IIS command line scripts and tweaks.
  • Various config tweaks in web.config file.
  • Even some file system permissions tweaks.

But all to no avail, the dreaded 401.1 remained.

This really is a case of "can't see the wood for the trees". None of the solutions I managed to find (call it a case of bad search parameters if you will) worked for me so I thought it worth posting this question to, hopefully, provide a clear answer that's easier to find for anyone suffering the same issue.

Answer

PeteWiFi picture PeteWiFi · Jul 4, 2013

The issue here is that modern versions of Windows (Windows XP SP2, Windows Server 2003 SP1 and up) include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

This can be resolved by either explicitly specifying host names or by disabling the loopback check. Obviously the former being the more controlled approach.

  1. Set the DisableStrictNameChecking registry entry to 1. See: 281308 (Note: This should be unnecessary for Windows Server 2008/Vista and later)
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  7. Quit Registry Editor, and then restart the IISAdmin service.

Full details of how do to this can be found on MSDN: 896861

Hope this helps someone out. If you have any alternate suggestions or improvements please add.