Troubleshooting Windows Authentication Failure in IIS 7.5 When Accessing Locally (Non-Localhost)


2 views

I recently encountered this exact scenario where Windows-integrated authentication worked perfectly for remote users but failed consistently when accessing the same protected directory directly on the server. Here's what I discovered through extensive troubleshooting:

The core issue stems from NTLM authentication's inherent security design. When you're:

  • Accessing the site from the server itself
  • Using the server's actual hostname (not localhost)
  • With Windows authentication enabled

The authentication request essentially makes a "loopback" which Windows security treats differently than remote requests.

Here are three approaches I've successfully implemented:

1. Enable Loopback Check Exemption

Create a registry key to bypass the security check:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001

Remember to restart the server after making this change.

2. Use Hosts File Entry

Add an entry to your hosts file that points the server name to 127.0.0.1:

127.0.0.1    yourservername
::1          yourservername

3. Configure SPN (Service Principal Name)

This is the most secure approach. Run this command as domain admin:

setspn -S HTTP/yourservername yourservername
setspn -S HTTP/yourservername.yourdomain.com yourservername

Before applying fixes, verify the problem using these PowerShell commands:

# Check current authentication providers
Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/windowsAuthentication -Name providers -PSPath IIS:\

# Verify SPN registration
setspn -L yourservername

# Check authentication traffic
netsh trace start scenario=NetConnection capture=yes tracefile=C:\temp\net.etl

Ensure your web.config includes these elements:

<configuration>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>

For IIS 7.5 specifically, you might need to disable kernel-mode authentication:

appcmd set config -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false /commit:apphost

Many IIS administrators encounter this puzzling scenario: Windows Authentication works perfectly when accessing the protected directory from remote machines, but fails when attempting to access the same resources directly on the server using the proper hostname (not localhost). This behavior occurs due to a fundamental Windows security mechanism called the "loopback check security feature."

Windows Server includes a security feature that prevents NTLM authentication requests when:

1. The request originates from the same machine
2. The request uses the machine name or FQDN (not localhost)
3. The authentication protocol is NTLM (even if Kerberos is preferred)

Option 1: Disable Loopback Check (Not Recommended for Production)

For development or testing environments, you can disable this security feature via registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001

Remember to restart the server after making this change.

Option 2: Add Hostname to BackConnectionHostNames (Recommended)

A safer alternative is to modify the BackConnectionHostNames registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"BackConnectionHostNames"=hex(7):6d,00,79,00,73,00,65,00,72,00,76,00,65,00,72,00,\
  2e,00,6d,00,79,00,64,00,6f,00,6d,00,61,00,69,00,6e,00,2e,00,63,00,6f,00,6d,\
  00,00,00,00,00

Replace the hex values with your actual hostname in Unicode format.

Option 3: Use Hosts File Entry (Quick Fix)

Add an entry to the hosts file as a temporary workaround:

127.0.0.1    myserver.mydomain.com
::1          myserver.mydomain.com

Check which protocols are enabled in IIS:

Get-ItemProperty "IIS:\Sites\Default Web Site" -Name ntAuthenticationProviders

To ensure Kerberos is preferred:

Set-ItemProperty "IIS:\Sites\Default Web Site" -Name ntAuthenticationProviders -Value @("Negotiate","Kerberos")

If using Kerberos, verify your SPN configuration:

setspn -L <serviceaccount>
setspn -S HTTP/myserver.mydomain.com <serviceaccount>

This ensures proper Kerberos ticket generation when accessing the site locally.

For Chrome/Edge, add the site to local intranet zones or configure auth settings:

chrome://flags/#allow-cross-origin-auth-prompt

For IE, ensure these settings are configured:

Internet Options > Security > Local Intranet > Sites > Advanced
Internet Options > Advanced > Security > Enable Integrated Windows Authentication

Enable failed request tracing in IIS to capture authentication failures:

<traceFailedRequests>
  <add path="*">
    <traceAreas>
      <add provider="WWW Server" areas="Authentication,Security" verbosity="Verbose" />
    </traceAreas>
    <failureDefinitions statusCodes="401" />
  </add>
</traceFailedRequests>