I'm building a simple internal application for my company, and it requires Windows Authentication for security. All other authentication modes are disabled. I'm stuck in a situation where Internet Explorer prompts for credentials 3 times, then fails with this error:
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
I then created a bare-bones website to test this out. I created a new site in IIS, put it on its own port (:8111, chosen at random), put one static "default.htm" file in there, disabled anonymous authentication, then enabled windows authentication. Everything else was left at default settings. The port number was assigned because we have multiple sites on this machine all sharing the same IP.
Here are a few scenarios:
Browsing from the web server itself, to http://localhost:8111/ works fine
Browsing from another computer, to http://ServerIPaddress:8111/ works fine
Browsing from another computer, to http://ServerName:8111/ FAILS (asks for credentials 3 times, then gives 401 error)
I've been searching online and trying to find a solution with no luck thus far. Either I haven't found it, or I don't understand well enough what I'm reading. Any help would be greatly appreciated.
Just worked out the solution with the help of a coworker after 2 days of fighting with this issue. Here is what he wrote:
There are 2 providers for Windows Authentication (Negotiate and NTLM). When setting the Website Authentication to Windows Authentication, while Windows Authentication is highlighted, click on the Providers link on the right pane of IIS Manager and move NTLM to the top. By default Negotiate is on top, which is why you are getting an authentication prompt.
Error 401.1 when you browse a Web site that uses Integrated Authentication.
Solution
Disable the loopback check
* In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
* Right-click Lsa, point to New, and then click DWORD Value.
* Type DisableLoopbackCheck, and then press ENTER.
* Right-click DisableLoopbackCheck, and then click Modify.
* In the Value data box, type 1, and then click OK.
http://support.microsoft.com/kb/896861
If it still does not work after moving NTLM to the top of the list of providers, try removing Negotiate completely so there is only NTLM left.
That fixed it for me - moving NTLM to the top did not help on Windows Server 2012 and IIS 8.5. I found the solution in the following Stack Overflow question: IIS 7.5 Windows Authentication Not Working in Chrome
I personally recommend NOT disabling the loopback check globally on your server (i.e. do NOT set DisableLoopbackCheck to a value of 1 in your registry). This is a security vulnerability. Please only disable for known hosts.
Here's a Powershell function to get you pointed in the right direction.
function Add-LoopbackFix
{
    param(
        [parameter(Mandatory=$true,position=0)] [string] $siteHostName
    )
    $ErrorActionPreference = "Stop"
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Write-Host "Adding loopback fix for $siteHostName" -NoNewLine
    # BackConnectionHostNames is a REG_MULTI_SZ; PowerShell reads it back as string[]
    $str = Get-ItemProperty -Name "BackConnectionHostNames" -Path $key -ErrorAction SilentlyContinue
    if ($str) {
        $names = @($str.BackConnectionHostNames)
        # exact, case-insensitive match: -like "*$siteHostName*" would also treat "Server"
        # as already present when the list only holds "ServerName"
        if ($names -contains $siteHostName)
        {
            Write-Host "`tAlready in place" -f Cyan
        } else {
            # append a new element; a "`n" inside the element would be stored literally
            # and the name would never match
            $names += $siteHostName
            Set-ItemProperty -Path $key -Name "BackConnectionHostNames" -Value $names -Type MultiString
            Write-Host "`tDone" -f Green
        }
    } else {
        New-ItemProperty -Path $key -Name "BackConnectionHostNames" -Value $siteHostName -PropertyType "MultiString" | Out-Null
        Write-Host "`tDone" -f Green
    }
    Write-Host "`tnote: we are not disabling the loopback check altogether, we are simply adding $siteHostName to an allowed list." -f DarkGray
}
> Add-LoopbackFix "ServerName"
Source
It's been a while since this question was asked, but I know numerous people run into it a lot. A more proper fix for this is described here: Kernel-mode authentication. We implemented this several months back, and it works fine.
Another good explanation here: MORE 2008 AND KERBEROS: AUTHENTICATION DENIED, APP POOL ACCOUNT BEING INGNORED
To apply to a single site:
cd %windir%\system32\inetsrv
set SiteName=TheSiteName
appcmd.exe set config "%SiteName%" -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:"True" /useAppPoolCredentials:"True" /commit:apphost
Or to apply to all sites:
%windir%\system32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useAppPoolCredentials:"True" /commit:apphost
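The answers above touch three separate settings: the global DisableLoopbackCheck bypass and the scoped BackConnectionHostNames list from KB896861, and the per-site useKernelMode / useAppPoolCredentials switches set with appcmd. The script below is an added example, not code from the question or from any of the answers, that audits all three for one site and one host name and offers the two remediations that do not weaken the server globally. It assumes an elevated PowerShell session on the IIS server with the WebAdministration module (IIS 7.5 and later); the site name and host name are placeholders, and the finding texts are this example's own wording.

```powershell
# Added example (not from the question or answers above). Assumes an elevated
# PowerShell on the IIS server with the WebAdministration module available.
Import-Module WebAdministration

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$WinAuth  = 'system.webServer/security/authentication/windowsAuthentication'

function Get-LoopbackCheckState {
    # Reads both KB896861 settings and reports what they mean for one host name.
    param([Parameter(Mandatory = $true)][string] $HostName)
    $global = (Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $allow  = @((Get-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
    [pscustomobject]@{
        HostName            = $HostName
        GlobalCheckDisabled = ($global -eq 1)              # method 2: every name accepted
        HostOnAllowList     = ($allow -contains $HostName) # method 1: only listed names
        AllowListedNames    = $allow
    }
}

function Get-SiteWindowsAuthState {
    # Reads the per-site windowsAuthentication section the appcmd lines change.
    param([Parameter(Mandatory = $true)][string] $SiteName)
    $psPath = "IIS:\Sites\$SiteName"
    $cfg = Get-WebConfiguration -Filter $WinAuth -PSPath $psPath
    # each <add value="Negotiate"/> / <add value="NTLM"/> under providers, in order
    $providers = @(Get-WebConfiguration -Filter "$WinAuth/providers/add" -PSPath $psPath | ForEach-Object { $_.value })
    [pscustomobject]@{
        SiteName              = $SiteName
        WindowsAuthEnabled    = [bool]$cfg.enabled
        UseKernelMode         = [bool]$cfg.useKernelMode
        UseAppPoolCredentials = [bool]$cfg.useAppPoolCredentials
        Providers             = $providers
    }
}

function Test-WindowsAuthForHostName {
    # Combines both states into a list of findings a reviewer would act on.
    param(
        [Parameter(Mandatory = $true)][string] $SiteName,
        [Parameter(Mandatory = $true)][string] $HostName
    )
    $lb   = Get-LoopbackCheckState -HostName $HostName
    $site = Get-SiteWindowsAuthState -SiteName $SiteName
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $site.WindowsAuthEnabled) {
        $findings.Add("Windows Authentication is not enabled on site '$SiteName'.")
    }
    if ($lb.GlobalCheckDisabled) {
        $findings.Add("DisableLoopbackCheck=1: the loopback check is off for every name on this server; remove it and list '$HostName' in BackConnectionHostNames instead.")
    }
    if (-not $lb.HostOnAllowList -and -not $site.UseKernelMode) {
        $findings.Add("'$HostName' is not in BackConnectionHostNames and the site does not use kernel-mode authentication; local requests by that name can still fail with 401.1.")
    }
    if ($site.UseKernelMode -and -not $site.UseAppPoolCredentials) {
        $findings.Add("Kernel-mode authentication decrypts tickets with the machine account; if the app pool runs as a domain account that holds the SPN, also set useAppPoolCredentials.")
    }
    if ($site.Providers.Count -gt 0 -and $site.Providers[0] -ne 'Negotiate') {
        $findings.Add("Provider order is '$($site.Providers -join ', ')': Kerberos is never offered, clients fall back to NTLM.")
    }
    [pscustomobject]@{ Loopback = $lb; Site = $site; Findings = $findings.ToArray() }
}

function Remove-GlobalLoopbackBypass {
    # Undoes KB896861 method 2 so only the scoped BackConnectionHostNames list applies.
    Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
}

function Enable-KernelModeAuth {
    # PowerShell equivalent of the single-site appcmd line above.
    param([Parameter(Mandatory = $true)][string] $SiteName)
    $psPath = "IIS:\Sites\$SiteName"
    Set-WebConfigurationProperty -Filter $WinAuth -PSPath $psPath -Name useKernelMode -Value $true
    Set-WebConfigurationProperty -Filter $WinAuth -PSPath $psPath -Name useAppPoolCredentials -Value $true
}

# Placeholder names; substitute the site from IIS Manager and the name users type.
$report = Test-WindowsAuthForHostName -SiteName 'TheSiteName' -HostName 'ServerName'
$report.Loopback | Format-List
$report.Site     | Format-List
$report.Findings | ForEach-Object { Write-Host "FINDING: $_" -ForegroundColor Yellow }
```

Run the audit before and after any change: registry edits under Lsa\MSV1_0 are read by LSA, so KB896861 has you restart the IISAdmin service (or the server) before retesting, and Set-WebConfigurationProperty against IIS:\Sites\<name> writes a location entry in applicationHost.config, which is the same commit target as /commit:apphost in the appcmd lines above.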