I am having an odd issue. I am using the newest MVC5 in Visual Studio 2013. I am trying to create a site that hosts an anonymous API as well as an Admin dashboard that requires intranet domain credentials through Windows Authentication. Everything works when running through IIS Express like I expect but not when hosted in real IIS.
When hosted in real IIS it gives me a logon box like I expect for the Admin portion but it doesn't take my logon and keeps prompting me. I know it is the right username and password for sure. Any idea why this is happening?
I have Windows Authentication installed in Windows Features and turned on in IIS for the site and all that.
Below is my setup:

    [Authorize]
    public class DashboardController : Controller

    <appSettings>
      <add key="EnableSimpleMembership" value="false" />
    </appSettings>
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
    <location path="gsapi">
      <system.webServer>
        <security>
          <authentication>
            <anonymousAuthentication enabled="true"/>
            <windowsAuthentication enabled="true"/>
          </authentication>
        </security>
      </system.webServer>
    </location>
    <system.webServer>
      <validation validateIntegratedModeConfiguration="false" />
    </system.webServer>
There is a security feature that tries to intercept reflection attacks on your server. These attacks are basically "man in the middle" attacks where the attacker relays a challenge-response protocol between the two participating systems that are attempting to authenticate.
When your server is using hostnames mapped to the loopback address, the security feature that is trying to protect you against these attacks is not able to tell legitimate requests from fraudulent ones. The symptom is that all challenge-response attempts will fail.
Your choices are to specify host names in your registry or to disable the loopback check (not recommended).
The KB article that was linked in the comments gives specific instructions on what changes to make to work around this problem: http://support.microsoft.com/kb/896861
-- EDIT 8/31/2022 --
The original MSKB URL has expired by now, but fortunately, it was archived before that happened:
https://web.archive.org/web/20140212102642/http://support.microsoft.com/kb/896861
It reads:
There are two methods to work around this issue. Use one of the following methods, as appropriate for your situation.

Method 1: Specify host names (Preferred method if NTLM authentication is desired)

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

1. Set the DisableStrictNameChecking registry entry to 1. For more information, see the following article: 281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
2. Click Start, click Run, type regedit, and then click OK.
3. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
4. Right-click MSV1_0, point to New, and then click Multi-String Value.
5. Type BackConnectionHostNames, and then press ENTER.
6. Right-click BackConnectionHostNames, and then click Modify.
7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
8. Quit Registry Editor, and then restart the IISAdmin service.
Method 2: Disable the loopback check (less-recommended method)

The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key. To set the DisableLoopbackCheck registry key, follow these steps:

1. Set the DisableStrictNameChecking registry entry to 1. For more information, see the following article: 281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
2. Click Start, click Run, type regedit, and then click OK.
3. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
4. Right-click Lsa, point to New, and then click DWORD Value.
5. Type DisableLoopbackCheck, and then press ENTER.
6. Right-click DisableLoopbackCheck, and then click Modify.
7. In the Value data box, type 1, and then click OK.
8. Quit Registry Editor, and then restart your computer.
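The following PowerShell script is an added example, not part of the answer above or of the KB article it quotes. It applies Method 1 (the preferred one): it sets DisableStrictNameChecking, merges the given host names into the BackConnectionHostNames multi-string value under MSV1_0 without discarding entries that are already there, and restarts IISAdmin. It also reports whether DisableLoopbackCheck from Method 2 is already set to 1, since that switches the protection off for every host name rather than only the listed ones. Assumptions: it runs elevated on the IIS host; the two host names are constructed sample values; the registry path used for DisableStrictNameChecking (the LanmanServer Parameters key) is taken from KB 281308, which the page references but does not quote.

```powershell
# Added example: apply KB 896861 Method 1 with PowerShell instead of regedit.
# Not code from the original answer or the KB article.
param(
    # Constructed sample host names; replace with the names your sites actually answer on.
    [string[]]$HostNames = @('admin.intranet.example', 'gsapi.intranet.example')
)

$msv1Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'   # from the KB text above
$lsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'          # from the KB text above
# Assumption: DisableStrictNameChecking lives under the Server service parameters (KB 281308).
$lanmanPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Step 1 of both methods: DisableStrictNameChecking = 1 (DWORD).
New-ItemProperty -Path $lanmanPath -Name 'DisableStrictNameChecking' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Steps 3-7 of Method 1: merge with any names already present so an existing
# BackConnectionHostNames value is extended rather than overwritten.
$existing = @()
$prop = Get-ItemProperty -Path $msv1Path -Name 'BackConnectionHostNames' -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.BackConnectionHostNames) }

$merged = @($existing + $HostNames |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ -ne '' } |
    Sort-Object -Unique)

New-ItemProperty -Path $msv1Path -Name 'BackConnectionHostNames' `
    -PropertyType MultiString -Value $merged -Force | Out-Null
Write-Host "BackConnectionHostNames now contains: $($merged -join ', ')"

# Audit for Method 2: if DisableLoopbackCheck is already 1 the check is off globally,
# which is broader than the per-host-name allowance Method 1 grants.
$loopback = (Get-ItemProperty -Path $lsaPath -Name 'DisableLoopbackCheck' `
    -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($loopback -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set; consider removing it now that host names are listed explicitly.'
}

# Step 8 of Method 1: a service restart is enough, no reboot required.
Restart-Service -Name IISAdmin -Force
```

Run it once per server from an elevated PowerShell prompt, passing -HostNames for the names clients use to reach the site (the value the browser puts in the Host header, not the IP). If the IISAdmin service is not present on the host, an iisreset achieves the same restart.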