
IIS, new site binding rejects Windows credentials


I have a web application in IIS that needs to authenticate the user using Windows Authentication. This normally works fine, but when I attempt to introduce a new site binding, the authentication stops working.

The application currently runs on the local dev clients, but the site binding is based on a certificate with an "Issued to" name that matches the local computer name. Applications running under this site that require Windows authentication run fine.

*:8445 (https) - binding certificate: devclientXXX.domain.com

For various reasons we want to replace that binding with an alias common to all dev clients, i.e. dev-localhost. So I get a new certificate and set up a new binding, so we have these:

*:8445 (https) - binding certificate: devclientXXX.domain.com

*:443 (https) - binding certificate: dev-localhost

The new site binding allows me to browse resources available with Anonymous Authentication.

However, when attempting to browse Windows Authentication resources, my credentials are rejected: In Chrome I get prompted repeatedly to enter my credentials without these being accepted.

Meanwhile, browsing using the original binding works just as before with my Windows credentials accepted without any prompt to enter them anew.

As far as I can tell, the two bindings only differ in the selected certificate.

Does anyone have any suggestion as to what might be the cause of this problem?

-S


Solution

  • I refined my Google queries and found this:

    https://serverfault.com/questions/722722/windows-auth-in-iis-does-not-work-when-browsing-to-the-website-on-the-server-run

    This prompted me to modify the registry to add the following:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

    (Multi-String Value) BackConnectionHostNames = dev-localhost

    This actually solved my problem!

    Edit: Here's a PowerShell snippet for doing exactly that.

    $hostName = "dev-localhost"
    $keyPath  = "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0"

    # Read the current multi-string value; it is $null if the value has not been created yet
    $value = (Get-ItemProperty $keyPath -ErrorAction SilentlyContinue).BackConnectionHostNames

    if (-not ($value | Where-Object { $_ -eq $hostName }))
    {
        # Force array context so a $null or single-string value still ends up as a REG_MULTI_SZ list
        $value = @($value | Where-Object { $_ }) + $hostName

        $item = New-ItemProperty $keyPath -Name "BackConnectionHostNames" -Value $value -PropertyType MultiString -Force
    }
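
As an added example (not part of the original answer), here is a PowerShell check that reports, for each host name used to reach a local IIS site, whether a Windows Authentication request from the same machine will pass the LSA loopback check: the name matches the computer name, it is listed in BackConnectionHostNames, or the check has been switched off entirely with the DisableLoopbackCheck value under the Lsa key. The registry paths are the ones from the answer above; the host names passed in at the bottom are constructed sample input.

```powershell
# Added example: audit the loopback-check configuration for host names used to reach local IIS sites.
# Assumes the MSV1_0 path from the answer above; the host names at the bottom are constructed samples.
$lsaPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$msv10Path = Join-Path $lsaPath "MSV1_0"

function Get-LoopbackAuditReport {
    param(
        [Parameter(Mandatory)][string[]]$HostNames
    )

    # Explicitly allowed names (may be $null if the value was never created)
    $allowed  = @((Get-ItemProperty $msv10Path -ErrorAction SilentlyContinue).BackConnectionHostNames)
    # DisableLoopbackCheck = 1 turns the check off for every name, which is broader than needed
    $disabled = (Get-ItemProperty $lsaPath -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $machine  = $env:COMPUTERNAME

    foreach ($name in $HostNames) {
        # Compare the first DNS label against the computer name (devclientXXX.domain.com -> devclientXXX)
        $shortName = ($name -split '\.')[0]

        $status =
            if ($disabled -eq 1)              { 'OK (DisableLoopbackCheck=1: check disabled for all names)' }
            elseif ($shortName -ieq $machine) { 'OK (matches computer name)' }
            elseif ($allowed -contains $name) { 'OK (listed in BackConnectionHostNames)' }
            else                              { 'FAIL (add to BackConnectionHostNames)' }

        [pscustomobject]@{ HostName = $name; Status = $status }
    }
}

# Constructed sample: the two names from the question plus one alias that is not configured
Get-LoopbackAuditReport -HostNames @("devclientXXX.domain.com", "dev-localhost", "intranet-alias") |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the dev client after applying the answer's registry change; the report should show dev-localhost as listed. Adding names to BackConnectionHostNames is preferable to setting DisableLoopbackCheck to 1, because it scopes the exception to the aliases you actually use instead of removing the check for every name that resolves to the machine.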