Today I came across an interesting issue that had me pulling my hair out (well it would have if I had any). I was troubleshooting a new internal web site which uses integrated security instead of anonymous. When browsing the site from my laptop, I was able to access it with no issues. But if I tried to hit it within a browser on the server or browsed directly from IIS, I encountered a login prompt that I couldn’t get past. Even with my domain admin credentials I could not get past the login prompt, and after three attempts I was met with a 401.1 which IIS told me was due to invalid credentials. But if my credentials were really invalid, why would it work just fine from my laptop with those same credentials?
After looking in the event logs, I found multiple entries for event ID 537 in the security log. Notice the odd characters listed for the Logon Process.
After doing quite a bit of digging through Google, I finally came across this article which explains that this behavior is actually caused by a security feature that was introduced with SP1 for Windows Server 2003. The cause of the errors is a loopback security check that was introduced in order to prevent reflection attacks. With this loopback check in place, you will be unable to authenticate to any site using windows authentication locally from the server.
Moving forward you have a couple of different options. You could perform all testing from somewhere other than the server so that you’ll never run into this issue. Personally, I like to be able to test my web sites directly from the server for various reasons which make the troubleshooting process a little easier in my opinion (detailed error messages, debugging, etc). In our environment, we never use Windows Authentication anywhere but our internal network which is well protected from outside users attempting to perform malicious attacks. Therefore I decided to just disable this security feature for the particular server I was troubleshooting this on. To do that, make the following changes to the registry and reboot the server to put them into effect.
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
That’s all there is to it. You’ll now be able to browse sites using integrated security directly from the server any time you need to.