Asp.net-mvc – Unable to get windows authentication to work through local IIS

asp.net-mvc, http-status-code-401, iis, ntlm, windows-authentication

So I've created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (e.g. <authentication mode="windows"/>).

If I fire up the web app using the VS webserver, it all looks fine – the page shows my Windows domain and username and all. However, this works in Opera and Safari as well as IE and FF, which says to me it's not using Windows auth at all (since to the best of my knowledge this doesn't work in any browser except IE/FF).

Next step is to get it working through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. So in IIS I create website with a binding to www.mysite.mydomain and enable Windows authentication and disable anonymous authentication.

I have set up IE and FF to enable Windows auth as follows:

IE

  1. Add URL to intranet group
  2. Ensure Windows auth is enabled in the advanced settings

FF

Put 'www.mysite.mydomain' into network.automatic-ntlm-auth.trusted-uris config setting.

But when I dial up www.mysite.mydomain in IE / FF I get a login prompt. Interestingly, even when I type in my Windows login here, it still fails and shows me the login prompt again.

We don't have active directory here but my understanding is that it should work fine with a local account.

I can't think of anything else I need to do. Any suggestions?

Edit: we've recently switched to using Active Directory and the problem remains.

Edit: when I cancel the login prompt, I get taken to an 'IIS 7.5 Detailed Error' page with the following information:

HTTP Error 401.2 – Unauthorized
You are not authorized to view this page due to invalid authentication headers.

Best Answer

You have to whitelist a domain specified in the hosts file in order for windows authentication to work:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  3. Right-click Parameters, click New, and then click DWORD (32-bit) Value.
  4. Type DisableStrictNameChecking and press ENTER.
  5. Double-click the DisableStrictNameChecking registry value, type 1 in the Value data box, and then click OK.
  6. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  7. Right-click MSV1_0, point to New, and then click Multi-String Value.
  8. Type BackConnectionHostNames, and then press ENTER.
  9. Right-click BackConnectionHostNames, and then click Modify.
  10. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  11. Quit Registry Editor, and then restart the IISAdmin service.

NOTE: The original Microsoft KB links on this answer were broken and have been removed. This article provided the instructions for setting DisableStrictNameChecking.
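
The registry steps in the answer above, scripted in PowerShell as an added example (not part of the original answer). The default host name is the one from the question; the merge with existing BackConnectionHostNames entries and the check for whether the IISADMIN service exists are assumptions of this example.

```powershell
# Added example, not from the original answer. Run from an elevated PowerShell session.
# $HostNames default is the hosts-file name used in the question; pass your own as needed.
param(
    [string[]]$HostNames = @('www.mysite.mydomain')
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$msv    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Steps 2-5: create DisableStrictNameChecking as a DWORD with value 1.
New-ItemProperty -Path $lanman -Name 'DisableStrictNameChecking' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Steps 6-10: BackConnectionHostNames is a multi-string value. Read what is
# already there so other sites on this machine are not dropped, then add ours.
$current = (Get-ItemProperty -Path $msv -Name 'BackConnectionHostNames' `
    -ErrorAction SilentlyContinue).BackConnectionHostNames

# Drop empty entries and duplicates (Sort-Object -Unique is case-insensitive,
# which matches how host names are compared).
$merged = [string[]](@($current) + $HostNames |
    Where-Object { $_ } |
    Sort-Object -Unique)

New-ItemProperty -Path $msv -Name 'BackConnectionHostNames' `
    -PropertyType MultiString -Value $merged -Force | Out-Null

# Read both values back so the change can be confirmed before testing the site.
$strict = (Get-ItemProperty -Path $lanman).DisableStrictNameChecking
$names  = (Get-ItemProperty -Path $msv).BackConnectionHostNames
Write-Output "DisableStrictNameChecking = $strict"
Write-Output "BackConnectionHostNames   = $($names -join ', ')"

# Step 11: restart the IISAdmin service. It is only present when that IIS
# component is installed, so check first instead of failing.
$svc = Get-Service -Name 'IISADMIN' -ErrorAction SilentlyContinue
if ($svc) {
    Restart-Service -Name 'IISADMIN' -Force
} else {
    Write-Warning 'IISADMIN service not found; restart IIS manually.'
}
```

Only the host names passed in are added to BackConnectionHostNames, so the list stays limited to sites that actually live on the local machine.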