Windows Auth in IIS does not work when browsing to the website on the server running IIS using a URL with an A record pointing to the IIS server

Question

I have a website that runs on IIS that uses windows authentication.

On the website level, under 'Authentication' I have only Windows Authentication (NTLM only as a provider) enabled.

On the virtual directory level, under 'Authentication', I have ASP.NET Impersonation and Windows Authentication (NTLM only as a provider) enabled. (Disabling ASP.NET Authentication here does not change anything)

The IP address of the server running IIS is: 172.0.0.10
The computer name of the server running IIS is: myiisserver
The FQDN on the server running IIS is: myiisserver.mydomain.com
A DNS 'A Record' exists to point 172.0.0.10: myapp.mydomain.com

On the website bindings, I have:

Type  |  IP Address      |  Port  |  Host Name
--------------------------------------------------------------
http  |  All Unassigned  |  80    |  localhost
http  |  All Unassigned  |  80    |  myiisserver
http  |  All Unassigned  |  80    |  myiisserver.mydomain.com
http  |  All Unassigned  |  80    |  myapp.mydomain.com

This is the only website that I have running on the IIS server.

The App Pool running the web site and the virtual directory is the same and uses 'NetworkService' as the identity.

On the IIS server and on other workstations in the network:

myiisserver is added to 'Trusted Sites'
myiisserver.mydomain.com is added to 'Trusted Sites'
myapp.mydomain.com is added to 'Trusted Sites'

On the trusted sites zone, Automatic logon using current user name and password is selected on the IIS server and other workstations.

On Internet Options -> Advanced, Enable Integration Windows Authentication was enabled on the IIS server and other workstations.

On other workstations in the network:

http://myiisserver works OK
http://myiisserver.mydomain.com works OK
http://myapp.mydomain.com works OK

On IIS server:

http://localhost works OK
http://myiisserver works OK
http://myiisserver.mydomain.com works OK
http://myapp.mydomain.com works DOES NOT WORK - Prompts for User name and password - Entering a user name and password that has access to the resources does not work and it continues to prompt for user name and password. Any suggestions to get this to work on the IIS server?

So that I make sure I understand the problem - `http://myapp.mydomain.com` is working for all/most workstations, except for one? — mfinni, Sep 16 '15 at 13:26
It works on all workstations except for the server running IIS. I've seen this happen in multiple customer environments. Want to know how we can make it work on the server running IIS as well. Thanks for your help! — slayernoah, Sep 17 '15 at 03:15
This is going to sound crazy, but when you ping http://myapp.mydomain.com, it responds how you expect? That is, 127.0.0.1? — jski, Sep 24 '15 at 23:00
Yup it did reposed I believe. That may have been because of the hosts file entry I had pointing that to 127.0.0.1. However even with that, IIS could not authenticate with ntlm when the request was coming from the IIS server to using that url. — slayernoah, Sep 25 '15 at 01:07
The current [post](https://serverfault.com/questions/722722/windows-auth-in-iis-does-not-work-when-browsing-to-the-website-on-the-server-run) has a very inclusive title while this [post](https://serverfault.com/questions/485006/why-cant-i-log-in-to-a-windows-protected-iis-7-5-directory-on-the-server) has a more generic, however both are suggesting the same solution, plus one more in the latter. — mchar, Jan 05 '21 at 13:46

score 5 · Accepted Answer · answered Sep 24 '15 at 22:22

Updating the registry key below on the server running IIS fixed the issue!

In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the site(s) that are on the local computer (i.e. myapp.mydomain.com), and then click OK.

Oh this solved my problem thank you – User2012384 Jun 09 '20 at 03:40 — User2012384, Jun 09 '20 at 03:40

score 0 · Answer 2 · edited May 18 '21 at 11:45

0

slayernoah's solution is working perfectly fine, but I want to add that above solution will work even if site is being browsed over Internet not just Intranet. Plus I didn't do any steps other than

Enable Windows Integrated Authentication on IIS website.
Add registry key and added Each Cname / Host on separate Line

This fixed and saved lot of time

edited May 18 '21 at 11:45

Andrew Schulman

8,561
21
31
47

answered May 15 '21 at 19:28

Naveed Zafar

1

Windows Auth in IIS does not work when browsing to the website on the server running IIS using a URL with an A record pointing to the IIS server

2 Answers2