Rick Strahl's Weblog
Rick Strahl's FoxPro and Web Connection Weblog
White Papers | Products | Message Board | News |

IIS Server Authentication and Loopback Restrictions


June 14, 2018 •

Here's a common problem I hear from user installing Web Connection and trying to test their servers from the same live server machine:

When logged into your Windows server, IIS Windows authentication through a browser does not work for either Windows Auth or Basic Auth using Windows user accounts. Login attempts just fail with a 401 error.

However, accessing the same site externally and logging in works just fine, using Windows log on credentials. It only fails when on the local machine.

Loopback Protection on Windows Server

In the past these issues only affected servers, but today I just noticed that on my local Windows install with Windows 10 1803 I also wasn't able to log in with Windows Authentication locally. As if it isn't hard enough to figure out which user id you need on Windows between live account and local account, I simply was unable to log in with any bloody credentials.

Servers have always had this 'feature' enabled by default to prevent local access attacks on the server (not quite sure what this prevents since you have to log in anyway, but whatever).

When attempting to authenticate on a local Web site using a Windows account using username and password always fails when this policy is enabled. For Web Connection this specifically affects the admin pages that rely on Windows authentication for access.

This problem is caused by a policy called Loopback Protection that is enabled on server OSs by default. Loopback Protection disables authenticating against local Windows accounts through HTTP and a Web browser.

For more info please see this Microsoft KB entry:
https://support.microsoft.com/en-us/kb/896861

Quick Fix: Disable Loopback Check

The work around is a registry hack that disables this policy explicitly.

Starting with Web Connection 6.21 and later you can run the following using the Console running as an Administrator:

c:\> console.exe disableloopbackcheck

To reverse the setting:

c:\> console.exe disableloopbackcheck off

To perform this configuration manually find this key in the registry on the server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

and edit or add a new key:

DisableLoopbackCheck (DWORD)

then sent the value to 1 to disable the loopback check (local authentication works), or to 0 (local authentication is not allowed).

Summary

Web Connection 6.21 isn't here yet as of the time of writing of this post, but in the meantime you can just use the registry hack to work around the issue.

Posted in: Web Connection    Security

Feedback for this Weblog Entry