Windows Authentication not working in IIS after adding Bindings.

Question

Windows Authentication not working in IIS after adding Bindings.

Inderpal Singh 1

I have a working website on current server that is in same domain where users are.
eg: serverName01.abc.com and website is website1.abc.com

now we are migrating the website to a new server this server is part of another domain but there is trust enabled b/w domains.

servername02.xyz.com and website name also will change to website2.xyz.com

the users are all still in abc\user1

Website is using windows authentication which works fine if I browse the website as http://localhost:80 (or some other port as well)

when I add website name as binding windows authentications stops.

I tried some solutions which require creating a multi-string value key named BackConnectionHostNames in regedit.
if i put in the website name it started working.... but stoped after a while (next day)... i again deleted and re created that key in regedit which again worked but stopped after a while.

is there a permanent solution to this please help.

Sam Wu-MSFT 7,561 Reputation points Microsoft External Staff

2020-11-27T03:01:35.857+00:00

@Inderpal Singh Please check whether anonymous authentication is enabled in the Authentication, If both anonymous and windows authentication is enabled in IIS, and if we don't have a deny entry or anonymous in the web config then the resources on the web server are accessed using anonymous authentication.
Inderpal Singh 1 Reputation point

2020-12-10T14:52:17.503+00:00

@Sam Wu-MSFT Sorry for being so late.... Only Windows Authentication is on with providers as Negotiate and NTLM..

Authentication works on localhost:90 (randomly used port 90 as default website takes port 80)
but when I add URL binding to website it keeps asking me for Credentials and fails after 3 attempts.

seems like some issue with cross domain authentication. I am not an expert in AD I have a little knowledge... but that dosent seems to be enough for solving this.

I have been stuck on this issue for a long time now, Any and all help will be highly appreciated.
MotoX80 36,291 Reputation points

2020-12-10T14:59:24.177+00:00

Look for logon failures in the Security eventlog. Look in the IIS logs for 401 entries when a user tries to connect. What do they show?

Change the site to use basic authentication and try to log in with Domain\Userid account. What error do you get with that?

Is the worker process set to run as as ApplicationPoolIdentity or are you using another account?

Is the url that the user browsing fully qualified? Ie; http://website.domain.com
Inderpal Singh 1 Reputation point

2020-12-10T15:36:22.153+00:00

I Disabled the windows authentication and enabled Basic authentication and the application is working now.

I will monitor for few more days and let you guys know if this solved the issue permanently.

Yes, the URL is a FQDN,

Thank you for the help.
Scott Willis 11 Reputation points

2022-10-31T19:34:52.887+00:00

Hi There - did you ever resolve this. I am having the exact same issues.
Thanks

2 answers

Your answer

Sam Wu-MSFT 7,561 Reputation points Microsoft External Staff

2020-11-27T03:01:35.857+00:00

@Inderpal Singh Please check whether anonymous authentication is enabled in the Authentication, If both anonymous and windows authentication is enabled in IIS, and if we don't have a deny entry or anonymous in the web config then the resources on the web server are accessed using anonymous authentication.
Inderpal Singh 1 Reputation point

2020-12-10T14:52:17.503+00:00

@Sam Wu-MSFT Sorry for being so late.... Only Windows Authentication is on with providers as Negotiate and NTLM..

Authentication works on localhost:90 (randomly used port 90 as default website takes port 80)
but when I add URL binding to website it keeps asking me for Credentials and fails after 3 attempts.

seems like some issue with cross domain authentication. I am not an expert in AD I have a little knowledge... but that dosent seems to be enough for solving this.

I have been stuck on this issue for a long time now, Any and all help will be highly appreciated.
MotoX80 36,291 Reputation points

2020-12-10T14:59:24.177+00:00

Look for logon failures in the Security eventlog. Look in the IIS logs for 401 entries when a user tries to connect. What do they show?

Change the site to use basic authentication and try to log in with Domain\Userid account. What error do you get with that?

Is the worker process set to run as as ApplicationPoolIdentity or are you using another account?

Is the url that the user browsing fully qualified? Ie; http://website.domain.com
Inderpal Singh 1 Reputation point

2020-12-10T15:36:22.153+00:00

I Disabled the windows authentication and enabled Basic authentication and the application is working now.

I will monitor for few more days and let you guys know if this solved the issue permanently.

Yes, the URL is a FQDN,

Thank you for the help.
Scott Willis 11 Reputation points

2022-10-31T19:34:52.887+00:00

Hi There - did you ever resolve this. I am having the exact same issues.
Thanks

Answer 1

I was able to resolve this by adding BackConnectionHostNames

Method 1: Disable the loopback check

Follow these steps:

Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Right-click Lsa, point to New, and then click DWORD Value.
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Quit Registry Editor, and then restart your computer.

Method 2: Specify host names

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Quit Registry Editor, and then restart the IISAdmin service.

Full reference : https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/896861

chicinho 0 Reputation points

2025-04-11T09:06:17.9366667+00:00

Thank you so much for sharing this post. I have lost several hours and I have tried everything. the only thing which worked was these registry settings. again thank you soooo much

Answer 2

JoyDutt 831

When you were trying on http://localhost - it was working as it was using the local admin credentials and you were logged in with admin rights.
Moving away from windows authentication and using basic authentication should help and resolve this. Ideally, later you may give a thought on security part.

Share via

Windows Authentication not working in IIS after adding Bindings.

2 answers

Your answer