Windows authentication to IIS on local server with fully qualified url
I was trying to do the same thing. Access a web site on the local IIS using a FQDN and kept getting told where to go by IIS.
Anyways, from my digging, you have to disable the loopback check for local IIS websites.
See the following Microsoft support page.
In the event the page goes missing, I did the following (which is what he recommends in the above blog post):
- Open up the registry editor by typing regedit under Run.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Right-click MSV1_0 and click New and choose to make it a Multi-String Value.
- Enter BackConnectionHostNames as name for the entry, and double-click it to modify it.
- Type the hostnames you need to use (code-journey.com for instance).
- Restart IISAdmin Service (“Start” -> “Administrative Tools” -> “Services”)
Hope this helps.
cmb..
This is due to a security feature known as LoopbackCheck.
Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"
http://support.microsoft.com/kb/926642
There are two resolutions:
Method 1 (recommended): Create the Local Security Authority host names that can be referenced in an NTLM authentication request. To do this, follow these steps for all the nodes on the client computer:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Right-click MSV1_0, point to New, and then click Multi-String Value.
- In the Name column, type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the CNAME or the DNS alias that is used for the local shares on the computer, and then click OK.
Note: Type each host name on a separate line.
Note: If the BackConnectionHostNames registry entry exists as a REG_DWORD type, you have to delete the BackConnectionHostNames registry entry.
- Exit Registry Editor, and then restart the computer.
Method 2: Disable the authentication loopback check by setting the DisableLoopbackCheck registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1. To set the DisableLoopbackCheck registry entry to 1, follow these steps on the client computer:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Exit Registry Editor.
- Restart the computer.
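The two registry procedures above (and the equivalent steps in the first answer) as an added PowerShell example; this is not code from the KB article or from either answer. It automates Method 1 (a REG_MULTI_SZ BackConnectionHostNames listing only the names you need, deleting a wrong-type REG_DWORD entry first as the KB note requires), keeps Method 2 as a separate, clearly marked fallback, and ends with a check you can run against the site. The hostnames, the site URL and the function names are assumptions; run it from an elevated PowerShell session on the IIS host. The practitioner's caveat: Method 1 is the one the KB recommends because it only exempts the names you list, whereas DisableLoopbackCheck=1 switches the loopback check off for every name, so prefer Method 1 unless you have a reason not to.

```powershell
# Added example (not part of KB 926642 or the answers above).
# Assumed inputs: replace with the FQDNs/CNAMEs your IIS site is bound to.
$hostNames = @('code-journey.com', 'intranet.example.local')

$msv       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'BackConnectionHostNames'

# Method 1 (recommended): add the given names to BackConnectionHostNames (REG_MULTI_SZ).
function Set-BackConnectionHostNames {
    param([Parameter(Mandatory)][string[]]$HostName)

    $key     = Get-Item -Path $msv
    $current = @()
    if ($key.GetValueNames() -contains $valueName) {
        if ($key.GetValueKind($valueName) -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
            # KB note: an existing entry of the wrong type (e.g. REG_DWORD) must be deleted
            # before the multi-string value can be created.
            Remove-ItemProperty -Path $msv -Name $valueName
        }
        else {
            $current = @($key.GetValue($valueName))
        }
    }

    # Merge old and new names, one host per line of the multi-string, without duplicates
    # (Sort-Object -Unique is case-insensitive, which matches hostname semantics).
    $merged = @(($current + $HostName) |
        ForEach-Object { $_.Trim() } |
        Where-Object  { $_ } |
        Sort-Object -Unique)

    New-ItemProperty -Path $msv -Name $valueName -PropertyType MultiString `
                     -Value $merged -Force | Out-Null
    return $merged
}

# Method 2 (fallback, less safe): disables the loopback check for ALL hostnames.
function Disable-LoopbackCheck {
    New-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' -PropertyType DWord `
                     -Value 1 -Force | Out-Null
}

# Show what is currently configured, so you can see which method is in effect.
function Get-LoopbackConfig {
    $key   = Get-Item -Path $msv
    $names = if ($key.GetValueNames() -contains $valueName) { @($key.GetValue($valueName)) } else { @() }
    $dlc   = (Get-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue).DisableLoopbackCheck
    [pscustomobject]@{
        BackConnectionHostNames = $names
        DisableLoopbackCheck    = [int]($dlc -eq 1)
    }
}

# Request the site with the logged-on user's Windows credentials from the server itself.
# A 401 here, after the names were added, means the change has not taken effect yet.
function Test-SiteAuth {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        return $r.StatusCode
    }
    catch {
        return $_.Exception.Message
    }
}

Set-BackConnectionHostNames -HostName $hostNames
Get-LoopbackConfig

# KB 926642 says to restart the computer; the first answer reports that restarting
# the IISAdmin service was enough for the change to take effect. Uncomment as appropriate:
# Restart-Service -Name IISADMIN -Force
# Restart-Computer

Test-SiteAuth -Url "http://$($hostNames[0])/"   # assumed URL; expect 200 once the check passes
```

Only call Disable-LoopbackCheck if Method 1 does not solve your case; if you do, Get-LoopbackConfig will show DisableLoopbackCheck = 1 so you can find and revert it later.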
I can tell you, based on some experience setting up SSO, that IE will automatically pass a kerberos ticket for logon only if the site and client are on the intranet together, or if the site is in the trusted zone. If IE sees http://site.company.com/webservice it will assume that the site is on the internet and will not pass credentials for logon.
There's some useful information at this link regarding IIS, IE, and Kerberos. http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx
Two things we found that work for allowing the FQDN on the intranet are providing the web server with a certificate and using SSL, or adding it to the Trusted Zone.
Hope this helps in relation to your setup.
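An added PowerShell example (not from the answer above) for the zone-mapping side of that answer: a dotted name such as site.company.com is placed in IE's Internet zone unless it is explicitly mapped, so this maps the FQDN into the Local Intranet zone (1) or Trusted Sites zone (2) for the current user, and then queries Active Directory for an HTTP service principal name for the host, since without an SPN the browser falls back to NTLM rather than Kerberos. The hostname, scheme and function names are assumptions; setspn.exe is the standard domain tool and must be available on the machine. Note that if a Site to Zone Assignment List is pushed by Group Policy, per-user mappings are ignored and the mapping has to be made there instead.

```powershell
# Added example (not part of the original answer). site.company.com is the answer's placeholder.
$fqdn = 'site.company.com'

# Map an FQDN to an IE security zone for the current user.
# Registry layout: ZoneMap\Domains\<domain>\<host> with a DWORD named after the scheme.
function Add-IeZoneMapping {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [ValidateSet(1, 2)][int]$Zone = 1,                   # 1 = Local Intranet, 2 = Trusted Sites
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    $base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $parts    = $Fqdn.Split('.')
    $domain   = ($parts | Select-Object -Last 2) -join '.'      # company.com
    $hostPart = ($parts | Select-Object -SkipLast 2) -join '.'  # site (empty for a two-label name)

    $key = Join-Path $base $domain
    if ($hostPart) { $key = Join-Path $key $hostPart }

    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    return $key
}

# Ask the domain whether an HTTP SPN exists for the name; without one, Kerberos cannot be used.
function Test-HttpSpn {
    param([Parameter(Mandatory)][string]$Fqdn)
    $out = & setspn.exe -Q "HTTP/$Fqdn" 2>&1
    return [bool]($out -match 'Existing SPN found')
}

# Intranet zone over HTTPS, matching the answer's "certificate and SSL" option.
Add-IeZoneMapping -Fqdn $fqdn -Zone 1 -Scheme 'https'

if (-not (Test-HttpSpn -Fqdn $fqdn)) {
    Write-Warning "No HTTP/$fqdn SPN found; IE will negotiate NTLM instead of Kerberos."
}
```

The zone mapping applies to new browser sessions; the SPN check only tells you whether Kerberos is possible, not whether the application pool identity is the account the SPN is registered to, which the linked blog post covers.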