Why can't I log in to a Windows-protected IIS 7.5 directory on the server?
You are almost certainly running into the Windows loopback check that was introduced with IIS 5.1. This is a security feature to avoid certain types of reflection attacks against the system.
Microsoft has a KB article describing workarounds. They basically boil down to modifying the registry to either disable the loopback check, or to allow certain hostnames (e.g. your local host name or site name) to back-connect.
You can quickly disable the check via PowerShell:
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value "1" -PropertyType dword
Below are Microsoft's official instructions. Note that although the below instructions indicate a reboot, I've found that IE usually picks up the change right away.
Method 1: Specify host names (Preferred method if NTLM authentication is desired)
- Set the DisableStrictNameChecking registry entry to 1.
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
- Quit Registry Editor, and then restart the IISAdmin service.
Method 2: Disable the loopback check (less-recommended method)
- Set the DisableStrictNameChecking registry entry to 1.
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
Addendum:
To set the DisableStrictNameChecking registry entry to 1:
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
- Right-click Parameters, point to New, and then click DWORD Value.
- Type DisableStrictNameChecking, and then press ENTER.
- Right-click DisableStrictNameChecking, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
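A scripted form of Method 1, as an added example that is not part of the original answer or of Microsoft's instructions: it merges host names into BackConnectionHostNames without overwriting existing entries, and reports whether the broader DisableLoopbackCheck override is present. The host names are constructed placeholders, and the script is assumed to run in an elevated PowerShell session.

```powershell
# Added example: set BackConnectionHostNames (Method 1) from PowerShell.
# Run from an elevated session. Host names are constructed placeholders;
# replace them with the names of the sites hosted on this computer.
$hostNames = @('intranet.example.local', 'webserver01')

$msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'BackConnectionHostNames'

# Read any existing entries so they are merged rather than replaced.
$current  = Get-ItemProperty -Path $msvKey -Name $name -ErrorAction SilentlyContinue
$existing = @()
if ($current) { $existing = @($current.$name) }

# Host names are case-insensitive; Sort-Object -Unique de-duplicates that way.
$merged = @($existing) + @($hostNames) |
    Where-Object { $_ } |
    Sort-Object -Unique

# -Force overwrites the value if it already exists, keeping it REG_MULTI_SZ.
New-ItemProperty -Path $msvKey -Name $name -PropertyType MultiString `
    -Value ([string[]]$merged) -Force | Out-Null

Write-Output "BackConnectionHostNames now contains:"
(Get-ItemProperty -Path $msvKey -Name $name).$name | ForEach-Object { "  $_" }

# Report (do not change) the global override from Method 2, so it is visible
# when the per-host list was meant to be the only exception.
$loop = Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' `
    -ErrorAction SilentlyContinue
if ($loop -and $loop.DisableLoopbackCheck -eq 1) {
    Write-Warning "DisableLoopbackCheck is set to 1: the loopback check is off for all host names."
} else {
    Write-Output "DisableLoopbackCheck is not enabled; only the listed host names may back-connect."
}

# Final step from Method 1: restart the IISAdmin service if it is installed.
if (Get-Service -Name 'IISADMIN' -ErrorAction SilentlyContinue) {
    Restart-Service -Name 'IISADMIN' -Force
}
```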