Solving single sign-on with Windows Authentication in IIS

To make Windows Authentication and single sign-on work locally on your development machine you need to follow a few steps.

Step 1 – Windows Authentication

The first step is to disable all other authentication methods in IIS and enable only Windows Authentication. You will now be prompted to authenticate, but if you try to log in you will notice that it only works if you have an “intranet domain”, that is, a domain without any periods in it. If your domain is e.g. “myproject.local”, the login will be refused even if you enter the correct credentials (step 2 solves this).

Step 2 – Loopback check

The reason domains with periods don’t work is that Windows has a loopback security check that is supposed to prevent “reflection attacks”.

There are two ways to disable this loopback check: either disable it altogether or add your domain to a whitelist. The latter is of course the safer option, but it can get tiresome if you work with a lot of intranet sites (and you will probably forget it by next time). For a development machine I therefore recommend disabling it altogether, following the instructions below.

  1. Open Registry Editor (regedit) and navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Add a new DWORD value: "DisableLoopbackCheck" and set it to "1"
  3. You may need to restart your computer.
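An added example, not from the original post, that scripts both loopback-check options from an elevated PowerShell prompt: the whitelist (the safer choice) and the full disable described in step 2. The whitelist value name BackConnectionHostNames under the MSV1_0 subkey is assumed from Microsoft's documentation rather than this page, and myproject.local is a constructed sample host name.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Option A (safer): whitelist specific host names in BackConnectionHostNames
#   under ...\Lsa\MSV1_0 (value name assumed from Microsoft's documentation).
# Option B (dev machine): DisableLoopbackCheck = 1, as in step 2 of the post.
param(
    [string[]]$HostNames = @('myproject.local'),  # constructed sample host name
    [switch]$DisableEntirely
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

if ($DisableEntirely) {
    # Option B: turn the check off for every host name (what the post recommends
    # for a development machine). Reboot may be required.
    New-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'DisableLoopbackCheck set to 1; a reboot may be required.'
}
else {
    # Option A: keep the check on and allow only the named hosts.
    # BackConnectionHostNames is REG_MULTI_SZ; merge with any existing entries
    # so a second run does not wipe out names added earlier.
    $existing = @()
    $prop = Get-ItemProperty -Path $msv10 -Name 'BackConnectionHostNames' `
        -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.BackConnectionHostNames) }
    $merged = @($existing + $HostNames | Sort-Object -Unique)
    New-ItemProperty -Path $msv10 -Name 'BackConnectionHostNames' `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    Write-Host "BackConnectionHostNames now: $($merged -join ', ')"
}

# Show what is in effect so the change is easy to audit (and to undo later).
Get-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue |
    Select-Object DisableLoopbackCheck
Get-ItemProperty -Path $msv10 -Name 'BackConnectionHostNames' -ErrorAction SilentlyContinue |
    Select-Object BackConnectionHostNames
```

Run it with no switches to whitelist the sample host, or with `-DisableEntirely` to reproduce the registry change from step 2.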

Step 3 – Single sign-on

By this point you should be able to log in to your site, and the only thing you are missing is single sign-on. This is easily fixed in Internet Options (e.g. through Internet Explorer).

  1. Click the Security tab.
  2. Choose Local intranet and click the Sites button.
  3. Click Advanced.
  4. Add your intranet domain to the list, and then Close>OK>OK your way back.

You should now be able to navigate to your intranet without entering any credentials. This works in Internet Explorer and Google Chrome as far as I have tested.

published in ASP.NET, Tips