JSI Tip 10082. You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6?

When you browse a local Web site using a FQDN (Fully Qualified Domain Name) that is hosted on IIS 5.1 or IIS 6, you receive:

HTTP 401.1 - Unauthorized: Logon Failed

NOTE: You may also receive a message similar to the following when you attempt to debug a Microsoft ASP.NET project in Microsoft Visual Studio 2003:

Error while trying to run project: Unable to start debugging on the web server. You do not have permissions to debug the server.

Verify that you are a member of the 'Debugger Users' group on the server.

This behavior will occur if the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address, and you have installed Windows XP SP2 or Windows Server 2003 SP1, because those service packs include a loopback check security feature designed to help prevent reflection attacks. Authentication fails because the FQDN does NOT match the local computer name.

To workaround this behavior, disable the loopback check or specify the host names that are mapped to the loopback address.

To disable the loopback check:

1. Open a CMD.EXE window.

2. Type the following command and press Enter:

REG ADD HKLMSYSTEMCurrentControlSetControlLsa /V DisableLoopbackCheck /T REG_DWORD /F /D 1

3. Shutdown and restart the computer.

To specify the host names:

1. Open a CMD.EXE window.

2. Type the following command and press Enter:

REG ADD HKLMSYSTEMCurrentControlSetControlLsaMSV1_0 /V BackConnectionHostNames / T REG_MULTI_SZ /F /D ""

Where "" contains the host names for the sites that are on the local computer, each separated by .

3. Shutdown and restart the computer.