IE 8 NTLM Authentication on Windows 2008
If you are using host headers to resolve the websites, then you might have seen the following issue with NTLM authenticated sites on IE 8. When you access the websites on a machine other than the one where it is hosted, you will be able to get to the sites.
Once you RDP onto the server and try to connect to the website, it will prompt for your windows credentials and will get an access denied message. This problem occurs because Windows includes a loopback check security feature that helps prevent reflection attacks on your computer(Probably some kind of security change has been made in IE8 related to this feature). Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
Resolution: Disable the loopback check
Once you RDP onto the server and try to connect to the website, it will prompt for your windows credentials and will get an access denied message. This problem occurs because Windows includes a loopback check security feature that helps prevent reflection attacks on your computer(Probably some kind of security change has been made in IE8 related to this feature). Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
Resolution: Disable the loopback check
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
