ローカルでWindows認証が機能しないIIS 7.5。エラー401.1

Question

最近、ASP.net 4.0サイトへのローカルインスタンスIIS 7.5（Windows 7 Pro）でWindows認証を使用できるようにするという厄介な問題がありました。基本的な手順に従いました。

IIS認証

匿名認証を無効にする
Windows認証を有効にする

Web.configを編集します

<authentication mode="Windows" />

これにより、Windows認証が有効になりましたが、ログインの試みはすべて拒否され、最終的に401.1エラーが返されました。これが問題の始まりです。これには多くの理由があるように見えますが、ここにはStack Overflowを含め、Webの周辺でよく文書化されています。

私が試しました：

IIS拡張認証とカーネルモード認証を無効にするためのWindows認証の認証「詳細設定」
IIS認証 'プロバイダー'を編集してNTLMをネゴシエートの上に移動します。
IIS .NET認証ルールを明示的にユーザーに許可する（およびその他のさまざまな組み合わせ）を編集する。
さまざまなIISコマンドラインスクリプトと調整。
Web.configファイルのさまざまな設定の調整。
一部のファイルシステムのアクセス許可の調整ですらあります。

しかし、何の役にも立たず、恐ろしい401.1が残った。

これは本当に「木に木が見えない」場合です。私が見つけることができた解決策はどれもありません（あなたがそうだとしたら悪い検索パラメータのケースと呼んでください）ので、私はこの質問を投稿する価値があると思いました。

PeteWiFi · Accepted Answer

ここでの問題は、Windowsの最新バージョン（Windows XP SP2、Windows Server 2003 SP1以降）には、コンピューターへのリフレクション攻撃を防ぐように設計されたループバックチェックセキュリティ機能が含まれていることです。使用するFQDNまたはカスタムホストヘッダーがローカルコンピューター名と一致しない場合、認証は失敗します。

これは、ホスト名を明示的に指定するか、ループバックチェックを無効にすることで解決できます。明らかに、前者はより制御されたアプローチです。

DisableStrictNameCheckingレジストリエントリを1に設定します。 281308 （注：これはWindows Server 2008/Vista以降では不要です）
レジストリエディターで、次のレジストリキーを見つけてクリックします：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
[MSV1_0]を右クリックし、[新規]をポイントして、[複数行文字列値]をクリックします。
BackConnectionHostNamesと入力し、Enterキーを押します。
BackConnectionHostNamesを右クリックし、[変更]をクリックします。
[値のデータ]ボックスに、ローカルコンピューター上にあるサイトのホスト名またはホスト名を入力し、[OK]をクリックします。
レジストリエディターを終了し、IISAdminサービスを再起動します。

これを行う方法の詳細は、MSDNで確認できます。 896861

これが誰かを助けることを願っています。別の提案や改善点がある場合は追加してください。

funkyfoobar · Answer

IIS機能を再インストールし、WINDOWS認証チェックボックスのステータスがチェックされていることを確認します。

JamieSee · Answer

以下は、バックコネクションのホスト名とIISを処理するために使用するPowerShellコードです。少し手間をかけると、コマンドレットをモジュールに保存してその方法で使用できることに注意してください。

Import-Module WebAdministration function Add-BackConnectionHostname { <# .SYNOPSIS Adds the back connection hostnames that will bypass the server loopback check. .DESCRIPTION Adds the hostname to the list of back connection hostnames that will bypass the server loopback check. Back connection Host names can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. .EXAMPLE Add-BackConnectionHostname mywebsite.mydomain.tld .EXAMPLE Add-BackConnectionHostname mywebsite1.mydomain.tld, mywebsite2.mydomain.tld .PARAMETER Hostname The Hostname to add to the back connection hostnames list. .LINK Remove-BackConnectionHostname Get-BackConnectionHostname Enable-ServerLoopbackCheck Disable-ServerLoopbackCheck Get-ServerLoopbackCheck "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.Microsoft.com/en-us/kb/896861) #> [CmdletBinding(SupportsShouldProcess = $true)] param ( [Parameter(ValueFromPipeline = $true, Mandatory = $true)] [string] $Hostname ) begin { $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" $propertyName = "BackConnectionHostnames" $key = Get-Item $keyPath $property = $null $propertyValues = $null if ($key -ne $null) { $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue if ($property -eq $null) { $property = New-ItemProperty $keyPath -Name $propertyName -Value $null -PropertyType ([Microsoft.Win32.RegistryValueKind]::MultiString) -ErrorAction Stop Write-Verbose "Created the $($propertyName) property." } if ($property -ne $null) { $propertyValues = $property.$propertyName } } } process { if ($property -ne $null) { foreach ($hostNameValue in $Hostname) { if ([string]::IsNullOrWhiteSpace($hostName) -eq $false -and $propertyValues -notcontains $hostNameValue) { $propertyValues += $hostNameValue Write-Verbose "Added $($hostName) to the back connection hostnames." } else { Write-Verbose "Back connection Host names already has an entry for $($hostName)." } } } } end { if ($propertyValues -ne $null) { $propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues } } } function Remove-BackConnectionHostname { <# .SYNOPSIS Removes the hostname from the list of back connection hostnames that will bypass the server loopback check. .DESCRIPTION Removes the hostname from the list of back connection hostnames that will bypass the server loopback check. .EXAMPLE Remove-BackConnectionHostname mywebsite.mydomain.tld .EXAMPLE Remove-BackConnectionHostname mywebsite1.mydomain.tld, mywebsite2.mydomain.tld .PARAMETER Hostname The Hostname to remove from the back connection hostnames list. .LINK Add-BackConnectionHostname Get-BackConnectionHostname Enable-ServerLoopbackCheck Disable-ServerLoopbackCheck Get-ServerLoopbackCheck "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.Microsoft.com/en-us/kb/896861) #> [CmdletBinding(SupportsShouldProcess = $true)] param ( [Parameter(ValueFromPipeline = $true, Mandatory = $true)] [string] $Hostname ) begin { $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" $propertyName = "BackConnectionHostnames" $key = Get-Item $keyPath $property = $null $propertyValues = $null if ($key -ne $null) { $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue if ($property -ne $null) { $propertyValues = $property.$propertyName } else { Write-Verbose "The $($propertyName) property was not found." } } } process { if ($property -ne $null) { foreach ($hostNameValue in $Hostname) { if ($propertyValues -contains $hostNameValue) { $propertyValues = $propertyValues | ? { $_ -ne $hostName } Write-Verbose "Removed $($hostName) from the $($propertyName) property." } else { Write-Verbose "No entry for $($hostName) was found in the $($propertyName) property." } } } } end { if ($property -ne $null) { $propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique if ($propertyValues.Length -ne 0) { Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues } else { Remove-ItemProperty $keyPath -Name $propertyName Write-Verbose "No entries remain after removing $($hostName). The $($propertyName) property was removed." } } } } function Get-BackConnectionHostname { <# .SYNOPSIS Gets the list of back connection hostnames that will bypass the server loopback check. .DESCRIPTION Gets the back connection hostnames that will bypass the server loopback check. Back connection Host names can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. .EXAMPLE Get-BackConnectionHostname .LINK Add-BackConnectionHostname Remove-BackConnectionHostname Enable-ServerLoopbackCheck Disable-ServerLoopbackCheck Get-ServerLoopbackCheck "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.Microsoft.com/en-us/kb/896861) #> [CmdletBinding(SupportsShouldProcess = $false)] param ( ) begin { $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" $propertyName = "BackConnectionHostnames" $key = Get-Item $keyPath $property = $null if ($key -ne $null) { $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue if ($property -eq $null) { Write-Verbose "The $($propertyName) property was not found." } } } process { $propertyValues = $null if ($property -ne $null) { $propertyValues = $property.$propertyName } return $propertyValues } end { } } function Enable-ServerLoopbackCheck { <# .SYNOPSIS Enables the server loopback check. Enabled is the normal state for a Windows Server. .DESCRIPTION Enables the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details. .EXAMPLE Enable-ServerLoopbackCheck .LINK Add-BackConnectionHostname Remove-BackConnectionHostname Get-BackConnectionHostname Enable-ServerLoopbackCheck Get-ServerLoopbackCheck "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.Microsoft.com/en-us/kb/896861) #> [CmdletBinding(SupportsShouldProcess = $true)] param ( ) begin { $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" $propertyName = "DisableLoopbackCheck" $key = Get-Item $keyPath $property = $null if ($key -ne $null) { $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue if ($property -eq $null) { Write-Verbose "The $($propertyName) property was not found." } } } process { if ($property -ne $null) { Set-ItemProperty $keyPath -Name $propertyName -Value 0 } } end { } } function Disable-ServerLoopbackCheck { <# .SYNOPSIS Disables the server loopback check for all hostnames. Enabled is the normal state for a Windows Server. .DESCRIPTION Disables the server loopback check for all hostnames. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details. .EXAMPLE Disable-ServerLoopbackCheck .LINK Add-BackConnectionHostname Remove-BackConnectionHostname Get-BackConnectionHostname Enable-ServerLoopbackCheck Get-ServerLoopbackCheck "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.Microsoft.com/en-us/kb/896861) #> [CmdletBinding(SupportsShouldProcess = $true)] param ( ) begin { $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" $propertyName = "DisableLoopbackCheck" $key = Get-Item $keyPath $property = $null if ($key -ne $null) { $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue if ($property -eq $null) { Write-Verbose "The $($propertyName) property was not found." } } } process { if ($property -ne $null) { Set-ItemProperty $keyPath -Name $propertyName -Value 1 } else { $property = New-ItemProperty $keyPath -Name $propertyName -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Value 1 } } end { } } function Get-ServerLoopbackCheck { <# .SYNOPSIS Gets the status of the server loopback check. Enabled is the normal state for a Windows Server. .DESCRIPTION Gets the status of the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details. .EXAMPLE Get-ServerLoopbackCheck .LINK Add-BackConnectionHostname Remove-BackConnectionHostname Get-BackConnectionHostname Enable-ServerLoopbackCheck Disable-ServerLoopbackCheck "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.Microsoft.com/en-us/kb/896861) #> [CmdletBinding(SupportsShouldProcess = $false)] param ( ) begin { $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" $propertyName = "DisableLoopbackCheck" $key = Get-Item $keyPath $property = $null if ($key -ne $null) { $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue } } process { $loopbackCheckStatus = "Enabled" if ($property -ne $null) { switch ($property) { 0 { $loopbackCheckStatus = "Enabled" } 1 { $loopbackCheckStatus = "Disabled" } default { $loopbackCheckStatus = "Unknown" } } } return $loopbackCheckStatus } end { } } function Get-WebsiteHostname { <# .SYNOPSIS Gets the hostnames for the IP addresses bound to a web site. .DESCRIPTION Gets the hostnames for the IP addresses bound to a web site. Where a Host header exists, the Host header is used; otherwise, the IP address is looked up in DNS to see if a PTR record exists. .EXAMPLE Get-WebSiteHostname $webSite .EXAMPLE Get-WebSiteHostname -Name 'Default Web Site' .EXAMPLE Get-Website | Get-WebSiteHostname .LINK Get-Website #> [CmdletBinding(SupportsShouldProcess = $false)] param ( [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true)] [string] $Name ) process { $siteHostnames = @() foreach ($webSiteName in $Name) { $bindings = Get-WebBinding -Name $Name foreach ($binding in $bindings) { $bindingInfo = $binding.bindingInformation.Split(':') $hostHeader = $bindingInfo[2] $bindingInfoAddress = $null $isValidIP = [System.Net.IPAddress]::TryParse($bindingInfo[0], [ref] $bindingInfoAddress) $siteHostname = $null if ($bindingInfo -eq '*') { Write-Warning "The $($webSiteName) web site has a binding address set to All Unassigned." } elseif ([string]::IsNullOrWhiteSpace($hostHeader) -eq $false) { $siteHostname = $hostHeader Write-Verbose "The $($webSiteName) web site has a Host header set to $($siteHostname)." } elseif ($isValidIP -eq $true) { $siteHostname = (Resolve-DnsName $bindingInfoAddress -DnsOnly PTR -ErrorAction SilentlyContinue).NameHost if ($siteHostname -ne $null) { Write-Verbose "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) that resolves to $($siteHostname)." } else { Write-Warning "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) with no PTR record." } } } if ($siteHostname -ne $null) { $siteHostnames += $siteHostname } } return $siteHostnames | Sort -Unique } } Get-Website | ?{ (Get-WebConfiguration -Filter '/system.web/authentication' -PSPath $_.PSPath).mode -eq 'Windows' } | Get-WebsiteHostname | Add-BackConnectionHostname