Wednesday, April 10, 2013

Windows authentication and fake/local domains defined in your host file


I like to create my own local domains when creating a website on my computer as it’s both easier to work with and to remember than using the default site with a lot of virtual directories/applications. However if you want to use windows authentication on a fake domain like this you will run into problems. If you create your own fake domain on a computer using the host file (for instance www.test.local) and want to enable windows authentication on the site this won’t work out of the box. Here are some pointers on how to get this to work properly.
My step by step on how to add and use such domains are:

1. Edit C:\windows\system32\drivers\etc\hosts

You might have to change the security settings on this file to be able to edit this file.
Add in the hosts file.
Remember to never use a domain that could exist (like Always use a top domain that doesn’t exist.
2. Create your website in Internet Information Server Manager

Fill in the hostname field with the domain entered in your hosts file like below:

3. Configure your site to use Windows Authentication.

This is done in the Internet Information Server Manager by clicking on your site and then the Authentication icon. Disable all options but Windows Authentication and if needed ASP.NET Impersonation.
Select Windows Authentication in this list and click Providers on the right hand side options. Make sure you use the correct provider depending if you use NTLM or Kerberos as your verification method. If you’re not sure you can always try each option. Keep just one option provider enabled at a time (at least at first).
Do a iisreset from command prompt after you change the providers to make sure no setting is cached.
4. Add local domain support in registry.
Even if you’ve done everything above which are the typical steps to enable windows authentication on a normal web site using a proper domain it might not/won’t work using a host name specified domain.
To enable this feature you will have to enter some values into your registry. Start regedit and go to the HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0 key.
Add a multi string value at this key named BackConnectionHostNames.
Enter the domain(s) you’ve added to your hostfile that you want windows authentication support for line by line like illustrated below.

Ujjwal Soni