Connecting to a site using Active Directory returns 401.1 Unauthorized


At times, the following error is received when browsing to the WindowsSignin.aspx page while logging in to a site that relies on Active Directory integration: HTTP Error 401.1 - Unauthorized: Logon Failed.




The issue here is that modern versions of Windows (Windows XP SP2, Windows Server 2003 SP1 and up) include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

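This can be resolved either by explicitly specifying host names or by disabling the loopback check. Explicitly specifying host names is the narrower change, because the loopback check stays in effect for every name that is not listed.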



You can fix the issue by applying the solution mentioned in the following Microsoft article.

  1. Set the DisableStrictNameChecking registry entry to 1. (Note: this should be unnecessary for Windows Server 2008/Vista and later.)
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  7. Quit Registry Editor, and then restart the IISAdmin service.
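
Steps 2 through 7 can also be scripted. The following PowerShell is an added example, not taken from the Microsoft article or from this page's author; the host names in it are constructed sample values. It merges new names into BackConnectionHostNames without discarding entries that are already there, then restarts the IISAdmin service.

```powershell
#Requires -RunAsAdministrator
# Added example: steps 2-7 above as a repeatable script.
param(
    # Constructed sample values; use the host headers/FQDNs of the sites on this computer.
    [string[]]$HostNames = @('intranet.example.com', 'portal.example.com')
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name = 'BackConnectionHostNames'

# Keep whatever is already listed so other local sites are not broken.
$existing = @()
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$name | Where-Object { $_ }) }

# Names that are requested but not yet present (-notcontains ignores case).
$missing = @($HostNames |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and ($existing -notcontains $_) } |
    Sort-Object -Unique)

if ($missing.Count -eq 0) {
    Write-Output "$name already lists every requested host name; nothing changed."
    return
}

# -Force overwrites an existing value; the type stays REG_MULTI_SZ.
[string[]]$value = $existing + $missing
New-ItemProperty -Path $key -Name $name -PropertyType MultiString -Value $value -Force | Out-Null
Write-Output "$name is now: $($value -join ', ')"

# Step 7: restart IISAdmin. -Force allows the restart when dependent services are running.
$svc = Get-Service -Name 'IISADMIN' -ErrorAction SilentlyContinue
if ($svc) {
    Restart-Service -Name 'IISADMIN' -Force
} else {
    Write-Warning 'IISADMIN service not found on this computer; restart IIS manually.'
}
```

Run it from an elevated PowerShell session. Running it a second time with the same names makes no change and does not restart the service.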



To test that this error has been resolved:

  1. Access the site that has Active Directory enabled.
  2. Log in with your Active Directory credentials.

You should not see the 401 error generated once you log in.


