I have set up a Web Application from the VS template (MVC), and then enabled Windows Authentication.

<authentication mode="Windows" />
<authorization>
  <allow roles="ABC\Domain Users" />
  <deny users="*" />
</authorization>

Then I published the web application to an IIS server.

It works fine: when I request the index page of the application from a client machine, it logs me in automatically (tested with IE using the following link: http://myteamserver.mycompany/myapplication).

But if I RDP to the server (\\myteamserver.mycompany, where IIS is hosted) and open the same link in IE, it keeps prompting for credentials, and even after I enter the correct credentials, I am denied access.

The error message:

HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers.

Question: What is the difference between running IE on a client machine and IE on the server?

I checked the IE settings on the server; "Enable Integrated Windows Authentication" is checked. Also, I RDP'd to another server, and from there I can access the web application without any problem.

kennyzx

1 Answer

Turns out to be a security feature of Windows:

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version.

Symptom:

When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following: HTTP 401.1 - Unauthorized: Logon Failed

This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

Note: You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.

Cause:

.. a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

If I use localhost or IP instead of FQDN, it works.

Community
kennyzx
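Added example, not part of the original question or answer: a small triage script that classifies a URL by the conditions in the quoted Microsoft text (the name resolves to an address of this machine but does not match the computer name), plus the answer's observation that `localhost` and IP literals work. The function names and verdict strings are assumptions made for illustration; run it on the IIS server itself.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _norm(addr):
    """Canonical text form of an address, without any IPv6 zone id."""
    return str(ipaddress.ip_address(addr.split("%")[0]))


def resolve(host):
    """Addresses a name resolves to; empty set when it does not resolve."""
    try:
        return {_norm(i[4][0]) for i in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def local_identity():
    """Names and addresses of the machine this script runs on."""
    short = socket.gethostname()
    names = {short.lower(), socket.getfqdn().lower()}
    return names, {"127.0.0.1", "::1"} | resolve(short)


def loopback_verdict(url, names, local_addrs, resolver=resolve):
    """Classify a URL by the conditions the quoted Microsoft text gives."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        return "invalid-url"
    try:
        ipaddress.ip_address(host)
        return "ok-ip-literal"           # the answer: an IP works
    except ValueError:
        pass
    if host == "localhost":
        return "ok-localhost"            # the answer: localhost works
    if host in names:
        return "ok-matches-computer-name"
    if resolver(host) & {_norm(a) for a in local_addrs}:
        return "loopback-check-applies"  # local site, non-matching name
    return "not-local"                   # served by another machine


if __name__ == "__main__":
    names, addrs = local_identity()
    url = "http://myteamserver.mycompany/myapplication"  # URL from the question
    print(url, "->", loopback_verdict(url, names, addrs))
```

A `loopback-check-applies` verdict on the server, together with a working login from client machines, matches the symptom described in the answer.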