IE8 refuses to authenticate on a local website (website and browser are on the same machine) even when valid credentials are supplied, when the website is reached using a host header bound to the machine's loopback address. After a few attempts, the website reports an HTTP 401.1 Access Denied error. A different browser may authenticate successfully. Browsing the website with IE8 from an external client computer authenticates as expected.
A Windows security update is responsible for a loopback check security feature that is meant to prevent reflection attacks. Authentication fails if the host header does not match the local computer name. Disable the loopback check in the registry:
- Run regedit.
- Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
- Add a new DWORD value called DisableLoopbackCheck.
- Modify the new value data to 1.
- More info at Microsoft KB article 896861: http://support.microsoft.com/kb/896861.