I was just troubleshooting an issue with a legacy code base on my client workstation. It is IIS 7.5 (guess what OS I am running) with ASP.NET 4.X and v2.0/v3.5 ISAPI registered.
The ASP.NET legacy application is built using Windows authentication for security purposes. When I configured the local code base to publish to a local IIS website with a custom name, the website kept prompting me with an error. For the life of me, I could not figure out the issue. Setting the Application Pool back to “Network Service” from ApplicationPoolIdentity did not fix the issue.
After breaking my head for hours, I finally remembered this little gem from the past, with the help of Google of course. Basically, for NTLM and Kerberos, if the target IIS host is in the domain, it is very strict about who is allowed to authenticate via SSPI (fancy acronym for security negotiating). I will need to update my developer on-boarding script to make sure I either disable loop-back checking or white-list the local custom dev URLs. Security to insanity!
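
One way the on-boarding step could look, as an added example rather than the author's actual script: it takes the allow-list route by merging the dev host names into the Windows `BackConnectionHostNames` value under `Lsa\MSV1_0`, and only warns if `DisableLoopbackCheck` is set, since that value turns the check off for every host name on the machine. The host names are constructed placeholders.

```powershell
param(
    # Constructed sample host names; replace with the custom names bound to the local IIS sites.
    [string[]]$DevHostNames = @('legacyapp.local.test', 'intranet.local.test')
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key   = Join-Path $lsaKey 'MSV1_0'
$valueName = 'BackConnectionHostNames'

# Accept plain DNS host names only: no scheme, port, path or wildcard.
$label   = '[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
$invalid = @($DevHostNames | Where-Object { $_ -notmatch "^$label(\.$label)*$" })
if ($invalid.Count -gt 0) {
    throw "Not a host name: $($invalid -join ', ')"
}

# Read the existing multi-string value; it is absent on a fresh machine.
$raw     = (Get-ItemProperty -Path $msv1Key -Name $valueName -ErrorAction SilentlyContinue).$valueName
$current = @($raw | Where-Object { $_ })

# Add only the names that are not already listed, so the script can be re-run safely.
$missing = @($DevHostNames | Where-Object { $current -notcontains $_ } | Select-Object -Unique)
if ($missing.Count -gt 0) {
    New-ItemProperty -Path $msv1Key -Name $valueName -PropertyType MultiString `
        -Value ($current + $missing) -Force | Out-Null
    Write-Host "Added to ${valueName}: $($missing -join ', ')"
} else {
    Write-Host "$valueName already contains all requested host names."
}

# Report the machine-wide switch instead of setting it.
$disabled = (Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($disabled -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for every host name on this machine.'
}
```

Run it from an elevated PowerShell prompt; a restart may be needed before the new value is honored.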