Greg

Reputation: 737

Invoke-RestMethod Authentication Fails on local server

I have a WebApi (.NET Core 2, Windows Authentication) endpoint that I can successfully call from many combinations of PS/Windows versions:

Invoke-RestMethod -Uri https://<fqdn>/api/notification -UseDefaultCredentials

But when I run it locally on the server hosting the web application (using the same AD account), it fails to authenticate. IIS logs for requests from other computers show the user account making the request, but the local requests show an empty value for that field.

PS error:

HTTP Error 401.1 - Unauthorized You do not have permission to view this directory or page using the credentials that you supplied.

IIS log entry:

2018-06-12 21:42:31 GET /api/notification - 443 - Mozilla/5.0+(Windows+NT;+Windows+NT+6.3;+en-US)+WindowsPowerShell/5.1.14409.1012 - 401 1 3221225581 0

An entry from any other machine besides the local server would have the DOMAIN\User after the port number and would be successful.

Upvotes: 2

Views: 1698

Answers (1)

Adam

Reputation: 4168

Disable strict name checking. The following is a summary from the article: https://www.andrewcbancroft.com/2016/01/21/401-unauthorized-browsing-site-from-local-iis-instance/

Steps...

  1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, refer to article 281308 in the Microsoft Knowledge Base.
  2. Click Start, click Run, type regedit, and then click OK.
  3. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  4. Right-click MSV1_0, point to New, and then click Multi-String Value.
  5. Type BackConnectionHostNames, and then press ENTER.
  6. Right-click BackConnectionHostNames, and then click Modify.
  7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  8. Quit Registry Editor, and then restart the IISAdmin service. (To do this, I ran iisreset from a PowerShell prompt.)

Upvotes: 3
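
Steps 3 to 8 of the answer above, scripted in PowerShell as an added example that is not part of the original answer or the linked article. The host name is a constructed placeholder, and step 1 is left to the KB article the answer cites. The script merges with any names already in the value instead of overwriting them.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell prompt.
# Constructed sample value: replace with the host name(s) of sites hosted on THIS server.
# List only names the server really answers to; each entry is exempted from the
# loopback check behind the local 401.1.
$HostNames = @('app.example.internal')

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'   # step 3
$name = 'BackConnectionHostNames'                              # step 5

# Read whatever is already configured so existing names are kept.
# Returns $null when the value does not exist yet.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

# Merge old and new, drop blanks, de-duplicate (Sort-Object -Unique ignores case).
[string[]]$merged = @($current) + @($HostNames) |
    Where-Object { $_ } |
    Sort-Object -Unique

# Steps 4-7: write the value as REG_MULTI_SZ (Multi-String Value).
# -Force replaces an existing value of the same name.
New-ItemProperty -Path $key -Name $name -PropertyType MultiString -Value $merged -Force |
    Out-Null

# Read back and show what is now configured.
(Get-ItemProperty -Path $key -Name $name).$name

# Step 8: restart IIS, as the answer did.
iisreset

# Then repeat the failing call locally, with the site's FQDN in place of <fqdn>:
#   Invoke-RestMethod -Uri https://<fqdn>/api/notification -UseDefaultCredentials
```

After the retry, the new IIS log line for the local request should carry DOMAIN\User in the user name field, as the entries from other machines do.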
