Develop Reference

Web site web.config error?

I don't know what this error means:
it is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
Can someone tell me what this error means and how to fix it?
EDIT: Also, when I click on the error, it brings me to this line of code in the web.config: <authentication mode="Windows" />

As the error is telling you, you need to mark your virtual directory / website as an Application in IIS Manager.

Error 0x80070021 IIS windows 8

I'm trying to deploy web pages on IIS. When I try to browse site I got such mistake:
This configuration section cannot be used at this path. This happens
when the section is locked at a parent level. Locking is either by
default (overrideModeDefault="Deny"), or set explicitly by a location
tag with overrideMode="Deny" or the legacy allowOverride="false".
Section in my config file:
<security>
<authentication>
<basicAuthentication enabled="false" />
</authentication>
</security>
May anybody help me to "unlock" parent section (as far as I understand).

You may need to allow feature delegation.
IIS Manager -> Feature Delegation
Select "Authentication - Basic" and change it to Read/Write.
By default it is ReadOnly.

I had the same kind of problem when I tried to deploy ASP.NET pages on IIS. (To be honest don´t know if exactly the same - I am using Windows 10 now, but got same kind of message).
At first it seamed complicated to fix but found out that had a really easy solution.
I Just needed to reinstal IIS at the Control Painel - but with ASP option enabled (I enabled all of the resources for development of applications).
And at the Website (basic) configuration had to select .NET v4.5 Classic.

Error 500.19 and file execution issues and locked on IIS 8
To resolve it I had to execute in cmd:
%windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/handlers
%windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/modules

IIS express: Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to

In Visual studio, Solution->Web.Project->Properties->Web, I have changed my Project Url from http://localhost:51123/ to http://localhost:51123/NewProjectName and I keep getting this error:
"Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to ...." on every module added.
Adding a remove tag works but then it should have been a problem even before i changed the url. Any suggestions?

I think IIS Express probably has 2 <application>-blocks and both will be pointing to the same physicalPath.
Go to the IIS Express config file in: My Documents\IISExpress\config\applicationhost.config
Search for NewProjectName
Change the physicalPath for the root application to something else. Point it to an empty folder.
Should look something like this:
<site name="NewProjectName" id="1">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="c:\Temp" />
</application>
<application path="/NewProjectName" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="c:\sourcecode\NewProjectName" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:51123:localhost" />
</bindings>
</site>

Also, ensure you don't have a duplicate web.config file in one of the parent folders (eg: a web.config backup file). That was the issue with mine!

I started randomly getting this error. I noticed that the iis express had two sites.
This double layer is causing IIS to read the web.config from the first site and second at \WFM, therefore finding duplicates. I just stopped all the sites and removed the \WFM from my web project path. However you could go clear the files and folders from your temp file in IIS express. In my case I had multiple versions of the solution and one solution's project\user config had an extra path in the web project URL. VS 2015 added it, or someone checked in their own user config to TFS. Hope this helps others.

All web.config files work off multiple cascading levels of inheritance at the machine, IIS, project, and folder level locations, with each providing a higher degree of specificity.
If you're getting this error, it means you've either:
Added the same key twice in the same file (unlikely since you would've seen it)
The same key already exists in a separate file higher up the inheritance chain
There can be a lot of different root causes for #2, but if you want to side step them, you can just remove any previous declarations and then re-add your own at that level (I'd pay good money for an upsert feature).
So just add <remove> tags like this for any offending elements:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="ErrorLog" />
<remove name="ErrorMail" />
<remove name="ErrorFilter" />
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
</modules>
</system.webServer>

If you create an IIS website with the physical path the same as the project folder, and then use it create a virtual folder for the project, you are going to see this issue.
Your Web.config file is being loaded twice.
Instead as orjanto pointed out, create an empty folder and point the IIS website to it and then use it to create a virtual folder from Visual Studio.

I had the same problem. It turned out that I had a different project that uses IISExpress with the same port number. Once I changed the project to use a different port number, the error went away.

What worked for me. I deleted the {projectFolderParent}/.vs/config (you have to "show hidden folders/files)
After deleting that, I restarted my computer.

My Project Url in Web tab inside project properties pointed to wrong url and I was not able to change it ("Would you like to create Virtual Directory?" and VS was locked in a loop (Yes -> Unable to create, No -> Operation Canceled) until I manually reverted Url to the (incorrect) state it was before. The solution was to run VS as Admin. I was able to change that url and everything started to work. Hope it helps!

You may find that after upgrading to the latest windows 10 service pack June 2017, this issue is because certain nodes seem to now appear under the root config (machine.config). I removed my duplicates from web.config and it all worked again.

I had a problem of same type. Running my site published on IIS, the same error was shown.
I saw a web.config file in the wwwroot folder (out of application folder).
I removed this file and the application ran OK.
Look for a web.config file placed in a wrong folder (above your folder application).
Good luck!

The answer that #orjanto posted solved the problem for me, but I had an additional problem on top of that. After fixing, Internet Explorer still thought that my HTML page was a directory instead of a file.
I had duplicates in my IIS Express config file:
<site name="MyAPI" id="56">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\source\repos\MyAPI" />
</application>
<application path="/login.html" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\source\repos\MyAPI" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:57018:localhost" />
<binding protocol="https" bindingInformation="*:44302:localhost" />
</bindings>
</site>
Note the path="/login.html" in the second <application> entry.
My page was redirecting to "localhost:57018/login.html/" like it was a directory.
Removing the second entry fixed the problem with the configuration file duplicates, however I continued to have a problem where Internet Explorer seemed to think that /login.html/ was a directory (Internet Explorer 11). To diagnose the problem, I checked Chrome and Chrome worked fine.
I went into Internet Explorer, went to Tools > Internet Options > General Tab. Then under "Browsing History" section, I deleted History, Cookies and Website Data, & Temp. Internet Files.

I tried all of the above methods and nothing worked for me. I was keep on getting the error something like
Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to 'QueryStringModule'
At last I changed my server from
IIS Express to Local IIS in the project property build as given below.
and it worked for me.

I had the same problem, here's what I did:
I changed my Server settings from Local IIS to IIS Express:
If it still doesn't work, I changed the port number to different port
number then click the Create Virtual Directory button. Clean the
solution then Rebuild.

Just Change the port number which is not yet used by another application and it works

Config Error: This configuration section cannot be used at this path

I've encountered an error deploying a site to a server. When trying to load the home page, or access authentication on the new site in IIS, I get the error:
Config Error: This configuration section cannot be used at this path.
This happens when the section is locked at a parent level. Locking is
either by default (overrideModeDefault="Deny"), or set explicitly by a
location tag with overrideMode="Deny" or the legacy
allowOverride="false".
More detail can be found here, in Scenario 7 matches my hex error code.
The solution given on the linked site above is to set Allow for overrideModeDefault in the section mentioned in my error, in the applicationHost.config file. In my case, under Security in system.webServer. But if I look at the applicationHost.config on my local computer, where the site is properly deployed already, that section is set to Deny.
If this solution is correct, how is my local instance running just fine with the same web.config? According to my applicationHost.config, that section should be locked, but it's not. I'd prefer to not change the applicationHost.config file, because there are many other sites running on that server. Is there another solution?

I had the same problem. Don't remember where I found it on the web, but here is what I did:
Click "Start button"
in the search box, enter "Turn windows features on or off"
in the features window, Click: "Internet Information Services"
Click: "World Wide Web Services"
Click: "Application Development Features"
Check (enable) the features. I checked all but CGI.
btw, I'm using Windows 7. Many comments over the years have certified this works all the way up to Windows 10 and Server 2019, as well.

You could also use the IIS Manager to edit those settings.
Care of this Learn IIS article:
Using the Feature Delegation from the root of IIS:
You can then control each of machine-level read/write permissions, which will otherwise give you the overrideMode="Deny" errors.

For Windows Server 2012 and IIS 8, the procedure is similar.
The Web Server (IIS) and Application Server should be installed, and you should also have the optional Web Server (IIS) Support under Application Server.

Browse to “C:\Windows\System32\inetsrv\config” (you will need administrator rights here)
Open applicationHost.config
Note: In IISExpress and Visual Studio 2015 the applicationHost.config is stored in $(solutionDir).vs\config\applicationhost.config
Find the section that showed up in the “config source” part of the error message page. For me this has typically been “modules” or “handlers”
Change the overrideModeDefault attribute to be Allow
So the whole line now looks like:
<section name="modules" allowDefinition="MachineToApplication" overrideModeDefault="Allow" />
After saving the file, the page loaded up fine in my browser.
Warning:
Editing applicationHost.config on 64-bit Windows

You need to unlock handlers. This can be done using following cmd command:
%windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/handlers
Maybe another info for people that are getting this error on IIS 8, in my case was on Microsoft Server 2012 platform. I had spend couple of hours battling with other errors that bubbled up after executing appcmd. In the end I was able to fix it by removing Web Server Role and installing it again.

1. Open "Turn windows features on or off" by: WinKey+ R => "optionalfeatures" => OK
Enable those features under "Application Development Features"
Tested on Win 10 - But probably will work on other windows versions as well.

I ran these two commands from an elevated command prompt:
%windir%/system32/inetsrv/appcmd unlock config /section:anonymousAuthentication
%windir%/system32/inetsrv/appcmd unlock config /section:windowsAuthentication

As per my answer to this similar issue;
Try unlocking the relevant IIS configuration settings at server level, as follows:
Open IIS Manager
Select the server in the Connections pane
Open Configuration Editor in the main pane
In the Sections drop down, select the section to unlock, e.g. system.webServer > defaultPath
Click Unlock Attribute in the right pane
Repeat for any other settings which you need to unlock
Restart IIS (optional) - Select the server in the Conncetions pane, click Restart in the Actions pane

This Did the trick for me, for IIS 8 Windows server 2012 R2
Go to "Turn on Features"
Then go to all default setting , Next, Next, Next etc..
Then, select as shown below,
Then reset IIS (optional) but do it safer side.
This is an additional solution as its a generic problem everyone have different of problem and thus different solution. Cheers!

The best option is to Change Application Settings from the Custom Site Delegation
Open IIS and from the root select Feature Delegation and then select Application Settings and from the right sidebar select Read/Write

On Windows Server 2012 with IIS 8 I have solved this by enabling ASP.NET 4.5 feature:
and then following ken's answer.

To fix this open up the IIS Express applicationhost.config. This file is stored at C:\Users[your user name]\Documents\IISExpress\config\applicationhost.config
Update for VS2015+: config file location is $(solutionDir).vs\config\applicationhost.config
Look for the following lines
<section name="windowsAuthentication" overrideModeDefault="Deny" />
<section name="anonymousAuthentication" overrideModeDefault="Deny" />
<add name="WindowsAuthenticationModule" lockItem="true" />
<add name="AnonymousAuthenticationModule" lockItem="true" />
Change those lines to
<section name="windowsAuthentication" overrideModeDefault="Allow" />
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<add name="WindowsAuthenticationModule" lockItem="false" />
<add name="AnonymousAuthenticationModule" lockItem="false" />
Save it and refresh Asp.net Page.

In our case on IIS 8 we found the error was produced when attempting to view Authentication" for a site, when:
The server Feature Delegation marked as "Authentication - Windows" = "Read Only"
The site had a web.config that explicitly referenced windows authentication; e.g.,
Marking the site Feature Delegation "Authentication - Windows" = "Read/Write", the error went away. It appears that, with the feature marked "Read Only", the web.config is not allowed to reference it at all even to disable it, as this apparently constitutes a write.

Seems that with IIS Express and VS 2015, there's a copy of the applicationHost.config file at $(solutionDir).vs\config\applicationhost.config so you'll need to make changes there. See this link: http://digitaldrummerj.me/iis-express-windows-authentication/
Make sure these lines are changed per below:
<section name="windowsAuthentication" overrideModeDefault="Allow" />
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<add name="WindowsAuthenticationModule" lockItem="false" />
<add name="AnonymousAuthenticationModule" lockItem="false" />

In my case it was that on server was not enabled "HTTP Activation" under .NET Framework Features. So for Windows Server 2012 the solution which worked for me was:
Server Manager -> Add roles and features -> Features -> make sure that under .NET Framework of version you want to use is checked "HTTP Activation"

The Powershell way of enabling the features (Windows Server 2012 +) - trim as needed:
Install-WindowsFeature NET-Framework-Core
Install-WindowsFeature Web-Server -IncludeAllSubFeature
Install-WindowsFeature NET-Framework-Features -IncludeAllSubFeature
Install-WindowsFeature NET-Framework-45-ASPNET -IncludeAllSubFeature
Install-WindowsFeature Application-Server -IncludeAllSubFeature
Install-WindowsFeature MSMQ -IncludeAllSubFeature
Install-WindowsFeature WAS -IncludeAllSubFeature

The error says that the configuration section is locked at the parent level.
So it will not be directly 1 config file which will resolve the issue,
we need to go through the hierarchy of the config files to see the inheritance
Check the below link to go through the File hierarchy and inheritance in IIS
https://msdn.microsoft.com/en-us/library/ms178685.aspx
So you need to check for the app config settings in the below order
ApplicationHost.config in C:windows\system32\inetsrv\config. Change the overrideModeDefault attribute to be Allow.
ApplicationName.config or web.config in the applications directory
Web.config in the root directory.
Web.config in the specific website (My issue was found at this place).
Web.config of the root web (server's configuration)
machine.config of the machine (Root's web.config and machine.config can be found at - systemroot\MicrosoftNET\Framework\versionNumber\CONFIG\Machine.config)
Go carefully through all these configs in the order of 1 to 6 and you should find it.

I noticed one answer that was similar, but in my case I used the IIS Configured Editor to find the section I wanted to "unlock".
Then I copied the path and used it in my automation to unlock it prior to changing the sections I wanted to edit.
. "$($env:windir)\system32\inetsrv\appcmd" unlock config -section:system.webServer/security/authentication/windowsAuthentication
. "$($env:windir)\system32\inetsrv\appcmd" unlock config -section:system.webServer/security/authentication/anonymousAuthentication

I needed to change the SSL settings on a subfolder when i got this nice message. In my case following action helped me out.
Opened C:\Windows\System32\inetsrv\config\applicationHost.config
And changed the value from overrideModeDefault="Deny" to "Allow"
<sectionGroup name="system.webServer">
...
<sectionGroup name="security">
<section name="access" overrideModeDefault="Allow" />
</sectionGroup>

In my case, I got this error because I was operating on the wrong configuration file.
I was doing this:
Configuration config = serverManager.GetWebConfiguration(websiteName);
ConfigurationSection serverRuntimeSection = config.GetSection("system.webServer/serverRuntime");
serverRuntimeSection["alternateHostName"] = hostname;
instead of the correct code:
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection serverRuntimeSection = configApp.GetSection("system.webServer/serverRuntime", websiteName);
serverRuntimeSection["alternateHostName"] = hostname;
in other words, I was trying to operate on the website's web.config instead of the global file C:\Windows\System32\inetsrv\config\applicationHost.config, which has a section (or can have a section) for the website. The setting I was trying to change exists only in the applicationHost.config file.

In my case, it was something else.
When I loaded the solution in a new version of Visual Studio, VS apparently created a new project-specific applicationhost.config file:
MySolutionDir\.vs\config\applicationhost.config
It started using the settings from the new config, instead of my already customized global IIS Express settings.
(\Users\%USER%\Documents\IISExpress\config\applicationhost.config)
In my case this was the setting that needed to be set. Of course it could be something else for you:
<section name="ipSecurity" overrideModeDefault="Allow" />

Received this same issue after installing IIS 7 on Vista Home Premium. To correct error I changed the following values located in the applicationHost.config file located in Windows\system32\inetsrv.
Change all of the following values located in section -->
<div mce_keep="true"><section name="handlers" overrideModeDefault="Deny" /> change this value from "Deny" to "Allow"</div>
<div mce_keep="true"><section name="modules" allowDefinition="MachineToApplication" overrideModeDefault="Deny" /> change this value from "Deny" to "Allow"</div>

Can You try this:
Go to application path where you're getting deny error, right click
Properties->Security tab
In that, change the permissions and check the checkbox read and write. Then it will work without any error hopefully.

For Windows Server 2008 and IIS 7, the procedure is similar.
please refer to this:
http://msdn.microsoft.com/en-us/library/vstudio/bb763178(v=vs.100).aspx
in add role service, u will see "Application Development Features"
Check (enable) the features. I checked all.

In my case I was getting this error when attempting to update the authentication settings in IIS also in addition to browsing. I was able to remove this error by removing the authentication setting from the web.config itself. Removing a problematic configuration section may be less invasive and preferable in some cases than changing the server roles and features too much:
Section Removed:
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>

I had the similar issue, but I used the following powershell script which helped me to achieve above steps in on button click.
#Install IIS
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-Asp-Net45, Web-Mgmt-Console, Web-Scripting-Tools, NET-WCF-HTTP-Activation45, Web-Windows-Auth
the list of features can be added or removed based on the requirement.

I had an issue where I was putting in the override = "Allow" values (mentioned here already)......but on a x64 bit system.......my 32 notepad++ was phantom saving them. Switching to Notepad (which is a 64bit application on a x64 bit O/S) allowed me to save the settings.
See :
http://dpotter.net/technical/2009/11/editing-applicationhostconfig-on-64-bit-windows/
The relevant text:
One of the problems I’m running down required that I view and possibly edit applicationHost.config. This file is located at %SystemRoot%\System32\inetsrv\config. Seems simple enough. I was able to find it from the command line easily, but when I went to load it in my favorite editor (Notepad++) I got a file not found error. Turns out that the System32 folder is redirected for 32-bit applications to SysWOW64. There appears to be no way to view the System32 folder using a 32-bit app. Go figure.
Fortunately, 64-bit versions of Windows ship with a 64-bit version of Notepad. As much as I dislike it, at least it works.

I had the same issue.
Resolved it by enabling Application Server feature. Restarted iis
after that.

This worked for me
Also in IIS 8 you can solve this problem by changing the server to IIS Express. Goto debug->Properties
In the Web select the server as IIS Express from the dropdown and then rebuild the solution

To make a change at Application Level (Web.Config):
Please remove the Trust Level from the web.config:
Actually I was getting this error when I was trying to host my Website on the Hosting Server where I don't have control on their Server. Removing the above line from my Application web.config solved my issue.

Most Strange IIS Windows Authentication behavior

I have an ASP.NET website running on Windows Server R2 in a corporate network, using Windows Authentication.
The app pool of the website is using a domain account and in Integrated pipeline mode.
The authentication is set Windows Authentication, all other authentication modes are disabled.
However, this does not work. Every time I access the website, it pops up a dialog asking for user name and password. I enter the correctly domain user name and password, but it does not continue--the windows pops up again. After three times, it fails and displays a white page. I tried with many different browsers, bu all of them fail. I asked some colleagues to try and they all got failure, too.
I cannot figure out why this error is happening and tried many ways to fix it with no luck. I think it is very strange. However, finally I found a way to fix this problem, this is the most strange part of the problem: I edit the "Physical path" in "Basic Settings" of the website, I just point it to another healthy website, for instance, %SystemDrive%\inetpub\wwwroot, then I try to browse the website, very good, it runs well and displays the default page (iisstart.htm). It looks like it is not very helpful, but then I change the physical path back to my website; suddenly everything goes well -- the windows authentication works! I do not know why it helps, but I am happy with this result -- it fixes my problem though I do not know what the heck is happening.
The happy time is always short, several days later, the server got some patches and restarted, the website can't work again. And again, I can fix the problem using the trick above.
I do not like this! I do not like doing this stupid trick every time IIS resets or the server restarts.
Is there anyone who has some ideas on why windows authentication fails, and why the aforementioned trick can fix it, and why after an IIS reset it fails again?

First off, THANK YOU for creating this post. I have the exact same issue and could not find anyone else without posting the obvious fixes that were of no avail to me. I had been working on this for almost two weeks
To assist the next poor soul that encounters this issue and post, I hope my extra tidbits help.
Your initial solution did not fix my issue in my case, but it did prove that it was custom error page related. After pasting in your code into web.config my problem got worse and I was not able to debug or launch the page (had 500 internal server error related to web.config)
BUT finally what I did was go into the IIS Console and remove all of my custom error pages. It still did not work as had hoped. BUT, I also found entries for ASP.NET ".NET Custom Errors" in the top half of the site console (and the "custom errors" tag in web.config). I had old entries in there and removed them via console, and YESSSS, my site came back to normal with Windows Authentication.
I have since recreated the IIS Custom Errors and I am still up and running as designed.
SO to anyone else that may have this issue, check both ASP.NET Custom Errors AND IIS Custom Errors settings. Maybe there is a conflict, I dont know, but in my case having only the IIS pages set fixed me up (for now :-) )

I just found it seems caused by custome 401 error pages under "Error Pages". I set it to execute an URL when the status code is 401 in my web.config, it looks like:
<httpErrors errorMode="Custom">
<remove statusCode="401" subStatusCode="-1"/>
<error statusCode="401" path="/Error/AccessDenied" responseMode="ExecuteURL"/>
</httpErrors>
Then every time I reset IIS and try to access this website, the problem appears. If I delete it in Web.Config or delete from IIS console, then the problem disappears, what is more funny is another experiment: after I deleted this settings and have been successful opening the website, I added this setting back. Everything works very well. Every domain user can access this website, those that failed passing authorization get the customer error page.
So my solution now is I removed this setting in my Web.Config, every time I reset IIS or restart the server, the server admin need to hit the website first, and then add this customer error page in IIS console.
I feel this is a bug of II7.5 on Windows Server 2008 R2.

I was also struggling with this same issue all my day. I am using windows authentication and Custom error setting in web.config for 401 errors.
After I reset the IIS, the website stop accepting domain users and windows authentication pop up reappear again and again.
I added remove tag in the web.config file with Sub status code.
<httpErrors>
<remove statusCode="401" subStatusCode="-1" />
<remove statusCode="401" subStatusCode="1" />
<error statusCode="401" subStatusCode="-1" path="/Custom401.aspx" responseMode="ExecuteURL" />
<error statusCode="401" subStatusCode="1" path="/Custom401_1.aspx" responseMode="ExecuteURL" />
</httpErrors>
Previously remove tag was only present for substatus code -1 but missing for sub status code "1" . After i added it, everything started woking properly.
In the above post, substatus code is missing for error tag, that could be the cause of the problem. There should be remove tag for all 401 errors there.

I just spent a couple of hours digging up a solution to this problem.
Why IE fails yet the other browsers succeed: IE tries to use Kerberos authentication and the other browsers don't try. The others use NTLM.
Solution: In the situation described in the question, a domain account was being used in the App Pool. Simple solution: switch to using the "Network Service" account. More complex solution: You have to register a service principal name (SPN). Read this article (ignore the fact that it is talking about IIS 6 because it also works fine on IIS 7 and 7.5) - You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site.
I hope this helps. It gave me a headache until I stumbled upon that article. (Thanks to Paul Lynch who posted the link Windows Authentication Failing in IE8 but not Firefox)

I had this same problem on my Windows 2008 R2 server. I did not have custom 401 error pages. I did use aliased server names (via DNS CNAME records and host header entries on the IIS bindings). I registered the SPNs for Kerberos as suggested, but that did not solve the problem. I resolved it by disabling "Kernel Mode Authentication" (click on the server in the IIS tree -> double-click on Authentication under the IIS group -> click on Windows Authentication -> click on Advanced Settings on the Actions pane -> Uncheck the checkbox -> click OK -> run iisreset). The information on that dialog box recommends against disabling Kernel Mode Authentication when using non-standard service accounts for the application pool identity, but that didn't apply to us since we're using the standard ApplicationPoolIdentity identity.

I had the same issue.. Turnes out I should not have messed with my hostfile.. I changed my hostfile and pointed some fancy address to my machine like so:
www.givemeyourcredentials.com 127.0.0.1
I added a binding to the site "www.givemeyourcredentials.com". I typed in the addres in my addressbar and the site prompted my credentials as expected.. Typed in my credentials and got prompted for my credentials again.. And again and again and again..
Turns out: Bind your website to http://localhost when using windows authentication in an IIS site. That did the trick for me.
Hope this helps somebody...

Add "NT Service\trustedInstaller" to physical folder of the site. Location for this user is local machine name.

The NTLM protocol that is used for Integrated Windows authentication requires a two-step process to authenticate clients. The behavior that is mentioned in the "Symptoms" section occurs when the following conditions are true:
The application pool recycles after the first step of the Integrated Windows authentication process.
However, the application pool recycles before the second step of the Integrated Windows authentication process.
To work around this behavior and to reduce the frequency of these error messages, configure the application pool to recycle less frequently. To configure application pool recycling, follow these steps:
Click Start, click Run, type inetmgr, and then click OK.
Expand the name of the computer on which you want to configure application pool recycling, and then expand Application Pools.
Right-click the application pool that you want to configure, and then click Properties.
On the Recycle tab, configure one of the metrics so that IIS recycles less frequently.
Note IIS 6 application pools support several metrics. These metrics include the time elapsed, the number of requests, and the specified time to recycle an application pool. If an application pool has a metric that causes the application pool to recycle frequently, you will experience this issue more frequently.
Click OK.
[ Copied from https://support.microsoft.com/en-us/kb/902160 for posterity ]