My dev server is a Win 2003 machine with IIS 6.0.  I've got a number of web sites set up which I reference via URLs such as http://site1.localhost, http://site2.localhost, etc.  By putting entries in my HOSTS file which point back to 127.0.0.1, I can use those URLs to access the sites because I set up Host Headers for each site to look for its specific URL.

After installing VS 2008, I suddenly lost the ability to debug web applications on my local machine.  I had been using VS 2005 successfully before that.

"Unable to start debugging on the web server. An authentication error occurred while communicating with the web server."

I did a lot of fruitless searching on the web.  None of the solutions worked: Integrated Windows Authentication must be enabled for the website - yes it was. ASP.Net security settings all checked out.  ACL's were all okay.  I found that if I disabled Anonymous logins for the website in IIS, I could see that Integrated Windows Authentication wasn't working properly.  When viewing the site in my browser I would be asked to log in, but my windows credentials would not work*. Arg!

After examining IIS log files, it was clear that Visual Studio was trying to log in to the web server using the same account I was logged into Windows with.  So we were both having the same problem. For some reason IIS wasn't handling IWA properly.

I turned on auditing for logon failures and examined the security event log.

Hmm, this is interesting:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date:  1/8/2009
Time:  12:56:45 PM
User:  NT AUTHORITY\SYSTEM
Computer: ISIS
Description:
Logon Failure:
  Reason:  An error occurred during logon
  User Name: administrator
  Domain:  isis
  Logon Type: 3
  Logon Process: ÈùÈ
  Authentication Package: NTLM
  Workstation Name: ISIS
  Status code: 0xC000006D
  Substatus code: 0x0
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 127.0.0.1
  Source Port: 4869

Well, no, it isn't that interesting, but the error code led me to this explanation:

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

As it turns out, Windows Server 2003 Service Pack 1 (SP1) has a loopback check security feature.  Since I was browsing locally and using host headers to access my websites, Windows was refusing to validate the request  (or something like that).

After following the instructions for the workaround, VS debugging works fine now.  I felt I needed to connect the dots here because my initial searches didn't turn up this solution.

*This had been a problem prior to intalling VS 2008, but I was able to work around it by enabling anonymous access to the websites.