Problem

When running a UWP app (with the Enterprise Authentication capability) that makes an HTTP request to a local IIS website protected by Windows authentication, the app receives a 401 Unauthorized response. If the app is run on a different computer than IIS (either the app is moved to a different computer or a remote Windows authentication-protected URL is requested), the request succeeds.

IIS

I am running Windows 10 Enterprise (Anniversary Edition) joined to an AD domain.

On my local IIS instance, I've enabled Windows authentication and disabled anonymous authentication for the default website. The enabled providers are "Negotiate" and "NTLM".

I've also created a test.aspx page at the root that contains simply:

<%= User.Identity.Name %>

If I visit http://localhost/test.aspx in Edge, Chrome, or IE, I am authenticated correctly and presented with my user name.

UWP

I've created a simple UWP app (targeting build 14393) with the following capabilities:

<Capabilities>
  <Capability Name="internetClient" />
  <Capability Name="privateNetworkClientServer" />
  <uap:Capability Name="enterpriseAuthentication" />
  <uap:Capability Name="userAccountInformation" />
</Capabilities>

The app's code is simply:

public MainPage()
{
    this.InitializeComponent();

    var result = Nito.AsyncEx.AsyncContext.Run(async () =>
    {
        using (var httpClient = new System.Net.Http.HttpClient())
        {
            return await httpClient.GetStringAsync("http://localhost/test.aspx");
        }
    });

    textBlock.Text = result;
}

Result

If the requesting UWP app and IIS are on the same computer, the HTTP request in the UWP app fails with 401 Unauthorized.

The network profiler shows that authentication is attempted (note that the multiple requests are part of the WWW-Authenticate challenge/response scheme):

[Image: network profiler screenshot]

If the requesting app and IIS are on different computers, the request succeeds.

That is, if I change the request URL so that it is my development computer's FQDN (http://localhost/test.aspx becomes http://computername.domain/test.aspx) and run the app on a second computer (in other words, the app on the second computer calls my development computer's IIS), the request succeeds. Alternatively, I can successfully run the UWP on my development computer but call a remote IIS.

A few more details

  • The UWP app's request results in a 200 OK if anonymous authentication is enabled on the localhost IIS.
  • I have "Allow local network loopback" checked in the app's Debug property page, and I've verified that the loopback is enabled with checknetisolation.

1 Answer

UWP can't connect to loopback or localhost.

There is a workaround if you're side loading or in an enterprise environment: https://msdn.microsoft.com/en-us/library/windows/apps/dn640582.aspx
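
The loopback exemption that the question verifies with checknetisolation can be checked and applied per package from PowerShell. This is an added example, not part of the original question or answer; the package name `MyCompany.MyUwpApp` is a placeholder, and the script assumes `CheckNetIsolation.exe LoopbackExempt -s` prints one `Name:` line per exempt AppContainer.

```powershell
# Added example: verify (and, if missing, add) the AppContainer loopback exemption
# for one UWP package on a development machine.
# Assumption: 'MyCompany.MyUwpApp' is a placeholder; use the Name from your Package.appxmanifest.
$packageName = 'MyCompany.MyUwpApp'

$pkg = Get-AppxPackage -Name $packageName
if (-not $pkg) { throw "Package '$packageName' is not installed for the current user." }
$familyName = $pkg.PackageFamilyName

function Test-LoopbackExempt([string]$FamilyName) {
    # Collect the "Name:" value of every exempt AppContainer and compare
    # case-insensitively against the package family name.
    $exempt = CheckNetIsolation.exe LoopbackExempt -s | ForEach-Object {
        if ($_ -match '^\s*Name:\s*(\S+)') { $Matches[1] }
    }
    return $exempt -contains $FamilyName
}

if (Test-LoopbackExempt $familyName) {
    Write-Output "$familyName is already loopback-exempt."
    return
}

# Changing the exemption list requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell prompt to add the exemption."
}

# The argument is quoted so PowerShell expands the variable before passing it on.
CheckNetIsolation.exe LoopbackExempt -a "-n=$familyName" | Out-Null

if (Test-LoopbackExempt $familyName) {
    Write-Output "Added loopback exemption for $familyName."
} else {
    throw "Exemption for $familyName was not applied."
}
```

The exemption lifts network isolation for that one package only and can be removed again with `CheckNetIsolation.exe LoopbackExempt -d "-n=<package family name>"`.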