Authentication Issues Accessing Companyweb from the Server Itself after 963027

Dec 4, 2013 (3 years and 8 months ago)


[Today's post comes to us courtesy of Ketan Thakkar, Manish Kapoor, Chris Puckett, and Justin Crosby]

You may experience authentication issues browsing http://companyweb on SBS 2003 and SBS 2008 servers after installing the cumulative security update for Internet Explorer (963027) or Internet Explorer 8.0.

When you try to browse Companyweb you will be prompted for authentication 3 times and eventually receive a blank page or 401.1.

Your IIS logs will show your request failing with 401.1 Unauthorized.

Resolution

Please use one of the following resolutions depending on the version of SBS you are
running.

SBS2003

On an SBS 2003 server this issue can be fixed by applying update KB961143.

Note: You must have .NET Framework 2.0 installed before you apply this update.

SBS2008

The workaround provided in the following blog post for IE 8.0 also applies to IE 7.0 with 963027 installed.

http://blogs.technet.com/sbs/archive/2009/02/24/known-issues-after-installing-ie-8-on-small-business-server-2008-and-the-vista-clients-that-are-joined-to-the-sbs-domain.aspx

Note: This issue will be fixed in an upcoming update rollup for SBS 2008. We will update this post when it is available.

On SBS 2008 you can also implement method #2 from KB963027.


Article ID: 896861 - Last Review: February 27, 2009 - Revision: 7.0

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

SYMPTOMS


When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or IIS 6, you may receive an error message that resembles the following:

HTTP 401.1 - Unauthorized: Logon Failed

This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

Note: You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.

Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

Note: Sometimes, the strange characters that appear in this event message may resemble the following characters:

Ðù²

You may also receive an error message that resembles the following when you try to debug a Microsoft ASP.NET project in Microsoft Visual Studio 2003:

Error while trying to run project: Unable to start debugging on the web server. You do not have permissions to debug the server.

Verify that you are a member of the 'Debugger Users' group on the server.

Note: The word "Web" is incorrectly capitalized in this error message.

Calls that are made from a Web service do not result in an HTTP 401 message in the IIS logs. An HTTP 401 message may be noted in the Description section of an Error event for an application that uses a Web service. For example, this behavior may occur for Microsoft Commerce Server 2002. If this behavior occurs, it is a symptom of a change that is made by Microsoft Windows Server 2003 Service Pack 1 (SP1) and the loopback check security feature.

CAUSE


This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

WORKAROUND


Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To work around this issue, use one of the following methods.

Method 1: Specify host names

Note: We recommend that you use this method.

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. In Registry Editor, locate and then click the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

3. Right-click MSV1_0, point to New, and then click Multi-String Value.

4. Type BackConnectionHostNames, and then press ENTER.

5. Right-click BackConnectionHostNames, and then click Modify.

6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.

7. Quit Registry Editor, and then restart the IISAdmin service.
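
Method 1 as a script, for servers where PowerShell is available. This is an added example, not part of the original article: the default host name companyweb is taken from the post above, and the $HostNames parameter is an assumption to replace with the names your local sites answer to. It keeps any host names already listed and warns if DisableLoopbackCheck (Method 2) is already set.

```powershell
# Added example: Method 1 (BackConnectionHostNames) as an idempotent script.
# Run from an elevated prompt on the server. $HostNames is an assumed parameter.
param(
    [string[]]$HostNames = @('companyweb')
)

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = Join-Path $lsa 'MSV1_0'
$name = 'BackConnectionHostNames'

# Read the existing multi-string value (if any) so current entries are kept.
$current = @()
$prop = Get-ItemProperty -Path $msv -Name $name -ErrorAction SilentlyContinue
if ($prop) { $current = @($prop.$name) }

# Merge old and new names, dropping empty entries and duplicates
# (Sort-Object -Unique compares case-insensitively by default).
$merged = @($current + $HostNames | Where-Object { $_ } | Sort-Object -Unique)

# Create the REG_MULTI_SZ value, or overwrite it with the merged list.
New-ItemProperty -Path $msv -Name $name -PropertyType MultiString `
    -Value $merged -Force | Out-Null

# Report whether Method 2 is in effect. With DisableLoopbackCheck = 1 the
# loopback check is off for every host name, so the list above is moot.
$dlc = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($dlc -and $dlc.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is disabled for all host names.'
}

# Step 7: restart the IISAdmin service. -Force is needed because other
# services depend on it; confirm those dependents are running afterwards.
Restart-Service -Name IISADMIN -Force

# Show the resulting list for the change record.
(Get-ItemProperty -Path $msv -Name $name).$name
```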

Method 2: Disable the loopback check

Follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. In Registry Editor, locate and then click the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Right-click Lsa, point to New, and then click DWORD Value.

4. Type DisableLoopbackCheck, and then press ENTER.

5. Right-click DisableLoopbackCheck, and then click Modify.

6. In the Value data box, type 1, and then click OK.

7. Quit Registry Editor, and then restart your computer.

STATUS


This behavior is by design.

MORE INFORMATION


After you install security update 957097, applications such as Microsoft SQL Server or IIS may fail when they make local NTLM authentication requests.

For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:

957097 MS08-068: Vulnerability in SMB could allow remote code execution

For more information about how to resolve this issue, see the "Known issues with this security update" section of security update 957097.