
HTTP 401.1 workaround on IIS 5.1 (or later) when using Integrated Authentication

So! You've set out to dabble in SharePoint Dark Arts, eh!? And You've managed to get it up and running on Your own? Hats off to You, Sir! But then You've set up Your first Site Collection and all hell broke loose because You simply can't access the darn thing! You get a “HTTP 401.1 - Unauthorized: Logon Failed” and You're just about to give up and Google all over the place or scour TechNet like there's no tomorrow? Hold yer horses amigo - we've gots just the solution You've been diggin' fer!

The solution is simple and elegant because it's not much more than a security measure used by Microsoft since the early days of IIS 5.1 and onwards.

Now then THE EXPLANATION:

When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:

HTTP 401.1 - Unauthorized: Logon Failed

NOTE: You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.

THE CAUSE:

This is caused by the loopback check, a security feature that is designed to help prevent reflection attacks on your computer. Because of it, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

And (of course) THE (RE)SOLUTION:

You have two options, both of which require some fiddling in the Registry. They are:

OPTION A:

Specify host names (preferred when using NTLM Authentication)

Create the BackConnectionHostNames Multi-String Value with all the host names You wish to exempt typed into the Value data box, like below:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
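; REG_MULTI_SZ, UTF-16LE: example.com, example2.com, example3.com (one per row below)
"BackConnectionHostNames"=hex(7):65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,63,00,6f,00,6d,00,00,00,\
  65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,32,00,2e,00,63,00,6f,00,6d,00,00,00,\
  65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,33,00,2e,00,63,00,6f,00,6d,00,00,00,\
  00,00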

OPTION B:

You can just completely disable this function, but if You're doing this on a WWW server and You ain't in a DMZ with the machine - don't come back here and moan about being hacked or whateversometinhglikethat ;))

Create the following DWORD in the Registry and set its Value to 1, like down under:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001

And there You have it. It's an old trick but lots of folks just seem to forget about it or haven't yet been inducted into the IIS world properly. Anyhow - no biggie, eh? ;)
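
Option A done from PowerShell instead of a .reg file, as an added example that is not part of the original page: it reports whether Option B's DisableLoopbackCheck is set and merges host names into BackConnectionHostNames as a real multi-string value. The parameter names (`-HostNames`, `-ReEnableCheck`) and the example.com host names are placeholders chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Parameter names and host names are placeholders.
param(
    [string[]]$HostNames = @('example.com', 'example2.com', 'example3.com'),
    [switch]$ReEnableCheck   # hypothetical switch: undo Option B once Option A is in place
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = "$lsa\MSV1_0"

# Option B state: 1 means the loopback check is off for every host name on this machine.
$flag = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($flag -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is disabled globally.'
    if ($ReEnableCheck) {
        Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck
        Write-Output 'Removed DisableLoopbackCheck; only listed host names are exempt now.'
    }
}

# Option A state: a missing value is treated as an empty list.
$current = @((Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames |
    Where-Object { $_ })

# Add only names that are not listed yet (-notcontains compares case-insensitively).
$toAdd = @($HostNames | Where-Object { $_ -and ($current -notcontains $_) })
if ($toAdd.Count -gt 0) {
    # -PropertyType MultiString writes REG_MULTI_SZ; -Force replaces an existing value.
    New-ItemProperty -Path $msv10 -Name BackConnectionHostNames -PropertyType MultiString `
        -Value ([string[]]($current + $toAdd)) -Force | Out-Null
}

# Show the resulting exemption list, one host name per line.
(Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames).BackConnectionHostNames
```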

  • Last modified: 2019/10/31 09:14
  • by 127.0.0.1