<

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x

Fix 401.1 Error when browsing a website using integrated authentication directly from the server

Published on
18,378 Points
11,078 Views
3 Endorsements
Last Modified:
Approved
Today I came across an interesting issue that had me pulling my hair out.  I was troubleshooting a new internal web site which uses integrated security instead of anonymous.  When browsing the site from my laptop, I was able to access it with no issues.  But if I tried to hit it within a browser on the server or browsed directly from IIS, I encountered a login prompt that I couldn't get past.  Even with my domain admin credentials I could not get past the login prompt, and after three attempts I was met with a 401.1 which IIS told me was due to invalid credentials.  But if my credentials were really invalid, why would it work just fine from my laptop with those same credentials?

 image-2-603c5207-thumb1.png

 image-4-603c5207-thumb1.png

After looking in the event logs, I found multiple entries for event ID 537 in the security log.  Notice the odd characters listed for the Logon Process.

 image-thumb6.png

After doing quite a bit of digging through Google I finally came across this article ( http://support.microsoft.com/kb/896861 ) which explains that this behavior is actually caused by a security feature that was introduced with SP1 for Windows Server 2003.  The cause of the errors is a loopback security check that was introduced in order to prevent reflection attacks. With this loopback check in place, you will be unable to authenticate to any site using windows authentication locally from the server.

Moving forward you have a couple of different options.  You could perform all testing from somewhere other than the server so that you'll never run into this issue.  Personally, I like to be able to test my web sites directly from the server for various reasons which make the troubleshooting process a little easier in my opinion (detailed error messages, debugging, etc).  In our environment, we never use Windows Authentication anywhere but our internal network which is well protected from outside users attempting to perform malicious attacks.  Therefore I decided to just disable this security feature for the particular server I was troubleshooting this on.  To do that, make the following changes to the registry and reboot the server to put them into effect.

   1. Click Start, click Run, type regedit, and then click OK.
   2. In Registry Editor, locate and then click the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   3. Right-click Lsa, point to New, and then click DWORD Value.
   4. Type DisableLoopbackCheck, and then press ENTER.
   5. Right-click DisableLoopbackCheck, and then click Modify.
   6. In the Value data box, type 1, and then click OK.
   7. Quit Registry Editor, and then restart your computer.

That's all there is to it.  You'll now be able to browse sites using integrated security directly from the server any time you need to.
3
Author:Tray896
5 Comments
LVL 21

Expert Comment

by:alainbryden
I encounter a similar dialogue when trying to upload a file from my work computer, such as when loading an attachment in Gmail. It occurs in Firefox but not IE. I wonder if it's related...

Anyhow, good article. I'm sure it'll come in handy for someone. You obviously care enough about your spelling and grammar to write it in a word editor before pasting it here, so that's good, but you might want to fix the encoding errors producing those weird symbols in your article everywhere an apostrophe should be. (P1 - "Couldn't", P3 - "You'll", P5 - "That's, and You'll)

Cheers,

Alain
0
LVL 15

Author Comment

by:Tray896
Thanks alain, I hadn't even noticed those.  I've resubmitted and corrected the special characters.
0
LVL 17

Expert Comment

by:Rovastar
Tray,

Were you browsing via the localhost?

Does a direct IP work?

Often on a webserver there will be restrictions for localhost. If you setup an additional host header with the specfic IP of the machine and port and browse via that you can often overcome these restrictions. I always perfer this to localhost access.

I haven't check for this case but it is likely to work.

hth
0
LVL 15

Author Comment

by:Tray896
Hey Rovastar.  This issue will happen locally on the server whether you use localhost or the actual registered domain name.  You can read more about it here: http://support.microsoft.com/kb/896861
0
LVL 1

Expert Comment

by:FergusStokes
Brilliant - I have been struggling with this annoyance for months and stumbled across your fix while looking for something else. Its hard to believe that a "by design" MS change results in non printing characters being displayed in the secuity log, though, isnt it!
0

Featured Post

Build an E-Commerce Site with Angular 5

Learn how to build an E-Commerce site with Angular 5, a JavaScript framework used by developers to build web, desktop, and mobile applications.

A query can call a function, and a function can call Excel, even though we are in Access. This is Part 2, and steps you through the VBA that "wraps" Excel functionality so we can use its worksheet functions in Access. The declaration statement de…
Make it easier to see the current record on your Microsoft Access forms! To highlight the current record with a yellow background color, use Conditional Formatting, a control to keep track of the primary key value, a control to change color, and a l…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month