Fix 401.1 Error when browsing a website using integrated authentication directly from the server

Tray896, Systems Engineer, Certified Expert
Today I came across an interesting issue that had me pulling my hair out. I was troubleshooting a new internal web site which uses integrated Windows authentication instead of anonymous access. When browsing the site from my laptop, I was able to access it with no issues. But if I tried to hit it from a browser on the server itself, or browsed it directly from IIS, I encountered a login prompt that I couldn't get past. Even with my domain admin credentials I could not get past the prompt, and after three attempts I was met with a 401.1, which IIS told me was due to invalid credentials. But if my credentials were really invalid, why would the same credentials work just fine from my laptop?

[Screenshot: login prompt and 401.1 error page]

After looking in the event logs, I found multiple entries for event ID 537 (logon failure) in the Security log. Notice the odd, non-printing characters listed for the Logon Process.

[Screenshot: event ID 537 entry in the Security log]

After quite a bit of digging through Google I finally came across this Microsoft article ( http://support.microsoft.com/kb/896861 ), which explains that this behavior is actually caused by a security feature introduced with SP1 for Windows Server 2003. The cause of the errors is a loopback security check that was added to prevent reflection attacks. With this loopback check in place, you will be unable to authenticate to any site using Windows authentication locally from the server, regardless of how valid your credentials are.

Moving forward you have a couple of different options. You could perform all testing from somewhere other than the server, so that you never run into this issue. Personally, I like to be able to test my web sites directly from the server for various reasons which make the troubleshooting process a little easier in my opinion (detailed error messages, debugging, etc). In our environment, we never use Windows Authentication anywhere but our internal network, which is well protected from outside users attempting to perform malicious attacks. Therefore I decided to just disable this security feature on the particular server I was troubleshooting. To do that, make the following changes to the registry and reboot the server to put them into effect.

   1. Click Start, click Run, type regedit, and then click OK.
   2. In Registry Editor, locate and then click the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   3. Right-click Lsa, point to New, and then click DWORD Value.
   4. Type DisableLoopbackCheck, and then press ENTER.
   5. Right-click DisableLoopbackCheck, and then click Modify.
   6. In the Value data box, type 1, and then click OK.
   7. Quit Registry Editor, and then restart your computer.
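As an added example (not part of the original article), the same registry change as a PowerShell script run from an elevated prompt on the server. It also offers the narrower BackConnectionHostNames exemption that the cited KB 896861 documents as its first method, which lets only the named host names bypass the loopback check instead of turning it off for the whole server; the host name in the script is a placeholder.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the server; a reboot is still required for the change to apply.
# Mode 'Disable' reproduces the article's change (DisableLoopbackCheck = 1),
# which switches the loopback check off for every host name on the machine.
# Mode 'Scoped' uses the BackConnectionHostNames list from KB 896861 so that
# only the listed sites are exempted and the check stays on for everything else.
param(
    [ValidateSet('Disable', 'Scoped')]
    [string]$Mode = 'Scoped',
    [string[]]$HostNames = @('intranet.example.local')   # placeholder host name
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Report the current state before changing anything.
$current = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($null -eq $current) {
    'DisableLoopbackCheck is not set (loopback check enabled).'
} else {
    'DisableLoopbackCheck currently: {0}' -f $current.DisableLoopbackCheck
}

switch ($Mode) {
    'Disable' {
        # Global off switch, exactly as in the article; creates the DWORD if missing.
        New-ItemProperty -Path $lsa -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
        'Loopback check disabled for all host names.'
    }
    'Scoped' {
        # REG_MULTI_SZ list of host names allowed to authenticate locally.
        if (-not (Test-Path $msv10)) { New-Item -Path $msv10 | Out-Null }
        $existing = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
        $merged = @($existing) + $HostNames | Where-Object { $_ } | Sort-Object -Unique
        New-ItemProperty -Path $msv10 -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null
        'Loopback check bypassed only for: ' + ($merged -join ', ')
    }
}
'Restart the server for the change to take effect.'
```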

That's all there is to it.  You'll now be able to browse sites using integrated security directly from the server any time you need to.

Comments (5)

I encounter a similar dialogue when trying to upload a file from my work computer, such as when loading an attachment in Gmail. It occurs in Firefox but not IE. I wonder if it's related...

Anyhow, good article. I'm sure it'll come in handy for someone. You obviously care enough about your spelling and grammar to write it in a word editor before pasting it here, so that's good, but you might want to fix the encoding errors producing those weird symbols in your article everywhere an apostrophe should be. (P1 - "Couldn't", P3 - "You'll", P5 - "That's" and "You'll")

Cheers,

Alain
Tray896 (Author) commented:
Thanks alain, I hadn't even noticed those.  I've resubmitted and corrected the special characters.

Commented:
Tray,

Were you browsing via the localhost?

Does a direct IP work?

Often on a webserver there will be restrictions for localhost. If you set up an additional host header with the specific IP of the machine and port and browse via that, you can often overcome these restrictions. I always prefer this to localhost access.

I haven't checked for this case but it is likely to work.

hth
Tray896 (Author) commented:
Hey Rovastar.  This issue will happen locally on the server whether you use localhost or the actual registered domain name.  You can read more about it here: http://support.microsoft.com/kb/896861

Commented:
Brilliant - I have been struggling with this annoyance for months and stumbled across your fix while looking for something else. It's hard to believe that a "by design" MS change results in non-printing characters being displayed in the security log, though, isn't it!
