Integrated Authentication Fails on localhost for IIS6 and IIS5.1


This has been plaguing me for a while, but it never became a showstopper until this past week. I have a site that uses Integrated Windows Authentication, and it works just fine remotely; however, if I try to hit the site locally the login always fails. When I look in the Event Viewer Security logs, they are always clean. (Yes, I have auditing on.) I tried giving everyone full control and that didn't fix it. As a matter of fact, I tried so many different things that I forget what I did try. Finally, I IM'd Scott Forsyth to see if he could give me a hand. He knew immediately what it was and was able to give me a link to fix the problem.

It turns out that the problem was caused by installing SP1 on Server 2003 or SP2 on XP. Those service packs add a loopback check security feature that is designed to help prevent reflection attacks on your computer: NTLM authentication to the local machine is rejected whenever the FQDN or custom host header in the request does not match the local computer name. That is why the site works from a remote client but fails when you browse it from the server itself under its site name. Here is the link to the solution: http://support.microsoft.com/default.aspx?scid=kb;en-us;896861

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Method 1: Disable the loopback check

Follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

Method 2: Specify host names

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
3. Right-click MSV1_0, point to New, and then click Multi-String Value.
4. Type BackConnectionHostNames, and then press ENTER.
5. Right-click BackConnectionHostNames, and then click Modify.
6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
7. Quit Registry Editor, and then restart the IISAdmin service.

If you do Method 1 you do not actually have to reboot your machine; in my experience it takes effect immediately. Method 2 is the narrower change, though: it re-enables loopback NTLM only for the host names you list, whereas Method 1 turns the reflection protection off for every name on the box. Unless it is a throwaway dev machine, prefer Method 2.
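As an added example (not part of the original post or the KB article), here is a PowerShell version of the same two registry changes plus a quick check: it reports whether the machine-wide DisableLoopbackCheck is set, applies the narrower BackConnectionHostNames fix without duplicating entries, restarts IISAdmin as the KB says, and then tries the site from the local box with the current Windows credentials. It assumes an elevated PowerShell 3.0 or later prompt (the same registry values still govern the loopback check on later Windows versions running IIS 7 and up), and the host names and URL at the bottom are made-up placeholders.

```powershell
# Added example: audit and apply the loopback-check settings from KB 896861.
# Not the original post's code; host names and URL below are assumptions.

$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Report both values so a reviewer can see whether the machine-wide
    # bypass (Method 1) is in place or only the per-host list (Method 2).
    $disable = (Get-ItemProperty -Path $LsaPath -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names   = (Get-ItemProperty -Path $Msv1Path -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        LoopbackCheckDisabled   = ($disable -eq 1)
        BackConnectionHostNames = @($names | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)
    # Merge with whatever is already there so re-running does not add duplicates.
    $existing = @((Get-ItemProperty -Path $Msv1Path -Name BackConnectionHostNames `
                   -ErrorAction SilentlyContinue).BackConnectionHostNames)
    $merged = @($existing + $HostName | Where-Object { $_ } | Sort-Object -Unique)
    if (-not (Test-Path $Msv1Path)) { New-Item -Path $Msv1Path -Force | Out-Null }
    New-ItemProperty -Path $Msv1Path -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    # The KB restarts IISAdmin; on IIS 7+ the service only exists when the
    # IIS 6 metabase compatibility feature is installed, so tolerate its absence.
    Restart-Service IISAdmin -Force -ErrorAction SilentlyContinue
    $merged
}

function Test-LoopbackAuth {
    param([Parameter(Mandatory)][string]$Url)
    # Browse the site from the server itself using the logged-on Windows
    # identity; before the fix this is the request that gets a 401.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        return ($r.StatusCode -eq 200)
    } catch {
        Write-Warning "Request to $Url failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (placeholder names; substitute the host header(s) your site binds to):
Get-LoopbackCheckState
Add-BackConnectionHostName -HostName 'intranet.contoso.local', 'intranet'
Test-LoopbackAuth -Url 'http://intranet.contoso.local/'
```

If Get-LoopbackCheckState reports LoopbackCheckDisabled as true on a production server, that is the machine-wide bypass from Method 1 and is worth replacing with an explicit BackConnectionHostNames list; the names you add should be exactly the host headers or FQDNs you browse with, since the check compares those against the local computer name.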

Many thanks to Scott for showing me the solution to this irritating problem.

Robba