2013-02-07

Windows authentication fails on local site (0xc000006d)

When trying to log in via Windows authentication against a local site, I got a 401.1 Unauthorized error. This was unexpected, since the site was a copy of another local site where the login worked fine, and when I compared the IIS settings of the two they looked identical.
The sweet 401.1 error message
One thing that did differ was that my newly copied site used a FQDN ("mirrorsource") with a corresponding entry in the HOSTS file, whereas the original site's URL was localhost. After some digging I found that this is by design: Windows blocks authentication to the local machine under a name other than its own in order to prevent reflection attacks.
HOSTS
Quoting a Microsoft KB,
"This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name."

The solution is a registry change that exempts the host name from the loopback check:
  1. Using regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  2. Add a new Multi-String Value under MSV1_0 and name it BackConnectionHostNames
  3. Add the host names you wish to use, one per line. In my case, "mirrorsource".
  4. Restart IIS.
The registry entry should look something like this.
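The same change scripted in PowerShell, as an added example that is not part of the original post: it appends the host name to BackConnectionHostNames without clobbering entries that are already there, so it is safe to rerun on servers where the value already exists. The host name "mirrorsource" is taken from the post; the script must be run from an elevated prompt.

```powershell
# Added example (not from the original post): idempotently add a host name to
# BackConnectionHostNames, keeping existing entries, then restart IIS.
# Run from an elevated PowerShell; the key lives under HKLM.
$hostName  = 'mirrorsource'   # host name used in the post; change for your site
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Read whatever is already listed (the value may not exist yet).
$current  = @()
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($existing) { $current = @($existing.$valueName) }

if ($current -contains $hostName) {
    Write-Host "$hostName is already listed in $valueName"
}
else {
    $updated = $current + $hostName
    # REG_MULTI_SZ is -PropertyType/-Type MultiString. Only the named hosts are
    # exempted from the loopback check, unlike setting DisableLoopbackCheck=1,
    # which switches the protection off for every name.
    if ($existing) {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $updated -Type MultiString
    }
    else {
        New-ItemProperty -Path $keyPath -Name $valueName -Value $updated -PropertyType MultiString | Out-Null
    }
    Write-Host "Added $hostName to $valueName"
}

# Print the resulting list so it can be checked against the site's host header.
(Get-ItemProperty -Path $keyPath -Name $valueName).$valueName

# Step 4 of the post: restart IIS so the change takes effect.
iisreset
```

The host name must match the site's host header exactly (no scheme or port), which is the first thing to compare when the 401.1 persists after the change.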

1 comment:

  1. Thank you this helped at one of my customer servers but not at the other customer server. Same problem is there.
