Microsoft KB Archive/896861

= You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6 =

Article ID: 896861

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0, when used with:
 * Microsoft Windows Server 2003 Service Pack 1
 * Microsoft Internet Information Services 5.1, when used with:
 * Microsoft Windows XP Service Pack 2
 * Microsoft Visual Studio .NET 2003 Enterprise Architect
 * Microsoft Visual Studio .NET 2003 Enterprise Developer

-



Notice
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista



SYMPTOMS
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or IIS 6, you may receive an error message that resembles the following:

HTTP 401.1 - Unauthorized: Logon Failed

This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.

Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry: Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 537

Date:

Time:

User: NT AUTHORITY\SYSTEM

Computer:

Description: Logon Failure:

Reason: An error occurred during logon

User Name:

Domain:

Logon Type: 3

Logon Process: Ðùº

Authentication Package: NTLM

Workstation Name:

Status code: 0xC000006D

Substatus code: 0x0

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address:

Source Port:

Note Sometimes, the strange characters that appear in this event message may resemble the following characters:

Ðù²

You may also receive an error message that resembles the following when you try to debug a Microsoft ASP.NET project in Microsoft Visual Studio 2003:

Error while trying to run project: Unable to start debugging on the web server. You do not have permissions to debug the server.

Verify that you are a member of the 'Debugger Users' group on the server.

Note The word &quot;Web&quot; is incorrectly capitalized in this error message.

Calls that are made from a Web service do not result in an HTTP 401 message in the IIS logs. An HTTP 401 message may be noted in the Description section of an Error event for an application that uses a Web service. For example, this behavior may occur for Microsoft Commerce Server 2002. If this behavior occurs, it is a symptom of a change that is made by Microsoft Windows Server 2003 Service Pack 1 (SP1) and the loopback check security feature.



CAUSE
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.



WORKAROUND
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To work around this issue, use one of the following methods.

Method 1: Disable the loopback check
Follow these steps:  Click Start, click Run, type regedit, and then click OK. In Registry Editor, locate and then click the following registry key:

 

 Right-click Lsa, point to New, and then click DWORD Value. Type DisableLoopbackCheck, and then press ENTER. Right-click DisableLoopbackCheck, and then click Modify. In the Value data box, type 1, and then click OK.</li> Quit Registry Editor, and then restart your computer.</li></ol>

Method 2: Specify host names
To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps: <ol> Click Start, click Run, type regedit, and then click OK.</li> In Registry Editor, locate and then click the following registry key:

 

</li> Right-click MSV1_0, point to New, and then click Multi-String Value.</li> Type BackConnectionHostNames, and then press ENTER.</li> Right-click BackConnectionHostNames, and then click Modify.</li> In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.</li> Quit Registry Editor, and then restart the IISAdmin service.</li></ol>

<div class="status_section">

STATUS
This behavior is by design.

<div class="references_section">