Microsoft KB Archive/941095

From BetaArchive Wiki

Article ID: 941095

Article Last Modified on 8/29/2007



APPLIES TO

  • Microsoft Office Communications Server 2007 Enterprise Edition, when used with:
    • Microsoft Windows Server 2003 Service Pack 1



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

SYMPTOMS

In the Microsoft Office Communications Server 2007 Microsoft Management Console (MMC) snap-in, you run the Communications Server 2007 Validation Wizard to validate the Web Components Server. When the validation process is complete, you receive error messages that resemble the following error message:

URL: Check https://PoolFQDN/GroupExpansion/Int/Service.asmx
Received a failure HTTP response.: HTTP Response: 401 Unauthorized

Content-Length:1539
Content-Type:text/html
Server:Microsoft-IIS/6.0
WWW-Authenticate:Negotiate,NTLM
X-Powered-By:ASP.NET
Date:Day, DateTime GMT

URL: https://PoolFQDN/Abs/Int/Handler/FileName.lsabs
Received a failure HTTP response.: HTTP Response: 401 Unauthorized

Content-Length:1539
Content-Type:text/html
Server:Microsoft-IIS/6.0
WWW-Authenticate:Negotiate,NTLM
X-Powered-By:ASP.NET
Date:Day, DateTime GMT

Note In this error message, PoolFQDN represents the fully qualified domain name (FQDN) of the enterprise pool.

This behavior occurs if the following conditions are true:

  • You have a server that is running Windows Server 2003 Service Pack 1 (SP1).
  • On the Validation steps page of the Validation Wizard, you click to select the Validate Local Server Configuration check box and the Validate Connectivity check box.


CAUSE

This behavior occurs because the Validation Wizard uses the FQDN of the Communications Server 2007 enterprise pool to access the Group Expansion virtual server and the Address Book Server (ABS) virtual server.

Note The Group Expansion virtual server and the ABS virtual server are on the Communications Server 2007 server that is hosting the Web Components Server.

Windows Server 2003 SP1 includes a loopback check security feature. This feature prevents reflection attacks on your computer. Therefore, if the FQDN or the custom host header does not match the local computer name, authentication fails.

Note Windows XP Service Pack 2 (SP2) also includes the loopback check security feature.

WORKAROUND

To work around this behavior, use one of the following methods.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Method 1: Disable the loopback check security feature

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Note If you do not want to disable the loopback check security feature, use Method 2.

To do this, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Right-click the Lsa registry subkey, point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart the computer.

Method 2: Add the host names of the Group Expansion virtual server and of the ABS virtual server to the registry

To do this, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  3. Right-click the MSV1_0 registry subkey, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host names of the Group Expansion virtual server and of the ABS virtual server, and then click OK.

    Note Make sure that you separate the host names by using a comma (,).
  7. Exit Registry Editor, and then restart the IISAdmin service.
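
Method 2 scripted, as an added example that is not part of the original Microsoft article. It assumes that Windows PowerShell is installed on the server and that the script is run by an administrator; `pool01.contoso.example` is a constructed placeholder host name. The script also reports whether the DisableLoopbackCheck value from Method 1 is set, so that the broader setting does not stay in place unnoticed.

```powershell
# Added example: Method 2 applied from PowerShell, plus a check of the Method 1 value.
# $HostNames is a constructed placeholder; replace it with the host names of the
# Group Expansion virtual server and of the ABS virtual server.
$HostNames = @('pool01.contoso.example')

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Report whether the loopback check has been disabled machine-wide (Method 1).
$lsa = Get-ItemProperty -Path $lsaKey
if ($lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for every host name.'
} else {
    Write-Output 'DisableLoopbackCheck is absent or 0: the loopback check is active.'
}

# Read the current BackConnectionHostNames list, if the value already exists.
$msv = Get-ItemProperty -Path $msvKey
$current = @()
if ($msv.BackConnectionHostNames) { $current = @($msv.BackConnectionHostNames) }

# Merge without duplicates (-notcontains compares case-insensitively, like host names).
$merged = @($current)
foreach ($name in $HostNames) {
    if ($merged -notcontains $name) { $merged += $name }
}

if ($merged.Count -eq $current.Count) {
    Write-Output 'BackConnectionHostNames already lists every host name; nothing changed.'
} else {
    # Each array element is stored as one string of the REG_MULTI_SZ value.
    # -Force overwrites the value if it already exists.
    New-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
        -PropertyType MultiString -Value ([string[]]$merged) -Force | Out-Null

    # Step 7 of Method 2: restart the IISAdmin service.
    # -Force is needed when other services depend on IISAdmin.
    Restart-Service -Name IISADMIN -Force
    Write-Output ('BackConnectionHostNames is now: ' + [string]::Join(', ', $merged))
}
```

Running the script a second time changes nothing and does not restart IISAdmin, because the host names are already listed.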


STATUS

This behavior is by design.

MORE INFORMATION

The error messages that are mentioned in the "Symptoms" section indicate that the Validation Wizard cannot validate the Group Expansion virtual server and the ABS virtual server. However, when this behavior occurs, you can successfully access the Group Expansion virtual server and the ABS virtual server.

To access the Group Expansion virtual server, enter the following URL in the address bar of a local Web browser on the Communications Server 2007 server:

To access the ABS virtual server, enter the following URL in the address bar of a local Web browser on the Communications Server 2007 server:

For more information about error 401.1, click the following article number to view the article in the Microsoft Knowledge Base:

896861 You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6


Keywords: kbexpertiseadvanced kbtshoot kbprb KB941095