Microsoft KB Archive/914060

From BetaArchive Wiki

Article ID: 914060

Article Last Modified on 10/11/2007


APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003 SP1


Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SYMPTOMS

If the following conditions are true, you may receive a logon window that prompts you for credentials:

  • You try to browse the virtual Network Load Balancing (NLB) cluster name.
  • You use a server that is a member of the NLB cluster.
  • The NLB cluster is running Microsoft Windows Server 2003 Service Pack 1 (SP1).

After you type the appropriate credentials, you can view all shares, and you can access all shares. Also, you can browse the virtual NLB cluster name from any other client in the network without a problem.

CAUSE

This problem occurs because Windows Server 2003 SP1 includes a security feature that removes the last available authentication mechanism in NLB Manager. This security feature is an authentication loopback check that helps prevent man-in-the-middle (MITM) attacks on NTLM.

By default, loopback check functionality is turned on in Windows Server 2003 SP1. Also, the value of the DisableLoopbackCheck registry entry is set to 0 (zero).

WORKAROUND

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To work around this problem, set the DisableStrictNameChecking registry entry to 1. Then, use one of the following methods, as appropriate.

For more information about how to modify the "DisableStrictNameChecking" registry entry, click the following article number to view the article in the Microsoft Knowledge Base:

281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name


Method 1: Create the Local Security Authority host names that can be referenced in an NTLM authentication request

Re-enable the behavior that exists in Windows Server 2003 by setting the DisableLoopbackCheck' registry entry in the following registry subkey to 1:'

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa


To do this, follow these steps on all NLB Nodes:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host name that is used for the NLB cluster, and then click OK.
  7. Close Registry Editor, and then restart the computer.

Method 2: Disable the authentication loopback check

To do this, follow these steps for all the nodes:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Right-click Lsa, point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Close Registry Editor, and then restart the computer.


REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name


926642 Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbtshoot kbprb KB914060



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/914060&oldid=219352
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki