Article ID: 896861 - View products that this article applies to.
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:
This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.
HTTP 401.1 - Unauthorized: Logon Failed
Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:
Event Type: Failure Audit
Ðù²You may also receive an error message that resembles the following when you try to debug a Microsoft ASP.NET project in Microsoft Visual Studio 2003:
Note The word "Web" is incorrectly capitalized in this error message.
Error while trying to run project: Unable to start debugging on the web server. You do not have permissions to debug the server.
Verify that you are a member of the 'Debugger Users' group on the server.
Calls that are made from a Web service do not result in an HTTP 401 message in the IIS logs. An HTTP 401 message may be noted in the Description section of an Error event for an application that uses a Web service. For example, this behavior may occur for Microsoft Commerce Server 2002. If this behavior occurs, it is a symptom of a change that is made by Microsoft Windows Server 2003 Service Pack 1 (SP1) and the loopback check security feature.
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
There are two methods to work around this issue, use one of the following methods, as appropriate for your situation.
Method 1: Specify host names (Preferred method if NTLM authentication is desired)To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
Method 2: Disable the loopback check (less-recommended method)The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key.
To set the DisableLoopbackCheck registry key, follow these steps:
After you install security update 957097, applications such as Microsoft SQL Server or IIS may fail when they make local NTLM authentication requests. For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
957097For more information about how to resolve this issue, see the "Known issues with this security update" section of security update 957097.
(http://support.microsoft.com/kb/957097/ )MS08-068: Vulnerability in SMB could allow remote code execution
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/926642/ )Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"
(http://support.microsoft.com/kb/917664/ )Error message when you try to install Microsoft Operations Manager 2005 Reporting: "Error code: -2147467259 (Unspecified error)"
Article ID: 896861 - Last Review: April 26, 2010 - Revision: 12.0