Article ID: 926642 - View products that this article applies to.
Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.
Consider the following scenario. You install Microsoft Windows Server 2003 Service Pack 1 (SP1) on a Windows Server 2003-based computer. After you do this, you experience authentication issues when you try to access a server locally by using its fully qualified domain name (FQDN) or its CNAME alias in the following Universal Naming Convention (UNC) path:
\\servername\sharenameIn this scenario, you experience one of the following symptoms:
This problem occurs because Windows Server 2003 SP1 includes a new security feature named loopback check functionality. By default, loopback check functionality is turned on in Windows Server 2003 SP1, and the value of the DisableLoopbackCheck registry entry is set to 0 (zero).
Note The loopback check functionality is stored in the following registry subkey:
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
To resolve this problem, set the DisableStrictNameChecking registry entry to 1. This procedure is described in the Knowledge Base article 281308 that is mentioned in the "References" section. Then use either of the following methods, as appropriate for your situation.
Method 1 (recommended): Create the Local Security Authority host names that can be referenced in an NTLM authentication requestTo do this, follow these steps for all the nodes on the client computer:
Method 2: Disable the authentication loopback checkRe-enable the behavior that exists in Windows Server 2003 by setting the DisableLoopbackCheck registry entry in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registrysubkey to 1. To set the DisableLoopbackCheck registry entry to 1, follow these steps on the client computer:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
After you install security update 957097, applications such as SQL Server or Internet Information Services (IIS) may fail when making local NTLM authentication requests. For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
957097See the "Known issues with this security update" section of KB article 957097 for details about how to resolve the issue.
(http://support.microsoft.com/kb/957097/ )MS08-068: Vulnerability in SMB could allow remote code execution
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/281308/ )Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
Article ID: 926642 - Last Review: February 26, 2009 - Revision: 2.2