Error message when you run the Communications Server 2007 Validation Wizard to validate the Web Components Server: "Received a failure HTTP response.: HTTP Response: 401 Unauthorized"

In the Microsoft Office Communications Server 2007 Microsoft Management Console (MMC) snap-in, you run the Communications Server 2007 Validation Wizard to validate the Web Components Server. When the validation process is complete, you receive error messages that resemble the following error message:Note In this error message, PoolFQDN represents the fully qualified domain name (FQDN) of the enterprise pool.

This behavior occurs if the following conditions are true:

• You have a server that is running Windows Server 2003 Service Pack 1 (SP1).
• On the Validation steps page of the Validation Wizard, you click to select the Validate Local Server Configuration check box and the Validate Connectivity check box.

This behavior occurs because the Validation Wizard uses the FQDN of the Communications Server 2007 enterprise pool to access the Group Expansion virtual server and the Address Book Server (ABS) virtual server.

Note The Group Expansion virtual server and the ABS virtual server are on the Communications Server 2007 server that is hosting the Web Components Server.

Windows Server 2003 SP1 includes a loopback check security feature. This feature prevents reflection attacks on your computer. Therefore, if the FQDN or the custom host header does not match the local computer name, authentication fails.

Note Windows XP Service Pack 2 (SP2) also includes the loopback check security feature.

To work around this behavior, use one of the following methods.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Method 1: Add the host names of the Group Expansion virtual server and of the ABS virtual server to the registry

To do this, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
3. Right-click the MSV1_0 registry subkey, point to New, and then click Multi-String Value.
4. Type BackConnectionHostNames, and then press ENTER.
5. Right-click BackConnectionHostNames, and then click Modify.
6. In the Value data box, type the host names of the Group Expansion virtual server and of the ABS virtual server, and then click OK.
   
   Note Make sure that you type each host name on a separate line.
7. Exit Registry Editor, and then restart the IISAdmin service.

Method 2: Disable the loopback check security feature

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Note If you do not want to disable the loopback check security feature, use Method 1.

To have us disable loopback check security for you, go to the "Fix it for me" section. If you would rather disable loopback check security yourself, go to the "Let me fix it myself" section.

Fix it for me

To disable loopback check security automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.



Note This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Let me fix it myself

To fix this problem yourself, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click the Lsa registry subkey, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor, and then restart the computer.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

After you install security update 957097, applications such as SQL Server or Internet Information Services (IIS) may fail when making local NTLM authentication requests. For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
See the "Known issues with this security update" section of Microsoft Knowledge Base article 957097 for details about how to resolve the issue.

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

The error messages that are mentioned in the "Symptoms" section indicate that the Validation Wizard cannot validate the Group Expansion virtual server and the ABS virtual server. However, when this behavior occurs, you can successfully access the Group Expansion virtual server and the ABS virtual server.

To access the Group Expansion virtual server, enter the following URL in the address bar of a local Web browser on the Communications Server 2007 server:To access the ABS virtual server, enter the following URL in the address bar of a local Web browser on the Communications Server 2007 server: For more information about error 401.1, click the following article number to view the article in the Microsoft Knowledge Base: