- The user receives an "Access denied" error message when the user tries to access a Web page that retrieves data from a back-end database.
- The user cannot connect to another database server that is located in a Network Load Balancing (NLB) cluster. Queries to the database server fail.
Important By default, loopback check functionality is turned on in Windows Server 2003 SP1, and the DisableLoopbackCheck registry entry is set to 0 (zero). The security is reduced when you disable the authentication loopback check, and you open the Windows Server 2003 server for man-in-the-middle (MITM) attacks on NTLM. To avoid MITM attacks, the value of registry entry should be returned to zero (0) after the SPN changes are made. Also, method 1 is the preferred solution.
Method 1: Create the Local Security Authority host names that can be referenced in an NTLM authentication request (preferred)
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Right-click MSV1_0, point to
New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click
- Exit Registry Editor, and then restart the server for this change to take effect.
Method 2: Disable the authentication loopback check and register the SPN with the account that the service runs underTo resolve this issue, disable the authentication loopback check, and then register the SPN with the account that the service runs under. To do this, set the DisableLoopbackCheck entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1, and then determine the name of the SPN.
Step 1: To set the DisableLoopbackCheck registry entry to 1
- Click Start, click Run, type regedit, and then click
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click DisableLoopbackCheck, and then click Modify.
- Type 1 in the Value data box, and then click OK.
Step 2: To determine the name of the SPN
- Add the following registry entries, and then set each registry entry to the appropriate value as follows:
- Locate and then click the registry subkey where you want to add the registry entry.
- On the Edit menu, point to
New, and then click DWORD Value.
- Type the name of the registry entry that you want to add, and then press ENTER.
- Right-click the registry entry that you added in step 2c, and then click Modify.
- Type the appropriate value for that registry entry, and then click OK.
- Repeat step 2a through 2e for each registry entry that you want to add.
- Quit Registry Editor.
- Restart the computer, and then reproduce the issue. After you do this, an event ID error message that is similar to the following is logged in the System log: Type: ErrorDetermine the SPN from the event ID error message. In this example, the SPN is MSSQLSvc/DomainName.com:1433.
Event ID: 3
Description: A Kerberos Error Message was received:
on logon session
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Server Realm: DomainName.com
Server Name: MSSQLSvc/DomainName.com:1433
Target Name: MSSQLSvc/ServerName.DomainName:1433@DomainName.com
Error Data is in record data.
Step 3: Use the Setspn.exe command-line tool to register the SPN to the appropriate service accountIn IIS 6.0, the service account is typically the account that the WWW service runs under or the account that the application pool uses. In Microsoft SQL Server 2000, the service account is the account that SQL Server 2000 runs under. Use the following syntax to add a new SPN:
The following is an example of how to use the Setspn.exe command-line tool to add an SPN:
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
After you install security update 957097, applications such as SQL Server or Internet Information Services (IIS) may fail when making local NTLM authentication requests.
For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base: