Wednesday, February 18, 2009

401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

This is a problem that also happens when you programmatically try to manipulate data using web services, such as PSI. The error isn't always apparent right away, or even with minimal usage of the system. But if your farm gets hammered, it'll show up pretty quickly. This will also cause things like Profile Synchronization, Indexing and Crawling to fail.

You may see errors like these:
  • HTTP 401.1 - Unauthorized: Logon Failed
  • Event id 2436: Access is denied. Check that the Default Content Access Account has access to this content, or add a crawl rule to crawl this content. (0x80041205)
  • Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has "Full Read" permissions on the SharePoint Web Application being crawled. (The item was deleted because it was either not found or the crawler was denied access to it.)
  • Error while trying to run project: Unable to start debugging on the web server. You do not have permissions to debug the server. Verify that you are a member of the 'Debugger Users' group on the server.

This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

The workaround for this issue is to disable the loopback check or specify the host names. The following describes how each is accomplished, keeping in mind that Method 1 seems to be the best method with the best results:

Method 1: Disable the loopback check

Follow these steps:

  • Click Start, click Run, type regedit, and then click OK.
  • In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  • Right-click Lsa, point to New, and then click DWORD Value
  • Type DisableLoopbackCheck, and then press ENTER
  • Right-click DisableLoopbackCheck, and then click Modify
  • In the Value data box, type 1, and then click OK
  • Quit Registry Editor, and then restart your computer

Method 2: Specify host names

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

  • Click Start, click Run, type regedit, and then click OK.
  • In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  • Right-click MSV1_0, point to New, and then click Multi-String Value
  • Type BackConnectionHostNames, and then press ENTER
  • Right-click BackConnectionHostNames, and then click Modify
  • In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK
  • Quit Registry Editor, and then restart the IISAdmin service
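
The Method 2 registry steps, scripted in PowerShell, with a read-only check of both settings first so you can see which workaround a server already has. This is an added example, not part of the original post: the function names are hypothetical, the host names are constructed placeholders, and it must run in an elevated session. Method 2 leaves the loopback check itself enabled.

```powershell
# Added example: audit the loopback-check settings, then apply Method 2.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = Join-Path $lsaKey 'MSV1_0'

# Read-only: report whether Method 1 is in effect and which host names
# Method 2 currently allows. Missing values are treated as "not set".
function Get-LoopbackCheckState {
    $lsa  = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue
    $msv1 = Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LoopbackCheckDisabled   = ($null -ne $lsa -and $lsa.DisableLoopbackCheck -eq 1)
        BackConnectionHostNames = @($msv1.BackConnectionHostNames | Where-Object { $_ })
    }
}

# Method 2: merge new host names into the Multi-String value without
# dropping entries that are already there (compared case-insensitively).
function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)

    $current = (Get-LoopbackCheckState).BackConnectionHostNames
    $merged  = @($current + $HostName | Sort-Object -Unique)

    # -Force overwrites the value if it exists and creates it if it does not.
    New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

# State before the change.
Get-LoopbackCheckState | Format-List

# Constructed placeholder host names: replace with the FQDNs or host
# headers of the sites hosted on this computer.
Add-BackConnectionHostName -HostName 'intranet.example.test', 'portal.example.test'

# Last step of Method 2: restart the IISAdmin service.
Restart-Service -Name IISADMIN -Force

# State after the change.
Get-LoopbackCheckState | Format-List
```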

More information can be found here: http://support.microsoft.com/kb/896861
