Wednesday, March 18, 2009

401.1 Errors with Reporting Services and CNAMEs in Windows 2003 SP1

The first part of this is a republish from an earlier 401.1 post, but it also relates to Reporting Services with CNAMEs. So, rather than a lot of jumping around, I’ve decided to just post the duplicate to make this resolution easier. Keep in mind that I’ve added the step to reboot the server after each step. If you are doing all three, wait until the end to reboot and minimize your downtime.

The first error is the 401.1 you get when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6. This pertains to Microsoft Windows Server 2003 Service Pack 1 (SP1), which included a loopback check security feature designed to help prevent reflection attacks on your computer. Because of that check, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

Resolution: Disable the loopback check
Follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

The next problem occurs when a client computer connects to a Microsoft Windows Server 2003-based computer by using an alias name. The client may receive additional 401.1 errors or something like:

System error 52 has occurred.
A duplicate name exists on the network.

This problem can occur when you try to connect to the server by using a CNAME alias that is created in the DNS zone. The server is not "listening" on the alias, and therefore is not accepting connections to that name.

Resolution: Disable strict name checking
Follow these steps:
1. Start Registry Editor (Regedt32.exe).
2. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
3. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: DisableStrictNameChecking
   Data type: REG_DWORD
   Radix: Decimal
   Value: 1
4. Quit Registry Editor.
5. Restart your computer.

For Reporting Services using a CNAME, you also need to do these last steps:

Edit the RSWebApplication.config file to update the report server URL that Report Manager uses to connect to the report server:

Delete the default entry in ReportServerVirtualDirectory
Type the new URL using host headers in ReportServerURL
The configuration should look like this:


Edit the reportserver.config file to update the report server URL that Report Server uses to connect:
Replace the URLRoot tag with the CNAME
The configuration should look like this:



  1. Alternatively, if you do not want to disable the Loopback security check, you can add the following key under LSA:

    BackConnectionHostNames (REG_MULTI_SZ) and add each website you want to be able to access there, one on each line.


    etc etc
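
The per-host-name alternative mentioned above, as an added PowerShell example that is not part of the original post: it lists the server's aliases in BackConnectionHostNames and removes the global DisableLoopbackCheck override, so the loopback check stays active for every other name. The host names are constructed placeholders and the function names are hypothetical; the value is written to the MSV1_0 subkey of Lsa, which is where Windows reads it.

```powershell
# Added example: run in an elevated PowerShell session on the server.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MsvKey  = "$LsaKey\MSV1_0"
# Constructed placeholders: replace with the CNAME / host headers this server answers to.
$Aliases = @('reports.example.internal', 'reports')

function Get-LoopbackCheckState {
    # Show both settings that influence the loopback check.
    $lsa = Get-ItemProperty -Path $LsaKey
    $msv = Get-ItemProperty -Path $MsvKey
    New-Object PSObject -Property @{
        DisableLoopbackCheck    = $lsa.DisableLoopbackCheck      # 1 = check disabled for every name
        BackConnectionHostNames = $msv.BackConnectionHostNames   # names exempted individually
    }
}

function Add-BackConnectionHostName {
    param([string[]]$HostName)
    # Merge with names that are already listed so existing entries survive.
    $current = @((Get-ItemProperty -Path $MsvKey).BackConnectionHostNames)
    $merged  = @(($current + $HostName) | Where-Object { $_ } | Sort-Object -Unique)
    # -Force overwrites an existing value; MultiString is REG_MULTI_SZ, one name per entry.
    New-ItemProperty -Path $MsvKey -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
}

function Remove-GlobalLoopbackOverride {
    # Deleting DisableLoopbackCheck turns the check back on for all other names.
    if ($null -ne (Get-ItemProperty -Path $LsaKey).DisableLoopbackCheck) {
        Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck
    }
}

Get-LoopbackCheckState                          # state before the change
Add-BackConnectionHostName -HostName $Aliases   # exempt only the listed aliases
Remove-GlobalLoopbackOverride                   # drop the server-wide exemption
Get-LoopbackCheckState                          # state after the change
```

As with the registry steps in the post, restart the server before testing the alias.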