When using Windows 2003 with integrated security and IIS 6 we receive a 401.1 error

Issue

When using Windows 2003 with integrated security and IIS 6 we receive a 401.1 error.

Background

With Windows 2003 SP1 Microsoft introduced a loopback security feature that is designed to prevent reflection attacks. This will cause the authentication to fail if the FQDN (Fully Qualified Domain Name) or the custom host header that you use does not match the local computer name.

Solution

See the following Microsoft article for complete information: http://support.microsoft.com/kb/896861

Method 1: Specify host names (Preferred method if NTLM authentication is desired)

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

  1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, see the Microsoft Knowledge Base article Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name.
  2. Click **Start**, click **Run**, type **regedit**, and then click **OK**.
  3. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  4. Right-click **MSV1\_0**, point to **New**, and then click **Multi-String Value**. Type **BackConnectionHostNames** as the name of the new value, and then press ENTER.
  5. Right-click **BackConnectionHostNames**, and then click **Modify**.
  6. In the **Value data** box, type the host name or the host names for the sites that are on the local computer, and then click **OK**.

Method 2: Disable the loopback check (less-recommended method)

The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key.

To set the DisableLoopbackCheck registry key, follow these steps:

  1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, see the Microsoft Knowledge Base article Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name.
  2. Click **Start**, click **Run**, type **regedit**, and then click **OK**.
  3. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  4. Right-click **Lsa**, point to **New**, and then click **DWORD Value**.
  5. Type **DisableLoopbackCheck**, and then press ENTER.
  6. Right-click **DisableLoopbackCheck**, and then click **Modify**.
  7. In the **Value data** box, type **1**, and then click **OK**.
  8. Quit Registry Editor, and then restart your computer.
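
Method 1 scripted in PowerShell, with a check for the Method 2 setting. This is an added example and is not part of the Microsoft article or of this page's original steps. The host names are constructed placeholders, the helper `Get-RegValue` is hypothetical, and step 1 (DisableStrictNameChecking) is not covered.

```powershell
# Added example. Run from an administrator PowerShell session on the IIS server.
# The default host names are constructed samples; pass the host headers / FQDNs of your own sites.
param(
    [string[]]$HostNames = @('intranet.example.com', 'app01.example.com')
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: return the value data, or $null if the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

# Method 2 check: report whether the loopback check has been disabled for the whole machine.
if ((Get-RegValue $lsa 'DisableLoopbackCheck') -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: the loopback check is off for every host name (Method 2).'
} else {
    Write-Output 'DisableLoopbackCheck is not set to 1: the loopback check is active.'
}

# Method 1: merge the requested names into BackConnectionHostNames (REG_MULTI_SZ).
# Names already present are kept; blanks and case-insensitive duplicates are dropped.
$current = Get-RegValue $msv10 'BackConnectionHostNames'
$merged  = @(@($current) + @($HostNames) |
    ForEach-Object { "$_".Trim().ToLower() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

if ($merged.Count -eq 0) {
    Write-Warning 'No host names supplied and none present; nothing written.'
} else {
    # -Force creates the value if it is missing and overwrites it if it exists.
    New-ItemProperty -Path $msv10 -Name 'BackConnectionHostNames' `
        -PropertyType MultiString -Value $merged -Force | Out-Null

    Write-Output 'BackConnectionHostNames now contains:'
    Get-RegValue $msv10 'BackConnectionHostNames' | ForEach-Object { "  $_" }
}
```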