HTTP 401.1 - Unauthorized: Logon Failed

When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:

HTTP 401.1 - Unauthorized: Logon Failed
This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.

Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

Note Sometimes, the strange characters that appear in this event message may resemble the following characters:
Ðù²
You may also receive an error message that resembles the following when you try to debug a Microsoft ASP.NET project in Microsoft Visual Studio 2003:
Error while trying to run project: Unable to start debugging on the web server. You do not have permissions to debug the server.

Verify that you are a member of the 'Debugger Users' group on the server.
Note The word "Web" is incorrectly capitalized in this error message.

Calls that are made from a Web service do not result in an HTTP 401 message in the IIS logs. An HTTP 401 message may be noted in the Description section of an Error event for an application that uses a Web service. For example, this behavior may occur for Microsoft Commerce Server 2002. If this behavior occurs, it is a symptom of a change that is made by Microsoft Windows Server 2003 Service Pack 1 (SP1) and the loopback check security feature.

Cause :

This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name. 

Workaround :

 Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

There are two methods to work around this issue, use one of the following methods, as appropriate for your situation.

Method 1: Specify host names (Preferred method if NTLM authentication is desired)

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
  1. Set the
    DisableStrictNameChecking
    registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
    281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
  2. Click Start, click Run, type regedit, and then click OK.
  3. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  4. Right-click MSV1_0, point to New, and then click Multi-String Value.
  5. Type BackConnectionHostNames, and then press ENTER.
  6. Right-click BackConnectionHostNames, and then click Modify.
  7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  8. Quit Registry Editor, and then restart the IISAdmin service.

Method 2: Disable the loopback check (less-recommended method)

The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key.

To set the DisableLoopbackCheck registry key, follow these steps:
  1. Set the
    DisableStrictNameChecking
    registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
    281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
  2. Click Start, click Run, type regedit, and then click OK.
  3. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  4. Right-click Lsa, point to New, and then click DWORD Value.
  5. Type DisableLoopbackCheck, and then press ENTER.
  6. Right-click DisableLoopbackCheck, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Quit Registry Editor, and then restart your computer.
Location: India

Comments

Post a Comment

Popular posts from this blog

"There's a configuration problem preventing us from getting your document. If possible, try opening this document in Microsoft Word." Office WebApp Error

Problem: When Opening a word document I get the following error when Office Web Apps tries to render the document " There's a configuration problem preventing us from getting your document. If possible, try opening this document in Microsoft Word. " Initial Hypothesis: Check the ULS logs on the Web Front End (SharePoint Server) as this doesn't tell me much.  I found the following issue in my UL S: WOPI (CheckFile) - Invalid Proof Signature for file SandPit Environment Setup.docx url: http://web-sp2013-uat.demo.dev/Docs/_vti_bin/wopi.ashx/files/6d0f38c0d5554c87a655558da9cedcad?access_token... Resolution: Run the following PS> Update-SPWOPIProofKey -ServerName "wca-uat.demo.dev" More Info: http://technet.microsoft.com/en-us/library/jj219460.aspx
Continue Read

"Sorry, Word Web App can't open this ... document because the service is busy." Office WebApp

Problem: Intermitten requests are not returning the pdf/word documents.  Most requests are working and occasionally 1 request doesn't work.  Every 4th request tries to get the pdf to display on Office Web Apps for a few minutes without any error message and then stops trying and displays the message "Sorry, Word Web App can't open this ... document because the service is busy." Initial Hypothesis: Originally I thought it was only happening to pdfs but it is happening to word and pdf documents (I don't have excel docs in my system).  My monitoring software SolarWinds is badly configured on my OWA servers as the monitor is showing green, drining into the servers monitoring the 2 application monitors are failing.  The server should go amber if either of the 2 applications fail and in turn red after 5 minutes.  At this point I notice that I can't log onto my 4 OWA/WCA server.  Web request are not being returned.  I look at my KEMP load balancer and it says al
Continue Read

Unable to create a "Send to Connection"- verification failed -url is a not a valid routing destination

ISSUE : Unable to successfully create a send to connection. When creating the Send to connection from Sharepoint 2010 Central Administration and click on Test URL for the Destination URL , we get the following error "verification failed -url is a not a valid routing destination" we see the following entry in the ULS logs Url validation failed for http://gmallya.test.com/sites/testrecordcenter/_vti_bin/OfficialFile.asmx   during Record and document center connection configuration with exception The request failed with HTTP status 401: Unauthorized .:  at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)     at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)     at Microsoft.SharePoint.OfficialFileSoap.GetServerInfo()     at Microsoft.SharePoint.ApplicationPages.OfficialFileAdminPage.<>c__DisplayClass2.&l
Continue Read