Mapping host headers causes looping Windows Authentication

Windows Server 2003 SP1 and Windows XP SP2 added a new security feature, the loopback check, which helps mitigate reflection attacks. If you configure an IIS site to use a host header and configure that site to use Windows Integrated Authentication, you may have experienced problems logging in to the site.

The symptoms can include:

  • IIS prompting for credentials even though you are logged into the domain and have configured IE to pass credentials automatically
  • Not being able to log into the site no matter what username/password you use
  • Getting HTTP 404.1 when trying to access the site
  • Authentication events in the security event log like Event ID 537 : An error occurred during logon

A detailed description of the issue can be found at: http://support.microsoft.com/?kbid=896861

To resolve the issue you can either turn off the loopback check on the entire server or specify which host headers map back to the local loopback address. (I have found that only the disabling solved my issues.)

Method 1: Disable Loopback Checking

  • Open regedit
  • Find HKLM\System\CurrentControlSet\Control\Lsa
  • Create a new DWORD value called DisableLoopbackCheck and give it a value of 1
  • Restart the computer

Method 2: Specify Host Names

  • Open regedit
  • Find HKLM\system\CurrentControlSet\Control\Lsa\MSV1_0
  • Create a new multi-string value called BackConnectionHostNames
  • Add the host headers to this value that map back to the local loopback
  • Restart your computer
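
Method 2 scripted in PowerShell, as an added example that is not part of the original post. It merges new names into any existing BackConnectionHostNames value rather than overwriting it, and reports whether the server-wide DisableLoopbackCheck switch from Method 1 is set. The host names are placeholders (assumptions); run it from an elevated prompt on the IIS server.

```powershell
# Added example: Method 2 (BackConnectionHostNames) plus an audit of Method 1.
# Assumption: placeholder host headers; replace with the ones bound to your site.
$hostHeaders = @('intranet.example.local', 'app.example.local')

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = Join-Path $lsaKey 'MSV1_0'

# Read any names already listed so existing entries are preserved.
$existing = @()
$current = Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames `
    -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.BackConnectionHostNames) }

# Merge, drop blank entries, and de-duplicate (Sort-Object -Unique is
# case-insensitive by default, which matches how host names compare).
$merged = @(($existing + $hostHeaders) |
    Where-Object { $_ -and $_.Trim() } |
    ForEach-Object { $_.Trim() } |
    Sort-Object -Unique)

# -Force overwrites the value if it exists and creates it otherwise.
# MultiString corresponds to the multi-string (REG_MULTI_SZ) type.
New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $merged -Force | Out-Null

# Audit: report whether the server-wide switch from Method 1 is set.
$lsa = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck `
    -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: the loopback check is off for every host name on this server.'
} else {
    Write-Output 'DisableLoopbackCheck is not set; the loopback check is still enforced.'
}

Write-Output "BackConnectionHostNames now contains: $($merged -join ', ')"
Write-Output 'Restart the computer for the change to take effect.'
```

Listing only the names you need keeps the loopback check active for every other host name, whereas Method 1 turns it off for the whole server.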