Authentication Problems by using of NTLM


When configuring NTLM in an enterprise you may get an error message like this one:
"Authentication error HTTP 401" (sometimes 401.1). Depending on the client you use, this error can be shown, for example, in the browser when you try to access a page on a site hosted on your web server. The web site could be SharePoint or some custom web application.
Moreover, this error can also occur when trying to access a web service hosted in IIS.

If you take a look in the Security event log, the following failure audit event can be found:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

If you use the Service Trace Viewer, this error will appear:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

As you can see, the service expects NTLM, the client sends NTLM, and the request is still rejected.

This happens when you try to access a server (web app, web service etc.) locally, that is from the machine that hosts it, by using its fully qualified domain name (FQDN) or its CNAME alias, whether in a URL or in a Universal Naming Convention (UNC) path. When you access the service from some other machine, all should work fine, unless your application in turn invokes some other service which is possibly physically hosted on the same machine.

Calls made from a web service to another service do not, in this case, result in an HTTP 401 message in the IIS logs. An HTTP 401 message may be (but is not always) noted in the Description section of an Error event for an application that uses a web service. In this case the calling service writes the error to its trace file, if tracing is activated at all.

What is the issue?

Windows Server 2003 SP1 introduced a loopback security check. This feature is also present in Windows Server 2008 and in Windows XP SP2. The feature prevents access to a web application by its fully qualified domain name (FQDN) if the attempt to access it is made from the machine that hosts that application.

Unfortunately, error code 401.1 is not helpful here, as this error code suggests there is a problem with the user credentials.

Fix

Method 1: Specify host names
Note: We recommend that you use this method.
To specify the host names that are mapped to the loopback address and are allowed to connect to web sites on your computer, follow these steps:

In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

Examples of host names to enter: www.daenet.eu, currencyserver.de

Method 2: Disable the loopback check
Follow these steps:

In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Create the value DisableLoopbackCheck, enter 1 in the Value data box, and then click OK.

Do not forget to restart the machine!
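The following PowerShell script is an added example and is not part of the original post. It diagnoses whether the loopback check will reject an NTLM logon to a given host name from the local machine, and applies either of the two fixes above. The registry keys are the ones named in the post; the multi-string value name BackConnectionHostNames under the MSV1_0 key is taken from KB 896861 (linked below), and the function names are this example's own.

```powershell
# Added example, not code from the original post.
# Run in an elevated PowerShell session on the IIS host.
# Registry paths are those given in the post; the value name
# BackConnectionHostNames is documented in KB 896861.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-BackConnectionHostNames {
    # Host names already exempted from the loopback check (empty array if none).
    $item = Get-ItemProperty -Path $Msv10Key -Name 'BackConnectionHostNames' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.BackConnectionHostNames)
}

function Test-LoopbackCheckBlocks {
    param([Parameter(Mandatory)][string]$HostName)
    # The check only bites when the name resolves to this machine and neither
    # exemption (Method 1 list entry or Method 2 DWORD) is in place.
    $localAddrs  = @([System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
                     ForEach-Object { $_.IPAddressToString }) + @('127.0.0.1', '::1')
    $targetAddrs = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    $isLocal  = @($targetAddrs | Where-Object { $localAddrs -contains $_ }).Count -gt 0
    $disabled = (Get-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue).DisableLoopbackCheck -eq 1
    $exempt   = (Get-BackConnectionHostNames) -contains $HostName
    [pscustomobject]@{
        HostName              = $HostName
        ResolvesToThisMachine = $isLocal
        DisableLoopbackCheck  = $disabled
        InBackConnectionList  = $exempt
        WillBeRejected        = $isLocal -and -not $disabled -and -not $exempt
    }
}

function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)
    # Method 1: extend the multi-string value, keeping existing entries, no duplicates.
    $names = @(@(Get-BackConnectionHostNames) + $HostName | Select-Object -Unique)
    New-ItemProperty -Path $Msv10Key -Name 'BackConnectionHostNames' -PropertyType MultiString -Value $names -Force | Out-Null
}

function Disable-LoopbackCheck {
    # Method 2: DWORD DisableLoopbackCheck = 1. Turns the check off for every
    # name on the box, which is why the post recommends Method 1 instead.
    New-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: exempt the host names the post uses as examples, then confirm the
# check no longer applies. A restart (as the post says) is still required.
Add-BackConnectionHostName -HostName 'www.daenet.eu', 'currencyserver.de'
Test-LoopbackCheckBlocks -HostName 'www.daenet.eu' | Format-List
```

Test-LoopbackCheckBlocks is useful on its own before changing anything: if it reports ResolvesToThisMachine as false, the 401.1 you are chasing is not the loopback check and the credentials really are the problem.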

In Context of WCF

This problem can easily be worked around even without the fixes shown above: add a default host header to the application. The limitation is when you host several applications on one box, because in that case a default host header cannot be shared across multiple applications.

Additionally, with WCF web services it is not allowed to define two host headers for one service, because this would implicitly cause the service host to create two endpoints on the same scheme (http) and the service would fail on start-up.

Related links:

http://support.microsoft.com/kb/896861
http://support.microsoft.com/kb/960859


Posted Aug 28 2009, 02:30 PM by Damir Dobric

Comments

Flowman wrote re: Authentication Problems by using of NTLM
on 09-01-2009 22:47

Thanks for the post. We spent almost two days figuring out why we got these 401.1 errors, and now it works like a charm. Thanks again.

Otto Horvath

MS MVP - Group Policy

Sascha wrote re: Authentication Problems by using of NTLM
on 09-07-2009 11:49

Don't forget to create the DisableLoopbackCheck Key (DWORD)!

Dharma wrote re: Authentication Problems by using of NTLM
on 05-27-2011 4:27

Thank you so much. My code worked fine in UAT, but when we moved it to Prod we got this issue. Your blog helped me to resolve it quickly.

developers.de is a .Net Community Blog powered by daenet GmbH.