Sunday, December 04, 2005

Windows Authentication not working (by design) in IIS 6.0 on Windows Server 2003 SP1 when you use host headers

On Windows Server 2003 SP1, if you configure an IIS site to use a host header and enable Windows Integrated Authentication on that site, you may have problems logging in to the site.

The symptoms can include:

  • IIS prompting for credentials even though you are logged into the domain and have configured IE to pass credentials automatically.
  • Not being able to log into the site no matter what username/password you use
  • Getting HTTP 404.1 when trying to access the site
  • Authentication events in the security event log like Event ID 537 : An error occurred during logon

If you have encountered these problems, your issues may be related to a new feature added in Windows Server 2003 SP1 and Windows XP SP2. The cause is the loopback check, a security feature added to the operating system in these service pack releases to help mitigate reflection attacks. A detailed description of the issue can be found at: http://support.microsoft.com/?kbid=896861

To resolve the issue, you can either turn off the loopback check on the entire server or specify which host headers map back to the local loopback address.

Method 1: Disable Loopback Checking

  1. Open regedit
  2. Find HKLM\System\CurrentControlSet\Control\Lsa
  3. Create a new DWORD value called DisableLoopbackCheck and give it a value of 1
  4. Restart the computer

Method 2: Specify Host Names

  1. Open regedit
  2. Find HKLM\system\CurrentControlSet\Control\Lsa\MSV1_0
  3. Create a new multi-string value called BackConnectionHostNames
  4. Add the host headers to this value that map back to the local loopback
  5. Restart your computer
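
Method 2 as a script, added here as an example and not part of the original post. It assumes PowerShell is installed on the server, and the host names are constructed placeholders. Unlike Method 1, this leaves the loopback check in force for every name that is not listed, so the script also reports whether DisableLoopbackCheck is still set from an earlier change.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# The host names are constructed placeholders; pass the site's real host headers.
param(
    [string[]]$HostHeaders = @('intranet.example.com', 'reports.example.com')
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Keep names that are already listed instead of overwriting them.
$existing = @()
$current  = Get-ItemProperty -Path $msv1Key -Name $valueName -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.$valueName) }

# Merge, trim, and drop blanks and duplicates (Sort-Object compares case-insensitively).
$merged = @(($existing + $HostHeaders) |
    ForEach-Object { "$_".Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

# Steps 3 and 4 of Method 2: write the multi-string (REG_MULTI_SZ) value.
New-ItemProperty -Path $msv1Key -Name $valueName -PropertyType MultiString `
    -Value $merged -Force | Out-Null

# Report whether Method 1 was applied earlier: that setting turns the check off
# for every host name on the server, not just the ones listed above.
$lsa = Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is disabled server-wide.'
}

Write-Output 'BackConnectionHostNames now contains:'
$merged
# Step 5 of Method 2: restart the computer for the change to take effect.
```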

 

 

 

Copyright © Tom Wisnowski