Friday, April 17, 2015

You need to type your username and password when browsing a website directly from the IIS server, but from another client computer it works normally

You are in your office, you log in to the Windows Server that hosts IIS, and browse a hosted website that has Windows Authentication enabled, using its configured host header (let's say the website host header is "CompanyPortal").
You are prompted to type your username and password.
You go to your client computer and try to access the same site using the configured host header, and the site works correctly without asking for your username and password.

On a closer look at the Windows Security event log you will see a failed logon event recorded:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

If you bind the site to an IP address (not the loopback address), it will work as expected.

So what's going on?
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

So do you need it?
The recommendation is yes, but for some reason you may need to turn it off; for example, some websites on the server may be communicating with each other using a custom host header.

How to disable it.
Like most Microsoft tweaks, it is a registry value that you change.

There are two ways to work around it:
1- Recommended: specify the host names that are allowed.
2- Totally disable the loopback check (not recommended).

So let's start.
Method 1: Specify host names (preferred method if NTLM authentication is desired)
https://support.microsoft.com/en-us/kb/896861

  1. Go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
  2. Right-click MSV1_0 and select New->Multi-String Value.
  3. Type “BackConnectionHostNames” as the name and press Enter.
  4. Right-click the newly created entry and select Modify.
  5. In the Value data box, type the host name or host names for the sites that are on the local computer, and then click OK.
  6. Quit Registry Editor, and then restart the IISAdmin service.
Method 2:
This method totally disables the loopback check and is not recommended in production; you may use it in a development or testing environment.
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart your computer.
Or use the following PowerShell command:

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword
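As an added example (not code from the original post), here is a PowerShell version of Method 1 that appends a host header to BackConnectionHostNames without clobbering entries already there, restarts IISAdmin as the KB describes, and then checks that the blanket DisableLoopbackCheck from Method 2 is not also left behind. The host name CompanyPortal is a constructed sample value.

```powershell
# Added example: apply the recommended loopback workaround (Method 1) and
# audit for the blanket DisableLoopbackCheck switch (Method 2).
# Run in an elevated PowerShell session on the IIS server.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key   = Join-Path $lsaKey 'MSV1_0'
$valueName = 'BackConnectionHostNames'

function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)

    # Read the existing REG_MULTI_SZ value (if any) so other entries survive.
    $existing = @()
    $prop = Get-ItemProperty -Path $msv1Key -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.$valueName) }

    # Merge, trim blanks and drop duplicates (host names compare case-insensitively).
    $merged = @($existing + $HostName | ForEach-Object { $_.Trim() } |
               Where-Object { $_ } | Sort-Object -Unique)

    # Set-ItemProperty creates the value when it does not exist yet.
    Set-ItemProperty -Path $msv1Key -Name $valueName -Value $merged -Type MultiString

    # KB 896861: restart the IISAdmin service so the new list is picked up.
    # On IIS versions installed without IIS 6 compatibility that service is
    # absent, so fall back to iisreset.
    if (Get-Service -Name IISAdmin -ErrorAction SilentlyContinue) {
        Restart-Service -Name IISAdmin -Force
    } else {
        iisreset | Out-Null
    }
    return $merged
}

function Test-LoopbackCheckDisabled {
    # $true when the global (not recommended) Method 2 switch is turned on.
    $prop = Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.DisableLoopbackCheck -eq 1)
}

# Usage: allow the site's host header locally ("CompanyPortal" is a sample),
# then make sure the global bypass is not also set; if it is, remove it so
# only the listed names are exempt from the loopback check.
Add-BackConnectionHostName -HostName 'CompanyPortal'
if (Test-LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1 is set; removing it in favour of BackConnectionHostNames.'
    Remove-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck'
}
```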


Hope that helps.
