Loopback check

This was a big problem for us and we didn’t notice this behavior for a long time.

The problem is as follows:
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

We use a third party component to generate PDF and this component runs with in the web application and it has to access the same application (loopback) to access the aspx pages to get the content and generate the PDF. This worked in the development machine. The developer has used “localhost” to access his server. It worked fine in our development environment too, because we have deployed our application as a virtual directory under default website. So when developer used http://localhost/ there were no errors. Everything was fine.

But things are different in integration and production environment. That environment is maintained by another team in a different country. The setup is different there. In Integration the application is deployed as a website and there are other sites hosted in the same server. Every site has default port as 80 and the request is resolved by using “custom host headers”. There fore http://localhost/ would not work.

After understanding this requirement, we changed the localhost to FQDN (in our case custom host header) hoping it would work. When we tested this in our development environment we started having problems. Authentication failed. We were checking here and there. No clues. All of a sudden accidently when we were accessing this server from different machine using FQDN there was no problem. Only then it occurred to us that FQDN fails only when it is accessed from the same machine. Bingo! After that a little bit of Googling made life easier.

To put it correctly: When you have windows server 2003 and use windows integrated authentication and use FQDN (or custom host header) to access the local website in IIS 6.0 you will get this problem. In other words you will only receive this error when you directly access the site from the local server. This might be a rare scenario but it will happen in some cases as I mentioned above.
1. You will be asked for username and password when you try to access the website using FQDN.
2. No matter how many times you enter username and password authentication fails.

It is a symptom of change from Microsoft 2003 Service Pack 1.
“This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.” Via

There is a work around for this problem. Fortunately Microsoft provides a way to disable the loopback check as given in the above link. We always follow the step 2. Note that the step2 needs the server to be restarted.

Method 2: Disable the loopback check
Follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer

We learnt a very important lesson after facing this problem. It is important to have same kind of environmental setup in all stages. If only we had same environment in all the stages we could have spotted the problem earlier during development stage itself. And all these headaches during deployment could have avoided.

Hope this helps.