Boy, looking back at the past several months I really haven't done much in the way of keeping my blog up to date. Perhaps I just needed a reprieve or perhaps it was too much Lord of the Rings Online. It was probably a combination of the two. Anyway, I have an update that I want to provide as it's plagued me in the past and been a point of repeated and renewed frustration.
I frequently create custom websites in development and uniquely identify them via a custom host header (entered into IIS either during site creation or after the fact). Then I'd edit my hosts file to point that host header to my machine. NOTE: How the name resolves turns out not to matter. The check described below compares the name you browse to against the local computer name, so a DNS CNAME that resolves to the machine runs into it just as a hosts-file entry does, provided you are browsing from the server itself. Browsing the same host header from a different machine never triggers it.
When I attempt to open the website via IE 7.0 I am greeted with an authentication dialog box. None of the credentials I enter will take, and after three tries I get a standard 401.1 (Unauthorized: Logon Failed) HTTP error page. My first line of defense is to add the host header to IE's list of local intranet sites, but that doesn't have any effect - it still prompts me to log in. None of my standard debugging techniques seem to yield any meaningful results.
As it turns out, Windows XP SP2 and Windows Server 2003 SP1 both include a loopback check security feature that is designed to help prevent NTLM reflection attacks, where the machine is tricked into authenticating to itself. With it in place, Integrated (NTLM) authentication from the machine back to itself fails whenever the FQDN or custom host header you browse to does not match the local computer name. Only local access is affected, which is why the site works fine from any other client and why the usual client-side tweaks (intranet zone, credentials) go nowhere: the rejection happens in LSA on the server side, before IIS ever sees a valid logon.
An article on Microsoft Support (KB 896861) identifies this issue and how to work around it. For my test cases, I tried the first method ("Disable the loopback check") and that fixed it right off the bat. Also note that even though the instructions tell you to, I didn't need to reboot. A simple IISRESET fixed the issue.
Essentially all I needed to do was edit the registry by creating the following DWORD value under the Lsa key and assigning it a value of 1 (bear in mind this switches the check off for every name on the machine, not just the host header you care about):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck = 1
I suppose that if I needed tighter control I might have opted for method 2 by specifying host names, but such wasn't the case.
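As an added example (this is not code from the original post or from the KB article), here is the same change done from an elevated PowerShell prompt on the IIS machine, with the global switch used above shown next to the tighter per-name alternative. The host-name method in the KB article is the BackConnectionHostNames multi-string value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0; it lets NTLM loopback through only for the names you list and leaves the reflection protection in place for everything else. The host names in the script are made-up placeholders, and the script assumes it is run as an administrator on the server itself.

```powershell
# Added example, not from the original post: whitelist specific host headers
# for loopback NTLM authentication instead of disabling the check machine-wide.
# Run from an elevated PowerShell prompt on the IIS box. Host names are placeholders.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Hypothetical host headers that the hosts file points at this machine.
$hostHeaders = @('dev.mysite.local', 'api.mysite.local')

# --- Option A: the global switch the post used (shown for comparison only) ---
# This removes NTLM reflection protection for every name, not just the
# ones you develop against, so it is the less careful choice.
# New-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' `
#     -Value 1 -PropertyType DWord -Force | Out-Null

# --- Option B: whitelist just the names you need ----------------------------
# BackConnectionHostNames is a REG_MULTI_SZ. Merge with whatever is already
# there so re-running this script never clobbers someone else's entry.
$existing = @()
$prop = Get-ItemProperty -Path $msv1Key -Name 'BackConnectionHostNames' `
        -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.BackConnectionHostNames) }

# Host names are case-insensitive, so de-duplicate with Sort-Object -Unique
# (Select-Object -Unique would treat Dev.Mysite.Local and dev.mysite.local as different).
$merged = @($existing + $hostHeaders | Where-Object { $_ } | Sort-Object -Unique)

New-ItemProperty -Path $msv1Key -Name 'BackConnectionHostNames' `
    -Value $merged -PropertyType MultiString -Force | Out-Null

# If the global switch is also set, the whitelist constrains nothing; say so.
$global = Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' `
          -ErrorAction SilentlyContinue
if ($global -and $global.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set under Lsa; remove it so the host-name whitelist is what actually governs loopback access.'
}

# Show what is now whitelisted, then restart IIS so the change is picked up
# (the post found IISRESET sufficient; the KB article says to reboot).
(Get-ItemProperty -Path $msv1Key -Name 'BackConnectionHostNames').BackConnectionHostNames
iisreset
```

If you later retire a site, remove its name from BackConnectionHostNames rather than leaving it there; the whole point of the per-name method is that the list stays short and accounts for exactly the names you intend to allow.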
I'm glad I got to the bottom of it.