Monday, March 17, 2014

Good ole loopback check - how I hate thee

It seems every year or so, I've run into the same issue over and over again. And every time I forget the resolution due to the vague security error message.

We receive an "HTTP 401.1 - Unauthorized: Logon Failed" error when using a local web service from another web site or web service on the same machine, using windows integrated authentication.

After a few hours of debugging and research, we discover the root cause is the loopback check security feature described in these kb articles:

http://support.microsoft.com/kb/926642
(Note: even though this article says this issue applies to Win 2003 SP1, it also applies to any Windows Server OS since then, including 2008-2012.)

The solution is to modify the registry and add a DisableLoopbackCheck entry or to add host names in BackConnectionHostNames registry entry.

I have run into this same issue with custom web services as well as when using a local SharePoint install, Reporting Services web services and even one scenario where a .NET web application was using local Java web services.

No comments: