Wednesday, June 4, 2008

IIS 6 Host Headers on Win2k3 Yields 401.1

Haven't I met you before?

Sometimes it seems like there's so much random information you're supposed to keep in your head that it's a wonder any of it sticks. Keeping this blog has been surprisingly helpful, but things still seem to find their way through the cracks. To patch the holes I sometimes blog about the problem to increase my odds of remembering it. This is one such blog.

I was migrating a relatively plain ASP.NET site the other day, and after all of the assemblies and data had been migrated the last task was to set up a host header (something along the lines of

After setting up the host header and setting a local IP mapping in a hosts file, I was surprised to repeatedly get a 401.1 (Unauthorized: Access is denied due to invalid credentials).

Now of course there are MANY different scenarios that can yield a 401. In fact, while hunting for the answer I stumbled across this helpful article (again) that, while it didn't help with my particular issue, I normally use to troubleshoot most 401s and 404s. As it turns out, I've actually run into this same problem before...twice. Hopefully I remember it this time. Anyway, here's how it went down.


  1. You set a host header on a web site and are unable to access the machine by that host header without getting a 401.1 Access is denied due to invalid credentials.
  2. Your credentials are good and the App Pool is not running in the identity of an expired or invalid account.
  3. You can access that same site through a port number correctly.
  4. You are running Windows 2003.
  5. The web site is accessible via host header from other (remote) machines, just not locally.
  6. Also if you're debugging in Visual Studio you may get the error "Unable to start debugging on the web server. You do not have permissions to debug the server."


This is actually all semi-well documented in a Microsoft KB which never seems to surface when I go looking for it. All of this behavior has to do with a security check in the loopback adapter to prevent reflection attacks. Unfortunately there's no real cure. As the KB suggests, you can either disable the loopback check entirely if this is a development machine, or skip the security check for specific host headers that resolve back to the host.
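The two options above, as an added PowerShell sketch that is not part of the original post. It reports whether the machine-wide switch is on and exempts a single host header instead of disabling the check for every name. The registry value names `DisableLoopbackCheck` and `BackConnectionHostNames` are the standard Windows LSA values and are not named in the post; `intranet.example.local` is a placeholder host header.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
param(
    [string]$HostHeader = 'intranet.example.local',  # placeholder host header
    [switch]$Apply                                   # without -Apply the script only reports
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# 1. Machine-wide switch. A value of 1 turns the loopback check off for every
#    name that resolves to this host, which removes the reflection protection.
$global = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
           -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($global -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: the check is off for ALL host names.'
} else {
    Write-Output 'DisableLoopbackCheck is not set: the loopback check is active.'
}

# 2. Per-name exemption list (REG_MULTI_SZ). A missing value yields an empty list.
$names = @((Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
            -ErrorAction SilentlyContinue).BackConnectionHostNames |
           Where-Object { $_ })

if ($names -contains $HostHeader) {
    Write-Output "'$HostHeader' is already exempted from the loopback check."
    return
}
Write-Output "'$HostHeader' is not exempted; local requests by that name can get 401.1."
if (-not $Apply) { return }

# 3. Append only this host header, keeping existing entries, and write the
#    value back with an explicit MultiString type.
$updated = [string[]]($names + $HostHeader)
New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $updated -Force | Out-Null
Write-Output "Added '$HostHeader' to BackConnectionHostNames."
```

The change may not take effect until the affected services are restarted or the machine is rebooted.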

Remembering my life, one blog entry at a time.


1 comment:

Anonymous said...

arrrrrggggghhhhh forgot about the loopback! Thanks so much. I was thinking it was sharepoint related.