I have a Windows 2003 Web Edition SP1 server that is running the 2002 FPSE.
Everything functions normally, including access to the permissions and
administration home while I'm on the same network as the web server
(although this still traverses the same firewall customers do).  Customers
who have pages located on this server are unable to access these
administration pages.  They get prompted for a username and password and
then receive a page could not be displayed error.  Everything else appears
to be functioning normally.

Since this works on the local network I checked firewall logs but did not
see anything that was being dropped when customers try to access this
remotely.  I am able to repeatdly recreate this problem.  Any input would be
appreciated.

Ryan

[ Post a follow-up to this message ]

Ryan,

Try the following that has been suggested in past postings (look at the
loopback settings idea listed below):

---
Possible FIX from KB 896861: This issue occurs if you install Microsoft
Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pac
k
1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check
security feature that is designed to help prevent reflection attacks on your
computer. Therefore, authentication fails if the FQDN that you use does not
match the local computer name.

There is a known "issue" with authentication when using 2003 server with
IIS6 and 2002 extensions that shipped with 2003 server after the application
of 2003 server SP1. The issue occurs from additional security lock downs tha
t
sp1 applied. People have been affected by this either by installing SP1 afte
r
FP extensions were installed as well as fresh installations of 2003 server,
IIS6, 2002 extensions and with SP1.

People are doing the following:

Turn on basic authentication and use SSL for logins in IIS or

Method 1: Disable the loopback check
Follow these steps: 1. Click Start, click Run, type regedit, and then click
OK.
2. In Registry Editor, locate and then click the following registry key:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
Set\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.




------

Here is more information on this item



Here is a news group to check out.


http://support.microsoft.com/newsgr...wsnt&sloc=en-us





Here is another link to a search in that listserve to read:

http://support.microsoft.com/newsgr...r />
40b0-a226
-8b9cf33299a5&dglist=&ptlist=&exp=&sloc=en-us

In the results go and read the result named, "An error occurred accessing
your Windows SharePoint Services site files"



You will see the following posting froma user named Michael Middleton
referencing knowledge base article 896861 in regards to Integrated
Authentication:

I may have posted my fix in the wrong thread.

You don't need to uninstall SP1.

You do need to stop checking the loopback connector so that Kerberos
doesn't break for virtual domains.

http://support.microsoft.com/defaul...kb;en-us;896861

At least that, and a good sanity check of permissions fixed it for me.
See my previous post under "Win 2003 SP1 FrontPage Problem".

It has been several days now, two servers were having this issue..
hundreds of domains... and zero complaints after we made this change.

Mike Middleton
http://www.m13.net


> Brian,
> I strongly recommend following Thomas Rowe's suggestion [uninstall win
 2k3
> sp1].
> If you encounter additional errors, please post back here.
> Uninstalling Win 2003 sp1 resolved the main problems - especially the post
ed
> specific error message.
> We encountered some residual issues, mostly due to the application of
> recommended fixes appropriate to the error message.
> Those are now cleaned up as well, thanks again to the Thomas and the other
> MVPs on this forum.
>

Here is the Knowledge base article:

You receive error 401.1 when you browse a Web site that uses Integrated
Authentication and is hosted on IIS 5.1 or IIS 6
View products that this article applies to.
Article ID : 896861
Last Review : May 20, 2005
Revision : 1.2

Notice
Important This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that
you understand how to restore the registry if a problem occurs. For
information about how to back up, restore, and edit the registry, click the
following article number to view the article in the Microsoft Knowledge Base
:
256986 (http://support.microsoft.com/kb/256986/) Description of the
Microsoft Windows Registry
On This Page
SYMPTOMS
CAUSE
WORKAROUND
Method 1: Disable the loopback check
Method 2: Specify host names
STATUS
APPLIES TO

SYMPTOMS
When you use the fully qualified domain name (FQDN) to browse a local Web
site that is hosted on a computer that is running Microsoft Internet
Information Services (IIS) 5.1 or IIS 6, you may receive an error message
that is similar to the following:
HTTP 401.1 - Unauthorized: Logon Failed
This issue occurs when the Web site uses Integrated Authentication and has a
name that is mapped to the local loopback address.

You may also receive an error message that is similar to the following when
you try to debug a Microsoft ASP.NET project in Microsoft Visual Studio 2003
:
Error while trying to run project: Unable to start debugging on the web
server. You do not have permissions to debug the server.

Verify that you are a member of the 'Debugger Users' group on the server.
Note The word "Web" is incorrectly capitalized in this error message.
Back to the top

CAUSE
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2)
or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and
Windows Server 2003 SP1 include a loopback check security feature that is
designed to help prevent reflection attacks on your computer. Therefore,
authentication fails if the FQDN that you use does not match the local
computer name.
Back to the top

WORKAROUND
Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.

To work around this issue, use one of the following methods:
Back to the top

Method 1: Disable the loopback check
Follow these steps: 1. Click Start, click Run, type regedit, and then click
OK.
2. In Registry Editor, locate and then click the following registry key:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
Set\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

Back to the top

Method 2: Specify host names
To specify the host names that are mapped to the loopback address and can
connect to Web sites on your computer, follow these steps: 1. Click Start,
click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
Set\Control\Lsa\MSV1_0
3. Right-click MSV1_0, point to New, and then click Multi-String Value.
4. Type BackConnectionHostNames, and then press ENTER.
5. Right-click BackConnectionHostNames, and then click Modify.
6. In the Value data box, type the host name or the host names for the sites
that are on the local computer, and then click OK.
7. Quit Registry Editor, and then restart your computer.

Back to the top

STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that
are listed in the "Applies to" section.
Back to the top


----------------------------------------------------------------------------
----

APPLIES TO
• Microsoft Internet Information Services 6.0, when used with:
Microsoft Windows Server 2003 Service Pack 1

• Microsoft Internet Information Services 5.1, when used with:
Microsoft Windows XP Service Pack 2

• Microsoft Visual Studio .NET 2003 Enterprise Architect
• Microsoft Visual Studio .NET 2003 Enterprise Developer

-----

"Ryan Kubiak" wrote:

> I have a Windows 2003 Web Edition SP1 server that is running the 2002 FPSE
.
> Everything functions normally, including access to the permissions and
> administration home while I'm on the same network as the web server
> (although this still traverses the same firewall customers do).  Customers
> who have pages located on this server are unable to access these
> administration pages.  They get prompted for a username and password and
> then receive a page could not be displayed error.  Everything else appears
> to be functioning normally.
>
> Since this works on the local network I checked firewall logs but did not
> see anything that was being dropped when customers try to access this
> remotely.  I am able to repeatdly recreate this problem.  Any input would 
be
> appreciated.
>
> Ryan
>
>
>

[ Post a follow-up to this message ]

I already found the KB article on disabling the loopback check and had made
that change, however it did not fix my problem.

Switching to basic authentication does work.  These administration pages run
under the hostname of the site which you are accessing, so assuming you're
not using self signed certificates, wouldn't you need a certificate for each
of the domains to secure the logins?  If that's true this really wouldn't
work in my situation.


"R" <R@discussions.microsoft.com> wrote in message
news:0A39BFD1-C978-412C-A763-B1F9E1BCD174@microsoft.com...
> Ryan,
>
> Try the following that has been suggested in past postings (look at the
> loopback settings idea listed below):
>
> ---
> Possible FIX from KB 896861: This issue occurs if you install Microsoft
> Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service
> Pack
> 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback
> check
> security feature that is designed to help prevent reflection attacks on
> your
> computer. Therefore, authentication fails if the FQDN that you use does
> not
> match the local computer name.
>
> There is a known "issue" with authentication when using 2003 server with
> IIS6 and 2002 extensions that shipped with 2003 server after the
> application
> of 2003 server SP1. The issue occurs from additional security lock downs
> that
> sp1 applied. People have been affected by this either by installing SP1
> after
> FP extensions were installed as well as fresh installations of 2003
> server,
> IIS6, 2002 extensions and with SP1.
>
> People are doing the following:
>
> Turn on basic authentication and use SSL for logins in IIS or
>
> Method 1: Disable the loopback check
> Follow these steps: 1. Click Start, click Run, type regedit, and then
> click
> OK.
> 2. In Registry Editor, locate and then click the following registry key:
>  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
Set\Control\Lsa
> 3. Right-click Lsa, point to New, and then click DWORD Value.
> 4. Type DisableLoopbackCheck, and then press ENTER.
> 5. Right-click DisableLoopbackCheck, and then click Modify.
> 6. In the Value data box, type 1, and then click OK.
> 7. Quit Registry Editor, and then restart your computer.
>
>
>
>
> ------
>
> Here is more information on this item
>
>
>
> Here is a news group to check out.
>
>
> http://support.microsoft.com/newsgr...wsnt&sloc=en-us
>
>
>
>
>
> Here is another link to a search in that listserve to read:
>
> http://support.microsoft.com/newsgr...aa-0d60-40b0-a2
26-8b9cf33299a5&dglist=&ptlist=&exp=&sloc=en-us[vbcol=seagreen]
>
> In the results go and read the result named, "An error occurred accessing
> your Windows SharePoint Services site files"
>
>
>
> You will see the following posting froma user named Michael Middleton
> referencing knowledge base article 896861 in regards to Integrated
> Authentication:
>
> I may have posted my fix in the wrong thread.
>
> You don't need to uninstall SP1.
>
> You do need to stop checking the loopback connector so that Kerberos
> doesn't break for virtual domains.
>
> http://support.microsoft.com/defaul...kb;en-us;896861
>
> At least that, and a good sanity check of permissions fixed it for me.
> See my previous post under "Win 2003 SP1 FrontPage Problem".
>
> It has been several days now, two servers were having this issue..
> hundreds of domains... and zero complaints after we made this change.
>
> Mike Middleton
> http://www.m13.net
>
> 
>
> Here is the Knowledge base article:
>
> You receive error 401.1 when you browse a Web site that uses Integrated
> Authentication and is hosted on IIS 5.1 or IIS 6
> View products that this article applies to.
> Article ID : 896861
> Last Review : May 20, 2005
> Revision : 1.2
>
> Notice
> Important This article contains information about modifying the registry.
> Before you modify the registry, make sure to back it up and make sure that
> you understand how to restore the registry if a problem occurs. For
> information about how to back up, restore, and edit the registry, click
> the
> following article number to view the article in the Microsoft Knowledge
> Base:
> 256986 (http://support.microsoft.com/kb/256986/) Description of the
> Microsoft Windows Registry
> On This Page
> SYMPTOMS
> CAUSE
> WORKAROUND
>   Method 1: Disable the loopback check
>   Method 2: Specify host names
> STATUS
> APPLIES TO
>
> SYMPTOMS
> When you use the fully qualified domain name (FQDN) to browse a local Web
> site that is hosted on a computer that is running Microsoft Internet
> Information Services (IIS) 5.1 or IIS 6, you may receive an error message
> that is similar to the following:
> HTTP 401.1 - Unauthorized: Logon Failed
> This issue occurs when the Web site uses Integrated Authentication and has
> a
> name that is mapped to the local loopback address.
>
> You may also receive an error message that is similar to the following
> when
> you try to debug a Microsoft ASP.NET project in Microsoft Visual Studio
> 2003:
> Error while trying to run project: Unable to start debugging on the web
> server. You do not have permissions to debug the server.
>
> Verify that you are a member of the 'Debugger Users' group on the server.
> Note The word "Web" is incorrectly capitalized in this error message.
> Back to the top
>
> CAUSE
> This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2)
> or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and
> Windows Server 2003 SP1 include a loopback check security feature that is
> designed to help prevent reflection attacks on your computer. Therefore,
> authentication fails if the FQDN that you use does not match the local
> computer name.
> Back to the top
>
> WORKAROUND
> Warning If you use Registry Editor incorrectly, you may cause serious
> problems that may require you to reinstall your operating system.
> Microsoft
> cannot guarantee that you can solve problems that result from using
> Registry
> Editor incorrectly. Use Registry Editor at your own risk.
>
> To work around this issue, use one of the following methods:
> Back to the top
>
> Method 1: Disable the loopback check
> Follow these steps: 1. Click Start, click Run, type regedit, and then
> click
> OK.
> 2. In Registry Editor, locate and then click the following registry key:
>  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
Set\Control\Lsa
> 3. Right-click Lsa, point to New, and then click DWORD Value.
> 4. Type DisableLoopbackCheck, and then press ENTER.
> 5. Right-click DisableLoopbackCheck, and then click Modify.
> 6. In the Value data box, type 1, and then click OK.
> 7. Quit Registry Editor, and then restart your computer.
>
> Back to the top
>
> Method 2: Specify host names
> To specify the host names that are mapped to the loopback address and can
> connect to Web sites on your computer, follow these steps: 1. Click Start,
> click Run, type regedit, and then click OK.
> 2. In Registry Editor, locate and then click the following registry key:
>  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
Set\Control\Lsa\MSV1_0
> 3. Right-click MSV1_0, point to New, and then click Multi-String Value.
> 4. Type BackConnectionHostNames, and then press ENTER.
> 5. Right-click BackConnectionHostNames, and then click Modify.
> 6. In the Value data box, type the host name or the host names for the
> sites
> that are on the local computer, and then click OK.
> 7. Quit Registry Editor, and then restart your computer.
>
> Back to the top
>
> STATUS
> Microsoft has confirmed that this is a bug in the Microsoft products that
> are listed in the "Applies to" section.
> Back to the top
>
>
> --------------------------------------------------------------------------
------
>
> APPLIES TO
> . Microsoft Internet Information Services 6.0, when used with:
>    Microsoft Windows Server 2003 Service Pack 1
>
> . Microsoft Internet Information Services 5.1, when used with:
>    Microsoft Windows XP Service Pack 2
>
> . Microsoft Visual Studio .NET 2003 Enterprise Architect
> . Microsoft Visual Studio .NET 2003 Enterprise Developer
>
> -----
>
> "Ryan Kubiak" wrote:
> 

[ Post a follow-up to this message ]