IE8 beta 2 authentication issues with host header configured sites
I just wanted to put this one out there to see if anyone else is having the same issue. On my laptop I have got multiple SharePoint sites set up that I am using the host file to point the requests in the right direction (for example I have ‘sharedservices’ set up for my SSP site). Now I went and installed IE8 beta 2 (knowing I am going to rebuild the laptop in the next couple of weeks anyway) to check it out, and have come across this strange issue with these sites.
When I browse to my http://sharedservices site I get prompted for credentials as you would expect, but it wont accept them. No matter what I enter it just wont let me through, and this is the same for any site I use a host header entry for. I can still browse to the default site I have set up on port 80 (so just http://servername – this one doesn’t use a host entry) and I can still browse to the shared service provider in FireFox and my other browsers.
It is probably also worth mentioning that the accounts I am using to authenticate with here are local accounts – I am not running Active Directory on my laptop, so all my service accounts for MOSS are local accounts (this is something I will be doing differently when I rebuild).
So I’m putting it out there to see if anyone else has had the same issue, and could perhaps shed some light on this? Also if you have a box that uses host entries and you wanted to use IE, probably best to give it a miss for the moment. Leave me a comment if you have any ideas though!
UPDATE AND FIX: Big thanks to Ishai Sagi for showing me this one. The details of the fix are at http://support.microsoft.com/default.aspx/kb/896861. Essentially the issue revolves around a loopback check that is being done to prevent reflection attacks against your system. the theory is that if a request comes from your machine to a DNS name that doesn’t match the machine name, the check will block the authentication. I’m not sure that it was IE8 that directly caused this, rather it was one of the windows updates that get installed along with IE8. Never the less there are two ways to solve this issue (taken from the article mentioned above):
Method 1: Disable the loopback check
Follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
Method 2: Specify host names
To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaMSV1_0
- Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
- Quit Registry Editor, and then restart the IISAdmin service.
No worries (maybe you can link my name to my blog?)
Anyway, the first method is used to solve search issues when you are working on win2008 single computer server\workstation like I am. Search didnt work on any custom host header, giving "access denied" errors. disabling the loopback check solves it. Wish I knew that before teched australia – I then configured all my search accounts to be the administrator account to get search working.