IIS Authentication failed on locally hosted website with custom/alternate FQDN


iis

So, the company I work for uses Nintex Workflow to extend SharePoint's workflow capabilities. This includes Nintex consuming web services hosted on SharePoint's IIS. The problem starts when one of those web services is hosted on the SharePoint server's own IIS but is reached through an alternate Fully Qualified Domain Name (FQDN) rather than the server's hostname.

In the IIS log you'll see:

2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 0 0 11781
2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074254 15
2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074252 15

The sc-win32-status column carries SSPI error codes written as unsigned decimals: 2148074252 is 0x8009030C, SEC_E_LOGON_DENIED (the logon attempt failed), and 2148074254 is 0x8009030E, SEC_E_NO_CREDENTIALS (no credentials are available in the security package). The two columns before it are sc-status and sc-substatus, so these are 401.1 "Logon failed" responses, and c-ip is the same as s-ip: the failing requests come from the server itself. The first line (401.0 with a Win32 status of 0) is just the initial authentication challenge. Furthermore, in the Security event log I got this:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/24/2015 4:05:25 PM
Event ID:      4656
Task Category: File System
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      kestrel.falcon.local
Description:
A handle to an object was requested.

Subject:
    Security ID:        FALCON\surfer
    Account Name:        surfer
    Account Domain:        FALCON
    Logon ID:        0x90F0284B

Object:
    Object Server:        Security
    Object Type:        File
    Object Name:        C:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\ApplicationServer.Events.xml
    Handle ID:        0x0
    Resource Attributes:    -

Process Information:
    Process ID:        0x51d4
    Process Name:        C:\Windows\System32\mmc.exe

Access Request Information:
    Transaction ID:        {00000000-0000-0000-0000-000000000000}
    Accesses:        READ_CONTROL
                SYNCHRONIZE
                WriteData (or AddFile)
                AppendData (or AddSubdirectory or CreatePipeInstance)
                WriteEA
                ReadAttributes
                WriteAttributes
                
    Access Reasons:        READ_CONTROL:    Granted by    D:(A;;0x1200a9;;;BA)
                SYNCHRONIZE:    Granted by    D:(A;;0x1200a9;;;BA)
                WriteData (or AddFile):    Not granted
                AppendData (or AddSubdirectory or CreatePipeInstance):    Not granted
                WriteEA:    Not granted
                ReadAttributes:    Granted by ACE on parent folder    D:(A;;0x1301bf;;;BA)
                WriteAttributes:    Not granted
                
    Access Mask:        0x120196
    Privileges Used for Access Check:    -
    Restricted SID Count:    0
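The IIS log lines above carry the whole story in sc-status, sc-substatus and sc-win32-status. The following is an added PowerShell example (not from the original post, and not Nintex or SharePoint code) that parses W3C log lines, decodes those columns and pulls out the loopback signature: a 401.1 answered to the server's own address. It assumes the default IIS field order, since the excerpt has no #Fields header; the fourth sample line, with user FALCON\surfer from 172.16.1.57, is one I made up so that an ordinary remote request is in the set.

```powershell
# Added example (not from the original post): decode the status columns of IIS W3C
# log lines and flag the loopback-check signature (401.1 answered to the server's own IP).
# Assumes the default IIS field order, since the excerpt above carries no #Fields header:
#   date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
#   cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

# SSPI (SEC_E_*) codes that IIS writes to sc-win32-status as unsigned decimals, keyed by hex
$SspiErrors = @{
    '8009030C' = 'SEC_E_LOGON_DENIED: the logon attempt failed'
    '8009030E' = 'SEC_E_NO_CREDENTIALS: no credentials are available in the security package'
    '80090308' = 'SEC_E_INVALID_TOKEN: the token supplied to the function is invalid'
}

function ConvertFrom-IisLogLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line.StartsWith('#')) { return $null }      # #Software / #Fields directive lines
    $f = $Line -split ' '
    if ($f.Count -lt 15) { return $null }            # not in the expected layout
    $status    = [int]$f[11]
    $substatus = [int]$f[12]
    $win32     = [uint32]$f[13]
    $hex       = '{0:X8}' -f $win32
    $text      = if ($SspiErrors.ContainsKey($hex)) { $SspiErrors[$hex] } else { '' }
    [pscustomobject]@{
        Time            = "$($f[0]) $($f[1])"
        ServerIp        = $f[2]
        Method          = $f[3]
        Uri             = $f[4]
        User            = $f[7]
        ClientIp        = $f[8]
        Status          = $status
        SubStatus       = $substatus
        Win32Hex        = "0x$hex"
        Win32Text       = $text
        # 401.1 (logon failed) sent back to the server's own address is the loopback signature
        LoopbackSuspect = ($status -eq 401 -and $substatus -eq 1 -and $f[8] -eq $f[2])
    }
}

function Find-LoopbackAuthFailure {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = ConvertFrom-IisLogLine -Line $line
        if ($entry -and $entry.LoopbackSuspect) { $entry }
    }
}

# Constructed sample: the three lines from the log above plus one ordinary request from a
# remote client (FALCON\surfer from 172.16.1.57, a line I made up) that must not be flagged.
$sample = @(
    '2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 0 0 11781'
    '2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074254 15'
    '2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074252 15'
    '2015-02-24 06:53:02 172.16.1.188 GET /HRBenefit/ - 80 FALCON\surfer 172.16.1.57 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 31'
)

# Only the two 401.1 lines come out; the 401.0 challenge and the 200 are left out
Find-LoopbackAuthFailure -Lines $sample |
    Format-Table Time, ClientIp, Uri, Status, SubStatus, Win32Hex, Win32Text -AutoSize
```

To run it over a real log, pass the file contents instead of the sample, for example `Find-LoopbackAuthFailure -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex150224.log')`, assuming the default log location and site ID. The host header is not in the default fields, so the script can tell you the request came from the server itself but not which FQDN it used; enable the cs-host field in the site's logging settings if you need that.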

After a bit of research, I found the Microsoft KB article (KB 896861) explaining what was happening to the server. Windows XP SP2 and Windows Server 2003 SP1 added a loopback check in LSA that is meant to block reflection attacks: when a process on the machine authenticates with Integrated Windows Authentication to a service on the same machine using a name that is not the machine's own hostname, the logon is rejected, and IIS 5.1 and later answers with 401.1. So you can still bind the website to an alternate FQDN, but you can't authenticate to it from the server itself, which is exactly what Nintex was doing. The KB gives two ways around this. The recommended one is to list the alternate names in the multi-string value BackConnectionHostNames under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, which exempts only those names and leaves the protection on for everything else. The quicker one, which these steps use, disables the check for the whole host:

  1. Open regedit, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Right-click on Lsa, select New, then DWORD Value
  3. Put “DisableLoopbackCheck” as the name and press ENTER
  4. Right-click on “DisableLoopbackCheck”, then select Modify
  5. Put 1 in Value data box, press OK
  6. Quit Regedit, and restart IIS or the server

After IIS (or the server) has finished restarting, the web service should be accessible locally 😀
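Here is the same change as a PowerShell script, added as an example and not part of the original post. It implements both options from KB 896861: the recommended BackConnectionHostNames allow-list, which only exempts the names you give it, and the DisableLoopbackCheck switch from the regedit steps above, which turns the reflection-attack protection off for every name on the host. The hostname hrbenefit.falcon.local is an assumed value for illustration; run the script elevated on the IIS/SharePoint server.

```powershell
# Added example (not from the original post): apply the loopback-check exception with
# PowerShell instead of regedit. Method 1 (BackConnectionHostNames) is the one KB 896861
# recommends: it exempts only the names you list and leaves the protection on for
# everything else. Method 2 (DisableLoopbackCheck=1, the regedit steps above) switches
# the check off host-wide. Run elevated on the IIS/SharePoint server.
# 'hrbenefit.falcon.local' below is an assumed name for illustration only.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = Join-Path $LsaKey 'MSV1_0'

# Method 1: add one or more alternate names to the BackConnectionHostNames multi-string.
# Re-running is harmless: existing entries are kept and duplicates collapsed.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$HostName)

    $existing = @()
    $prop = Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.BackConnectionHostNames) }

    $merged = @(($existing + $HostName) |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($Msv1Key, "Set BackConnectionHostNames = $($merged -join ', ')")) {
        # -Force overwrites the value if it already exists
        New-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }
    return $merged
}

# Method 2: the global switch from the steps above. 1 disables the check, 0 restores it.
function Set-LoopbackCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$DisableLoopbackCheck)

    if ($DisableLoopbackCheck -eq 1) {
        Write-Warning 'DisableLoopbackCheck=1 turns the loopback protection off for every name on this host; prefer BackConnectionHostNames.'
    }
    if ($PSCmdlet.ShouldProcess($LsaKey, "Set DisableLoopbackCheck = $DisableLoopbackCheck")) {
        New-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck `
            -PropertyType DWord -Value $DisableLoopbackCheck -Force | Out-Null
    }
}

# Report both settings, so a server can be audited for the host-wide switch
function Get-LoopbackCheckState {
    $lsa = Get-ItemProperty -Path $LsaKey  -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $Msv1Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableLoopbackCheck    = [int]($lsa.DisableLoopbackCheck)                 # missing value -> 0, check on
        BackConnectionHostNames = @($msv.BackConnectionHostNames | Where-Object { $_ })
    }
}

# Usage: preview, apply, restart IIS so the change is picked up, then verify
Add-BackConnectionHostName -HostName 'hrbenefit.falcon.local' -WhatIf
Add-BackConnectionHostName -HostName 'hrbenefit.falcon.local'
iisreset
Get-LoopbackCheckState
```

If you already applied the regedit steps and want to move to the allow-list, run `Add-BackConnectionHostName` for your FQDN first, then `Set-LoopbackCheck -DisableLoopbackCheck 0` to switch the protection back on; `Get-LoopbackCheckState` on each server will show which hosts still have the global switch set.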
