
Friday, 23 January 2009

Sharepoint web service and HTTP 401.1 - Unauthorized: Logon Failed



Hello all,


Well, I just spent 3 weeks on this issue and it has been the most frustrating time.
I built a SharePoint workflow that was tested on our development server. I then started to deploy it to our TEST server.

The deployment process was easy and I expected it to be up and running in a couple of hours.

Note: The TEST SharePoint server had Kerberos on it.

So when I started a workflow running I realised that all the endpoints that were talking to the built-in SharePoint web services failed with various security errors. Initially I realised that all my endpoint and binding settings needed to be converted for the Kerberos environment, so I began setting up everything for Kerberos.

i.e. using setspn to create SPNs etc.

I did all this, and using System.Diagnostics tracing I could see I was getting somewhere, but I was still getting what I thought were Kerberos errors.

Remember that I was using WCF that was wrapped around (old fashioned) SharePoint web services.

Anyway, spent too long on this so it was decided that I should forget WCF and use old fashioned web services as I really had no need for all the functionality and security of WCF as the data being passed was internal and then not that important.

So I changed everything to old fashioned web services assuming that this would "just work".

Then I deployed and started getting 401.1 errors. (HTTP 401.1 - Unauthorized: Logon Failed)

I could not get around these errors. I checked everything from Sharepoint list access, app pool accounts in IIS... etc....

Then I tried talking from my DEV server's old-fashioned web services to my TEST server's SharePoint web service and it worked. WEIRD.

So at this point I could talk from a remote client to the TEST server but not from the TEST server to the TEST server. Grrrr.

Another few days went past and my boss stumbled upon this link:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;896861

Notes from the link:
Symptoms:
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or IIS 6, you may receive an error message that resembles the following:
HTTP 401.1 - Unauthorized: Logon Failed
This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

Note: You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.


Cause:
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

Resolution:

Method 1: Disable the loopback check

Follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart your computer.

Method 2: Specify host names

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  7. Quit Registry Editor, and then restart the IISAdmin service.
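The two methods above are manual regedit steps. Below is an added PowerShell script (my own example, not part of the original post or the KB article) that audits both settings and applies Method 2, which only allows the host names you list rather than switching the loopback check off for every name as Method 1 does. It assumes it is run in an elevated prompt on the IIS/SharePoint server itself; the host names in `$HostNames` are constructed placeholders that you would replace with the FQDN and host header your site actually uses.

```powershell
# Added example (not from the original post): audit the KB 896861 loopback-check
# settings and apply Method 2 (BackConnectionHostNames) for a list of host names.
# Assumptions: run elevated on the web server; the names below are placeholders.

$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$HostNames = @('sharepoint-test.example.local', 'sharepoint-test')   # placeholders

function Get-LoopbackCheckState {
    # Method 1 flag: a value of 1 turns the loopback check off for ALL names.
    $disable = (Get-ItemProperty -Path $LsaPath -Name 'DisableLoopbackCheck' `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck
    # Method 2 list: only these names may authenticate back to the local machine.
    $names = (Get-ItemProperty -Path $Msv1Path -Name 'BackConnectionHostNames' `
              -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        LoopbackCheckDisabled   = ($disable -eq 1)
        BackConnectionHostNames = @($names | Where-Object { $_ })
    }
}

function Set-BackConnectionHostNames {
    param([string[]]$Names)
    $existing = (Get-ItemProperty -Path $Msv1Path -Name 'BackConnectionHostNames' `
                 -ErrorAction SilentlyContinue).BackConnectionHostNames
    # Merge with anything already configured so an earlier entry is not lost.
    $merged = @(@($existing) + $Names | Where-Object { $_ } | Sort-Object -Unique)
    if ($null -eq $existing) {
        New-ItemProperty -Path $Msv1Path -Name 'BackConnectionHostNames' `
            -PropertyType MultiString -Value $merged | Out-Null
    } else {
        Set-ItemProperty -Path $Msv1Path -Name 'BackConnectionHostNames' -Value $merged
    }
    # Per the KB, Method 2 takes effect after restarting IISAdmin (no reboot).
    # -Force also restarts dependent services such as W3SVC.
    Restart-Service -Name 'IISADMIN' -Force
}

$before = Get-LoopbackCheckState
if ($before.LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1 is set: the check is off for every name (Method 1).'
}
Set-BackConnectionHostNames -Names $HostNames
Get-LoopbackCheckState | Format-List
```

Run it once, then browse the site from the server using each name you listed; the "after" state printed at the end shows exactly which names are exempted, which is easier to review later than a blanket `DisableLoopbackCheck=1`.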
I chose method 1 and then rebooted and everything just started to work.
BUT, what a nightmare 3 weeks I had.

To summarize: a registry hack needed to be done to make server1-to-server1 calls work.
Whilst this was there to stop attacks on the server, I am still very annoyed that it took so long to find the solution and we only found it by accident.

Just wondering if anyone else has had the similar issue?

I am assuming that now, if I could be bothered, I could go back to using Kerberos and things would probably work.

Grrrrrrrrrr!

thanks
RuSs