Problem
If you try to log in to the SharePoint web application (http://site.company.com) using host header on the server itself, your windows credential doesn’t work but you can access the same site from outside. The problem happens when you create a SharePoint web application with a host header (site.company.com) on the SharePoint Server (Server Name: company.com) which is installed on Windows Server 2008. This is a known issue with SharePoint 2007 or SharePoint 2010 on the Windows Server 2008 platform and this problem is happening even with the recent patches.Solution
I had the same problem before when I put the host header in for my production site and I was unable to login from production server itself. The main reason for this issue is that Windows includes a loopback security check feature that helps prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name, as the system blocks the authentication procedure while resolving the host header given to the web application. Additionally, you always get the following prompt even though you put correct username and password.
To proof the previous statement, you have to go to the event viewer. If you check the event viewer logs on the “Security” category, you will see something like the one below under the Audit Failure Keyword
Check event viewer log
- Click Start, click Run, type eventvwr, and then click OK.
- Click on Security under Windows Log
Do the following steps to resolve this error by modifying the server’s registry to specify the host name. To specify the host names that are mapped to the loopback address and that can connect to Web sites on your computer, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- In the Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
- Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
- Exit Registry Editor, and then restart the computer.
The name placeholder is considered a host header. It is an alternative name for the computer on which Reporting Services is installed. You must add the NetBIOS and the Fully Qualified Domain Name (FQDN) for name to the BackConnectionHostNames list that is stored in the Windows registry.
For example, if the name is a Windows computer name, such as contoso, the name can likely also be referenced in FQDN form as contoso.domain.com. You must add both representations to the list in BackConnectionHostNames.
So, The above registry modification must be done for all other SharePoint applications which are using Host Header.
Thanks,
JK
