Problem
If you try to log in to the SharePoint web application
(http://site.company.com) through its host header from the server itself, your
Windows credentials don't work, but you can access the same site from outside.
The problem occurs when you create a SharePoint web application with a host
header (site.company.com) on the SharePoint server (Server Name: company.com),
which is installed on Windows Server 2008. This is a known issue with
SharePoint 2007 and SharePoint 2010 on the Windows Server 2008 platform, and it
still occurs even with the recent patches.
Solution
I had the same problem before when I put the host header in for my production
site and I was unable to log in from the production server itself. The main
reason for this issue is that Windows includes a loopback security check
feature that helps prevent reflection attacks on your computer. Authentication
therefore fails if the FQDN or the custom host header that you use does not
match the local computer name, because the system blocks the authentication
procedure while resolving the host header given to the web application. As a
result, you keep getting the credential prompt even though you enter the
correct username and password.
To prove the previous statement, go to the Event Viewer. If you check the
“Security” log, you will see an entry for the failed logon under the
Audit Failure keyword.
Check the Event Viewer log
- Click Start, click Run, type eventvwr, and then click OK.
- Click Security under Windows Logs.
To resolve this error, modify the server's registry to specify the host name.
To specify the host names that are mapped to the loopback address and that can
connect to Web sites on your computer, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- In the Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
- Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the host name or the host names for the
sites that are on the local computer, and then click OK.
- Exit Registry Editor, and then restart the computer.
The name placeholder is considered a host header. It is an alternative name
for the computer on which Reporting Services is installed. You must add the
NetBIOS and the Fully Qualified Domain Name (FQDN) for name to the
BackConnectionHostNames list that is stored in the Windows registry.
For example, if the name is a Windows computer name, such as contoso, the
name can likely also be referenced in FQDN form as contoso.domain.com. You must
add both representations to the list in BackConnectionHostNames.
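The same registry change can be scripted. The following is an added example, not part of the original post: it merges new host headers into BackConnectionHostNames instead of overwriting entries that other sites on the server may already depend on. The function name Add-BackConnectionHostName is hypothetical, and site.company.com is the host header used on this page.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# session on the SharePoint server. The function name is hypothetical.
function Add-BackConnectionHostName {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$HostName
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $valueName = 'BackConnectionHostNames'

    # Read the current multi-string value, if it already exists.
    $existing = @()
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.$valueName) }

    # Merge old and new names, trim whitespace, drop blanks, and de-duplicate.
    # Sort-Object -Unique compares case-insensitively by default, which
    # matches how host names are compared.
    $merged = @($existing + $HostName |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    # -Force replaces the value if it exists and creates it otherwise,
    # always as REG_MULTI_SZ (Multi-String Value).
    New-ItemProperty -Path $keyPath -Name $valueName `
        -PropertyType MultiString -Value ([string[]]$merged) -Force | Out-Null

    # Read the value back so the operator can confirm what is now allowed.
    (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
}

# Host header from this page; list every host header (and, for a computer
# alias, both its NetBIOS and FQDN forms) served from this machine.
Add-BackConnectionHostName -HostName 'site.company.com'

Write-Host 'Restart the computer for the change to take effect.'
```

Keep the list limited to host names that are actually served from this machine, since every entry is a name exempted from the loopback security check.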
So, the above registry modification must be done for all other SharePoint
applications that use a host header.
Thanks,
JK