Thursday, April 16, 2009

IE 8 NTLM Authentication on Windows 2008

If you use host headers to resolve your websites, you may have seen the following issue with NTLM-authenticated sites in IE 8. When you access the websites from a machine other than the one hosting them, the sites load normally.
However, once you RDP onto the server and browse to the website from there, IE prompts for your Windows credentials and then returns an access denied message. This happens because Windows includes a loopback check security feature that helps prevent reflection attacks on your computer (probably some security change related to this feature was made in IE 8). As a result, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
Resolution: Disable the loopback check
  • Click Start, click Run, type regedit, and then click OK.
  • In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Right-click Lsa, point to New, and then click DWORD Value.
  • Type DisableLoopbackCheck, and then press ENTER.
  • Right-click DisableLoopbackCheck, and then click Modify.
  • In the Value data box, type 1, and then click OK.
  • Quit Registry Editor, and then restart your computer.
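
The same change as a script, for servers where the steps above have to be repeated or the previous state recorded. This is an added example, not part of the original post; the `-Revert` switch and the variable names are assumptions made here, and it has to run from an elevated PowerShell prompt.

```powershell
# Added example: scripted form of the Registry Editor steps above.
# -Revert (hypothetical switch) removes the value so the loopback check applies again.
param([switch]$Revert)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DisableLoopbackCheck'

# Writing under HKLM needs an elevated session; stop early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# Record the state before the change so it can be logged and undone.
$existing = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
if ($existing) { $before = $existing.DisableLoopbackCheck } else { $before = '(not set)' }

if ($Revert) {
    # Only remove the value if it is actually present.
    if ($existing) { Remove-ItemProperty -Path $lsaKey -Name $valueName }
} else {
    # Create the DWORD with value 1, or overwrite whatever is there.
    New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read the value back rather than assuming the write succeeded.
$check = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
if ($check) { $after = $check.DisableLoopbackCheck } else { $after = '(not set)' }

New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME
    Key      = $lsaKey
    Value    = $valueName
    Before   = $before
    After    = $after
    Note     = 'Restart the computer for the change to take effect.'
}
```

Keeping the `Before` column from each run gives a record of which servers had the loopback check disabled by this change and which already had it off.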

3 comments:

Oliver Degnan said...

Doesn't seem to have any effect on my machine. Any other suggestions?

Sahithi said...

Hi, I am facing the same issue, but your resolution did not work for me... Any other suggestion?

Prashanth Palakollu said...

You can also try the alternative fix mentioned below:
http://support.microsoft.com/kb/896861

Also, make sure the site is added to the trusted sites list in your browser on the server (assuming IE).
