INFO: SharePoint 2007 VM’s NLTM Authentication Failure

  • Article

I usually build a Virtual Machine that consists of the following for SharePoint development:

  • Windows Server 2008
  • SQL Server 2008 SP1
  • Visual Studio 2008 SP1 with Team Explorer (and VSeWSS 1.3)
  • Office 2007 SP2
  • Domain Controller and DNS Services

I use host headers to allow the web applications I create on the VM to run on port 80.  However, recently, the ability for me to visit a web application suddenly stopped inexplicably.  What happened was that any web application seemed to prompt me for NTLM credentials three consecutive times, but then deny me each time with a blank page.  SharePoint’s access denied page was not even rendered.  Furthermore, any HTML files (images, txt, html) could not be served from the virtual directory of the web application.  I found that I could visit https://localhost:portnumber sites, but no sites that used host headers. 

It turns out that a recent security patch delivered through Windows Update caused the issue.  There is a security update that causes any “excessive” traffic on the loopback adapter to be shut down.  This means that unless you either turn off the loopback adapter security check, or place all DNS names you want to use for web application host headers under a specific registry key, host headers won’t work and you will be denied access.  See the KB here:

https://support.microsoft.com/kb/896861

And the recommended steps below:

Method 1: Specify host names

Note We recommend that you use this method.
To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  3. Right-click MSV1_0, point to New, and then click Multi-String Value.

  4. Type BackConnectionHostNames, and then press ENTER.

  5. Right-click BackConnectionHostNames, and then click Modify.

  6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.

  7. Quit Registry Editor, and then restart the IISAdmin service.

Method 2: Disable the loopback check

Follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Right-click Lsa, point to New, and then click DWORD Value.

  4. Type DisableLoopbackCheck, and then press ENTER.

  5. Right-click DisableLoopbackCheck, and then click Modify.

  6. In the Value data box, type 1, and then click OK.

  7. Quit Registry Editor, and then restart your computer.