Debugging A Web Site With A Host Header

Web Development Tools Microsoft

If you have downloaded the RTM version of SP1 for Visual Studio 2008, you may get an error when trying to debug a Web Site with a host header on IIS 6 or IIS 5.1. The error message reads: "Unable to start debugging on the web server. An authentication error occurred while communicating with the web server. Please see Help for assistance."

(Figure 1: Error Message when debugging a Web Site with a host header. In this case, the host header is www.test.com)

Scope

This issue only appears on Web Sites configured with a host header on machines with IIS 6 or IIS 5.1 and the RTM version of the .Net Framework 3.5 SP1.

Background

Lukasz Pawlowski, a program manager on the Reporting Services team, published a great blog post describing the cause and explanation of the authentication error. Paraphrasing Lukasz:

"This error is caused by a security change made to the .Net Framework in SP1. The .Net Framework 3.5 SP1 now defaults to specifying the Host Name used in the request URL in an SPN in the NTLM authentication package. The NTLM authentication process includes a challenge issued by the destination computer and sent back to the client computer. When Windows receives a challenge it generated itself, authentication will fail unless the connection is a loop back connection. When a Web Site is configured with a host header, the host name is neither the machine name nor the loop back IP address nor the machine’s IP address, so Windows fails the authentication requests."

If you are interested, Lukasz describes the issue in much more detail and provides a link to information about the attacks this change protects against. Full Post

Work Around

There are two possible work-arounds. The recommended approach is to map your host header name to the loop back address in the registry. The steps are listed below. A less secure work around is to disable the loop back check, as described in http://support.microsoft.com/kb/896861.

Specify host names

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

3. Right-click MSV1_0, point to New, and then click Multi-String Value.

4. Type BackConnectionHostNames, and then press ENTER.

5. Right-click BackConnectionHostNames, and then click Modify.

6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.

7. Quit Registry Editor, and then restart the IISAdmin service and run IISReset.
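The same steps can be scripted. The PowerShell below is an added example, not part of the original post: it merges host names into BackConnectionHostNames without overwriting entries already there, then warns if the less secure workaround is active. It assumes an elevated prompt, uses the www.test.com host header from Figure 1 as its default, and takes the DisableLoopbackCheck value name from KB 896861.

```powershell
# Added example: script steps 1-7 above. Run from an elevated PowerShell prompt.
param(
    # Host header names to allow; the default is the example name from Figure 1.
    [string[]]$HostNames = @('www.test.com')
)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey  = Join-Path $lsaKey 'MSV1_0'
$valName = 'BackConnectionHostNames'

# Accept only plain DNS host names: no wildcards, schemes, ports or paths.
$label   = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
$dnsName = "^(?=.{1,253}`$)$label(\.$label)*`$"
foreach ($name in $HostNames) {
    if ($name -notmatch $dnsName) { throw "Not a plain host name: '$name'" }
}

# Read the current list, if the value exists, so existing entries are preserved.
$existing = @()
$prop = Get-ItemProperty -Path $msvKey -Name $valName -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$valName | Where-Object { $_ }) }

# Sort-Object compares case-insensitively, so WWW.TEST.COM and www.test.com collapse.
$merged = @(@($existing) + @($HostNames) | Sort-Object -Unique)

# Create or overwrite the value as REG_MULTI_SZ (steps 3-6).
New-ItemProperty -Path $msvKey -Name $valName -PropertyType MultiString `
    -Value $merged -Force | Out-Null
Write-Output "$valName now contains: $($merged -join ', ')"

# The less secure workaround turns the loopback check off for every host name.
# If it was set on this machine earlier, the per-name list above makes it unnecessary.
$lsa = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is disabled machine-wide.'
}

# Step 7: restart the IISAdmin service and run IISReset.
Restart-Service -Name IISADMIN -Force
iisreset
```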

 

Hope this helps you debug Web Sites configured to use host headers.

Joe Cartano | SDET | Visual Studio Web Developer
