Friday, 27 July 2018

Windows Server - Loopback Check

IIS LoopbackCheck

What is it, and what trouble does it cause?


I'm going to post this as an interlude to my Continuous Delivery series, as I have been wrestling with an IIS issue this week, and wanted to share the solution in case anyone else suffers the same frustrations!


After struggling for two days with sporadic 401s in our IIS logs, quadruple-checking authentication settings, permissions and config, it was a great relief to pin down the underlying issue: the loopback check.

What is loopback check?

Introduced with Windows Server 2003 SP1 and present in every version since (at the time of writing), the loopback check is an LSA hardening feature rather than an IIS setting: it refuses NTLM authentication to the local machine whenever the name the client used to reach it is not one of the machine's own names. Its purpose is to defeat NTLM reflection, where a machine's own credentials are bounced straight back at it over the loopback adapter. Any NTLM-authenticated connection to the local box via an alias trips it; IIS sites using Windows Authentication are just where most people first meet it.
So, if you browse a local IIS site from the same node using an FQDN or alias other than the machine name, the Windows Authentication handshake fails and you get a 401 back (401.1 in the sc-substatus column of the IIS log). Not really the first thought that'd enter your head when seeing a 401...
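Before touching the registry it is worth confirming that what you are seeing really is the loopback check. The PowerShell below is an added example, not code from the original post: it first triages a W3C-format IIS log for the tell-tale signature (401.1 where the client IP is one of the server's own addresses), then reproduces the symptom with a live request by machine name versus alias. The log lines are constructed sample data, and 'web01.corp.example' and the 10.0.0.x addresses are placeholders.

```powershell
# Added example, not code from the original post. Triages an IIS W3C log for the
# loopback-check signature, then reproduces it with a live request. Sample log lines
# below are constructed; host names and IPs are placeholders.

function Get-LoopbackCheckSuspects {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string[]]$LocalAddresses
    )
    $fields = $null
    foreach ($line in $LogLines) {
        # The #Fields directive defines the column order for the lines that follow it
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        # 401.1 = logon failed. Coming from one of our own addresses, that is the
        # loopback check far more often than a genuine bad credential.
        if ($row['sc-status'] -eq '401' -and $row['sc-substatus'] -eq '1' -and
            $LocalAddresses -contains $row['c-ip']) {
            [pscustomobject]@{
                When     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Uri      = $row['cs-uri-stem']
                User     = $row['cs-username']
            }
        }
    }
}

# Constructed sample of a W3C IIS log (not a real log). IIS writes '+' for spaces in fields.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-07-25 09:00:01 10.0.0.5 GET /api/health - 80 - 10.0.0.5 PowerShell/5.1 - 401 1 0 3
2018-07-25 09:00:02 10.0.0.5 GET /api/health - 80 CORP\svc-deploy 10.0.0.7 PowerShell/5.1 - 200 0 0 12
2018-07-25 09:00:03 10.0.0.5 GET /api/health - 80 - 10.0.0.9 Mozilla/5.0 - 401 2 5 1
2018-07-25 09:00:04 10.0.0.5 GET / - 80 - 10.0.0.5 PowerShell/5.1 - 401 1 0 2
'@ -split "`r?`n"

# On a real box build this from Get-NetIPAddress; hard-coded so the example runs offline.
$localAddresses = @('127.0.0.1', '::1', '10.0.0.5')
Get-LoopbackCheckSuspects -LogLines $sampleLog -LocalAddresses $localAddresses | Format-Table
# Expect the two 401.1 rows from 10.0.0.5. The 401.2 from 10.0.0.9 is a different problem
# (authorization config), which is exactly the distinction the sc-substatus column gives you.

function Test-WindowsAuthUrl {
    param([Parameter(Mandatory)][string]$Url)
    try {
        # -UseDefaultCredentials sends the current Windows identity (Negotiate/NTLM)
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode }
    }
    catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response object still carries the status
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        [pscustomobject]@{ Url = $Url; Status = $code }
    }
}

# Same site, same credentials, same box: only the name differs. A 200 by machine name
# next to a 401 by alias is the loopback check. (If the site is bound to a host header,
# the machine-name request may land on a different site; compare like with like.)
Test-WindowsAuthUrl -Url "http://$env:COMPUTERNAME/api/health"
Test-WindowsAuthUrl -Url 'http://web01.corp.example/api/health'   # placeholder alias
```

The log triage is the part that saves the two days: the client address column separates "the box is calling itself" from "a real user got a 401", and the sub-status separates a failed logon (401.1) from an authorization or configuration problem (401.2 and friends).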

How can I fix it?

There are two fixes, both of which require registry changes. The first, and the one to prefer, is to list the host names you connect with in the BackConnectionHostNames value (a REG_MULTI_SZ, one host name per line) under this key:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
 The check then passes for those names only and stays on for everything else.

 The second, less appealing fix is to create a DWORD named DisableLoopbackCheck with a value of 1 under this key:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
 ...but this switches the check off entirely for the node, and with it the NTLM reflection protection it provides. Far too heavyweight, especially if you need to do this on a production server. Restart IIS after either change so the new setting is picked up.

Here is a good article on Stack Overflow for more:
https://stackoverflow.com/questions/17466665/windows-authentication-not-working-on-local-iis-7-5-error-401-1
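If you are fixing this by hand rather than through DSC, the main trap is clobbering host names that are already in the multi-string, or writing the value as a plain REG_SZ, which LSA ignores. The following is an added example, not code from the original post: it appends to BackConnectionHostNames idempotently, then checks whether someone has already taken the blunt route and set DisableLoopbackCheck. It assumes an elevated session on the IIS node; 'web01.corp.example' is a placeholder host name.

```powershell
# Added example, not code from the original post. Appends host names to the
# BackConnectionHostNames REG_MULTI_SZ without dropping existing entries, and flags
# DisableLoopbackCheck if it is set. Run elevated. 'web01.corp.example' is a placeholder.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key   = Join-Path $LsaKey 'MSV1_0'
$ValueName = 'BackConnectionHostNames'

function Get-BackConnectionHostNames {
    # A missing value yields $null; normalise to an array of non-empty strings
    $current = (Get-ItemProperty -Path $Msv1Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return @($current | Where-Object { $_ -and $_.Trim() })
}

function Add-BackConnectionHostName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$HostName)

    $existing = Get-BackConnectionHostNames
    # Sort-Object -Unique is case-insensitive by default, so WEB01 and web01 collapse to one
    $merged   = @($existing + $HostName | ForEach-Object { $_.Trim() } | Sort-Object -Unique)

    if ($merged.Count -eq @($existing | Sort-Object -Unique).Count) {
        Write-Verbose 'Nothing to do: all requested host names are already listed'
        return $merged
    }
    # -Type MultiString matters: a plain string would land as REG_SZ and be ignored.
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $Msv1Key -Name $ValueName -Value $merged -Type MultiString
    Write-Verbose "Wrote $($merged.Count) host name(s) to $ValueName"
    return $merged
}

function Test-LoopbackCheckDisabled {
    $v = (Get-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue).DisableLoopbackCheck
    return ($v -eq 1)
}

$names = Add-BackConnectionHostName -HostName 'web01.corp.example' -Verbose
"BackConnectionHostNames now: $($names -join ', ')"

if (Test-LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1 is set: NTLM reflection protection is off for every name on this node. Remove it and rely on BackConnectionHostNames instead.'
    # Remove-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck'
}

# Then restart IIS so the change is picked up:  iisreset
```

Running the script twice is safe: the second run reads the existing list, finds nothing to add, and leaves the registry untouched, which is the behaviour you want from anything that ends up in a deployment pipeline.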

Can I automate this?

Yes! And to bring us back into the realms of continuous delivery, you can put your preferred fix from the above choices into a PowerShell DSC configuration using the built-in Registry resource.
For example, this will add your relevant host name to the "BackConnectionHostNames" value on your destination node:

Configuration LoopbackCheckFix
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node "localhost"
    {
        Registry BackConnectionHostNames
        {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
            ValueName = "BackConnectionHostNames"
            ValueType = "MultiString"      # REG_MULTI_SZ; LSA ignores a plain REG_SZ here
            ValueData = "YourHostName"     # one entry per host name used to reach the site
        }
    }
}


When DSC runs, it will ensure the registry value above is present with exactly that data, and create it if not :) Note that Ensure = "Present" with ValueData makes the whole multi-string match, so list every host name you need in ValueData rather than expecting DSC to append to what is already there.

May your irrational 401s be gone!

