Disable the loopback check when you experience HTTP 401.1 accessing a web site from localhost
I experienced something that made my whole day full of troubleshooting.
On a Windows Server 2008 machine, Microsoft Dynamics CRM 4.0 was installed. The CRM web application was using port 80 and had no host headers defined.
Great, I wanted another web application to be located on the same server, and therefore we created a DNS entry pointing to that specific machine (IP address). I created the web application and set its host header to the name in that DNS entry. The web application used Windows Integrated Authentication, and the application pool assigned to it ran under a domain service account.
Great, so let's try it: http://mydnsentry/
Windows kept asking for a username and password and I was never let in. From another server I made a connection to http://mydnsentry and it suddenly worked. Strange? Working from OUTSIDE the server but not from INSIDE the server itself.
We spent hours and hours thinking Kerberos was set up incompletely, tried about every trick ever known, and finally stumbled upon this article from Microsoft:
http://support.microsoft.com/kb/896861
So if you have a host header that does NOT match the local computer name, you will get problems unless you disable the "loopback check". This security feature was added to prevent reflection attacks.
Quote from the article:
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
To set the DisableLoopbackCheck registry key yourself, follow these steps:
- Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
281308 (http://support.microsoft.com/kb/281308/ ) Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
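The same change scripted in PowerShell, as an added example that is not part of the original post or the Microsoft article. It assumes the host header is `mydnsentry` (the name used above) and an elevated prompt. The preferred step keeps the reflection protection switched on and exempts only the listed host names through the `BackConnectionHostNames` value, which is the other method KB 896861 describes; the global `DisableLoopbackCheck` switch from the steps above is left as a commented-out fallback because it disables the check for every name on the machine.

```powershell
# Added example, not the original post's or Microsoft's code.
# Assumption: the host header that has to work from the server itself.
$HostHeader = 'mydnsentry'

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Step 1 of the KB steps (KB 281308): let the server service answer to an alias name.
Set-ItemProperty -Path $srv -Name 'DisableStrictNameChecking' -Value 1 -Type DWord

# Preferred: keep the loopback check enabled and exempt only the names you need.
# BackConnectionHostNames is a REG_MULTI_SZ under Lsa\MSV1_0; merge with any existing entries.
$existing = (Get-ItemProperty -Path $msv -Name 'BackConnectionHostNames' `
             -ErrorAction SilentlyContinue).BackConnectionHostNames
$names = @($existing) + $HostHeader | Where-Object { $_ } | Select-Object -Unique
Set-ItemProperty -Path $msv -Name 'BackConnectionHostNames' `
                 -Value ([string[]]$names) -Type MultiString

# Fallback only (what the regedit steps above do): turn the check off for every name.
# Uncomment if the exemption list alone does not clear the 401.1.
# Set-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' -Value 1 -Type DWord

# Show the resulting state so the change can be reviewed before restarting IIS or the server.
Get-ItemProperty -Path $msv -Name 'BackConnectionHostNames' |
    Select-Object -ExpandProperty BackConnectionHostNames
Get-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
```

If a value under Lsa named DisableLoopbackCheck is already set to 1, the exemption list is irrelevant, so check that first when auditing a server.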