a·gen·tic a·gil·i·ty

Why Integrated Authentication does not work with host headers!

Explains why Integrated Authentication fails with custom host headers on IIS, causing 401.1 errors, due to Windows loopback security checks and how to resolve it.

Published on
2 minute read
Image
https://nkdagility.com/resources/WqcZtyTF5t3
Subscribe

You receive error 401.1 when you browse a TFS Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

This little problem occurs when you have Windows 2003 SP1 or later installed and you try to change your Team Foundation Server to a friendly name, like say tfs01.[intranet].[company].com.

What I found was that when you tried to view tfs01.[intranet].[company].com on the local server, it popped up an authentication dialog and would not allow you in. Eventually giving you a 401 error.

I consulted with one of Aggreko’s Infrastructure Team guys, Gary Hay (no blog! Gary…Get a blog) , who when I pointed out the problem said, in way more polite terms, “WTF”!

After a surprisingly short time, he sent me a link and told me it was fixed: http://support.microsoft.com/kb/896861

This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

First, why would you want your server called the same as your website, and second, why would you NOT be hosting multiple sites under multiple host headers on the same server. I can only think of a couple of servers I have setup that have only one site, and it is NEVER called the same thing as the server…

After some testing I found that it was indeed fixed. Now, I had this exact same problem at Merrill Lynch and even with their hundreds, if not thousands of technical folk, no one could solve the problem. Just goes to show…just coz you are big and have masses of people, does not mean you have the right people…

Why Integrated Authentication does not work with host headers!  Thanks Gary…

Technorati Tags: ALM   TFS

Windows Troubleshooting
Subscribe

Related Blog

No related videos found.

Connect with Martin Hinshelwood

If you've made it this far, it's worth connecting with our principal consultant and coach, Martin Hinshelwood, for a 30-minute 'ask me anything' call.

Our Happy Clients​

We partner with businesses across diverse industries, including finance, insurance, healthcare, pharmaceuticals, technology, engineering, transportation, hospitality, entertainment, legal, government, and military sectors.​

Big Data for Humans Logo

Big Data for Humans

Higher Education Statistics Agency Logo

Higher Education Statistics Agency

Freadom Logo

Freadom

Trayport Logo

Trayport

Qualco Logo

Qualco

Illumina Logo

Illumina

SuperControl Logo

SuperControl

Alignment Healthcare Logo

Alignment Healthcare

Boeing Logo

Boeing

Epic Games Logo

Epic Games

Teleplan Logo

Teleplan

Hubtel Ghana Logo

Hubtel Ghana

Akaditi Logo

Akaditi

Slaughter and May Logo

Slaughter and May

Ericson Logo

Ericson

Genus Breeding Ltd Logo

Genus Breeding Ltd

Sage Logo

Sage

Bistech Logo

Bistech

Washington Department of Transport Logo

Washington Department of Transport

New Hampshire Supreme Court Logo

New Hampshire Supreme Court

Ghana Police Service Logo

Ghana Police Service

Royal Air Force Logo

Royal Air Force

Washington Department of Enterprise Services Logo

Washington Department of Enterprise Services

Nottingham County Council Logo

Nottingham County Council

New Signature Logo

New Signature

Boeing Logo

Boeing

Capita Secure Information Solutions Ltd Logo

Capita Secure Information Solutions Ltd

Milliman Logo

Milliman

Workday Logo

Workday

Cognizant Microsoft Business Group (MBG) Logo

Cognizant Microsoft Business Group (MBG)