To deploy IMM, one of the prerequisites is to install .NET Framework 3.5 SP1. We had done this on two different dev servers with no ill effects. However, it turns out that in production there is a slight side effect that was causing us some major problems. The main difference between the two environments is that production has 3 front ends and is therefore load balanced, while dev is a standalone server.
After applying the service pack, we did verify on all systems that the MOSS sites were loading properly. However, in a load balanced environment, we found that the web services were now returning a 401 unauthorized error message. To further verify the problem, I tested the following scenarios:
- Dev (standalone) - web services worked properly
- Prod with a load balanced url - web services failed
- Prod with a non-load balanced url - web services worked properly.
Apparently, 3.5 SP1 adds a loopback security check feature that is designed to help prevent reflection attacks. This check makes authentication fail if the FQDN or host header does not match the local computer name.
Resolution:
MSKB 896861
This KB article defines the problem in a slightly different way (Windows XP SP 2 or Windows 2003 SP1); however, the solution is the same: add a registry key to disable the loopback check and reboot. This fixed our problem and web services worked properly once again.
Below are the steps the article outlines...
Method 1: Disable the loopback check
Follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
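The same steps as a script, shown here as an added example (not from the KB article or the original post): it reports the current loopback-check state on each front end so the three load-balanced nodes can be compared, and applies the Method 1 value only when asked. The function names are hypothetical, remote use assumes PowerShell remoting is enabled, and `BackConnectionHostNames` is the value used by the KB's host-name method, which is not reproduced on this page.

```powershell
# Added example: audit and optionally apply the Method 1 registry setting.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LoopbackCheckState {
    # -ComputerName is optional; with no names the local machine is read.
    param([string[]]$ComputerName)
    $read = {
        param($Key)
        $lsa = Get-ItemProperty -Path $Key -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
        $msv = Get-ItemProperty -Path "$Key\MSV1_0" -Name BackConnectionHostNames -ErrorAction SilentlyContinue
        # A missing value means the loopback check is still enforced.
        $disabled = $false
        if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) { $disabled = $true }
        $hosts = ''
        if ($msv) { $hosts = $msv.BackConnectionHostNames -join ',' }
        [pscustomobject]@{
            Computer                = $env:COMPUTERNAME
            LoopbackCheckDisabled   = $disabled
            BackConnectionHostNames = $hosts
        }
    }
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $read -ArgumentList $LsaKey
    } else {
        & $read $LsaKey
    }
}

function Set-LoopbackCheckDisabled {
    # Run locally in an elevated session; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set DisableLoopbackCheck = 1 (DWORD)')) {
        New-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck `
            -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Warning 'Restart the computer for the change to take effect.'
    }
}

# Report the local state; pass -ComputerName with your own front-end names to compare nodes.
Get-LoopbackCheckState | Format-List

# Preview the change without writing to the registry:
# Set-LoopbackCheckDisabled -WhatIf
```

A host that reports `LoopbackCheckDisabled : True` has the reflection protection described above switched off for every host name, so record which servers carry the setting and why.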