Skip to main content

http error 401.1 unauthorized access is denied due to invalid credentials

I got this error while trying to browse my SharePoint site from within the server. I tried in both my front ends and application server and got the same error. I double checked to make sure the user I'm trying to login to the site had enough permission and also that password had not expired or account locked. Nothing seems to help.

Then I came across this excellent article by Spencer Harbar which talks about this issue. This error is caused by a feature in Windows Server 2003 SP1 and above called loopback security check. This feature prevents access to a site using its FQDN (Fully Qualified Domain Name) from the server that hosts the website. Here is Spencer's blog post:
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

There is also a Microsoft KB article that gives a solution to this problem. There are two solutions, disable loop check through a registry entry (not recommended for production servers) or add a list of addresses to exclude from the check.

Method 1: Disable the loopback check (less-recommended method)
The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key.

To set the DisableLoopbackCheck registry key, follow these steps:

1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
281308 (http://support.microsoft.com/kb/281308/ ) Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
2. Click Start, click Run, type regedit, and then click OK.
3. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
4. Right-click Lsa, point to New, and then click DWORD Value.
5. Type DisableLoopbackCheck, and then press ENTER.
6. Right-click DisableLoopbackCheck, and then click Modify.
7. In the Value data box, type 1, and then click OK.
8. Quit Registry Editor, and then restart your computer.

Method 2: Specify host names (Preferred method if NTLM authentication is desired)
To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
281308 (http://support.microsoft.com/kb/281308/ ) Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
2. Click Start, click Run, type regedit, and then click OK.
3. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
4. Right-click MSV1_0, point to New, and then click Multi-String Value.
5. Type BackConnectionHostNames, and then press ENTER.
6. Right-click BackConnectionHostNames, and then click Modify.
7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
8. Quit Registry Editor, and then restart the IISAdmin service.
Labels:

Comments

Post a Comment

Popular posts from this blog

"Cannot impersonate user for data source" - SSRS reports

We were getting this strange error while viewing our reports in SharePoint that was deployed using BIDS 2005: An error has occurred during report processing. Cannot impersonate user for data source 'datasource' Logon failed I tried many things but nothing worked. I did some research and found many blog posts which suggested me to reapply the password on the datasource file specified in the error message and save it again. That didn't work for me. I saw some check boxes in the data source file that read "Use as Windows Credentials" and "Set Execution Context to this report" and I didn't know what they meant. I unchecked those in my data source and then when the refreshed the page the report started displaying.
2 comments
Read more

Users do not show up in SharePoint People Search or People Picker

I had this issue with people picker in a classic mode web application in SharePoint 2013 and this site is in 2010 mode - users in certain sub-domains would not show up in People Picker. I was aware of stsadm commands to fix this and we ran the stsadm command to hook up people picker with another domain some time back. The latest issue was that people picker was not returning users from the root domain and few sub domains. After researching on the internet I found (contrary to my thoughts) that we could use PowerShell and not just stsadm to map People Picker to domains. It is a good idea to first check what domains are added/mapped to the web application using the following commands: $wa = Get-SPWebApplication -Identity http://mywebapp.com #List the Domains $wa.PeoplePickerSettings.SearchActiveDirectoryDomains This will list the domains currently People Picker is looking up for that web application. I used the following script to map our AD forest to People Picker:
Post a Comment
Read more

Report Server has encountered a SharePoint error. ( rsSharePointError)

I was receiving this error on the "Report Server Web Service URL" on our SharePoint farm: Report Server has encountered a SharePoint error. ( rsSharePointError) Access to this Web Site has been blocked. Please contact the administrator to resolve this problem. This site URL is configured via Central Administration > Configure Reporting Services Integration > Reporting Services Integration if Reporting Server feature/Add-in is installed on the farm. After doing some research I found out that this page somehow enumerates through entire site collections before it throws this error. As part of troubleshooting step I checked if the domain user configured for reporting service is has sufficient privileges in the farm and also as local admin of the sql box, but this did not solve the issue. We raised this issue with the vendor and they made us update our SQL Server 2005 to latest SP and CU; still we had the error. The reason was nobody was sure if this er
3 comments
Read more