You experience authentication issues when you try to access a Windows Server 2003 SP1 server locally using a UNC
(Universal Naming Convention) path in the \\ServerName\ShareName format. You experience one of the following:
- Repeated logon windows.
- Access Denied.
- No network provider accepted the given network path.
- The Security event log contains Event ID 537.
You can access the computer locally using its' FQDN or CNAME alias, and you can access it remotely use \\ServerName or \\IPaddress.
This behavior is the result of the new loopback check security feature, which is enabled by default on Windows Server 2003 SP1.
To workaround this behavior, you can disable the authentication loopback check, or you can create local LSA
(Local Security Authority) host names that are referenced in a NTLM authentication request.
To disable the authentication loopback check:
1. Open a
CMD.EXE window.
2. Type the following command and press
Enter:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /V DisableLoopbackCheck /T REG_DWORD /F /D 1
3.
Shutdown and restart Windows Server 2003.
To create local LSA host names that are referenced in a NTLM authentication request.
1. Open a
CMD.EXE window.
2. Type the following command and press
Enter:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /V BackConnectionHostNames /T REG_MULTI_SZ /F /D "Multi_String CNAME or DNS alias"
Where
each entry is separated by a
\0 and the last entry is terminated with
\0\0, like
CNAME1\0CNAME2\0CNAME3\0\0 or
CNAME\0\0.
3. Shutdown and restart Windows Server 2003.