I’m back after the summer break (3 weeks spent trying to master the “Do It Yourself” art at home Smile) and my second day in office I got an interesting problem with remote debugging: after installing the Service Pack 2 for .NET 2.0, when trying to debug our web application (hosted on a remote IIS) we were getting the following error: “Unable to start debugging on the web server. An authentication error occurred while communicating with the web server”. Note, you can get the same error if you install the Service Pack 1 for .NET 3.5: the reason is simple, if you install the SP1 for .NET 3.5 you’ll automatically get the SP2 for .NET 2.0. Another point: you are using host headers in your site.

Anyway, the error is caused by a security change: in .NET 3.5 SP1 (and .NET 2.0 SP2) now defaults to specifying the host name used in the request URL in an SPN in the NTLM authentication package. The NTLM authentication process includes a challenge issued by the destination machine and sent back to the client machine. When Windows receives a challenge it generated itself, authentication will fail unless the connection is a loop back connection. When a Web Site is configured with a host header, the host name is neither the machine name nor the loop back IP address nor the machine's IP address, so the authentication request will fail.

There are two possible solutions:

  1. The recommended approach is to map your host header name to the loop back address in the registry. Here are the steps:
    • Click Start > Run, type regedit and click OK
    • In Registry Editor, select the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0”
    • Right-click MSV1_0 > New > Multi-String Value
    • Type “BackConnectionHostNames” and press ENTER
    • Right-click “BackConnectionHostNames” > Modify
    • In the Value data box, type the host name or the host names for the sites that are on the local computer, then click OK
    • Quit the Registry Editor and reset IIS
  2. A less secure work around is to disable the loop back check, as described in http://support.microsoft.com/kb/896861

If you want more information on this matter you have have a look at http://blogs.msdn.com/lukaszp/archive/2008/07/18/reporting-services-http-401-unauthorized-host-headers-require-your-attention.aspx.

Carlo

Quote of the day:
If fifty million people say a foolish thing, it is still a foolish thing. - Anatole France