When I do development work for clients who don’t have their own development server, I set up an IIS virtual host on my server so that I can post iterations for them to review. Every client gets its own domain name like http://clientName.benday.com. It’s a pretty cool feature of IIS that allows you to host lots of different web sites on a single server with a single IP address.
I’ve been doing some maintenance work for a client lately, and on Friday I needed to post the demo. I deployed the app and tried checking it using Internet Explorer from the server. It prompted me to log on. That’s weird: I’m logged on locally, and this app is configured to use Windows (NTLM) authentication. I typed in my username and password anyway and got “HTTP 401.1 – Unauthorized: Logon Failed”. That’s impossible. I checked the file system permissions and re-checked the IIS permissions, and it all looked good.
There’s an odd issue with domain names that have periods (“.” or dots) in them: Internet Explorer won’t send the Windows authentication info to the server if the domain name has periods in it. I think this is totally stupid, but I can see how this could be a halfway decent method for determining that you’re accessing an intranet resource rather than an internet resource. In order to fix this, you need to add the URL to IE’s “Local intranet” or “Trusted sites” zone (Tools –> Options –> Security).
Anyway, so I started wondering if IE had gotten misconfigured and had stopped sending credentials to the server. This theory looked likely because the IIS logs didn’t record my username for those 401.1 errors — it just said “-” in that spot in the log. I played with the IE configuration for a while. No luck.
Throughout all of this, I was googling like crazy trying to think of how to describe this question in a way that google could actually help out. Nothing. You know…that’s one of the hardest things when you’re trying to solve an IT problem — if you don’t exactly know what’s wrong, it’s really tough to ask the question in order to find the solution.
Well, eventually I hit upon a Microsoft support article. Turns out that Windows Server 2003’s Service Pack 1 closes a security hole related to reflection attacks. It sounds like when you make a request to IIS, something on the server checks to see if the host name in the request is the name of the machine. Since the name of my server isn’t the same as the host header name for my client’s IIS site, IIS pukes out a 401. The fix for this is to edit the registry to tell the server what other names it should accept.
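As an added example (not from the original post), here is how that registry change can be scripted in PowerShell. The value it edits, `BackConnectionHostNames` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`, is the multi-string value Microsoft documents for registering extra host names with this loopback check; the host name `clientName.benday.com` is the site name from the post, and the assumption that PowerShell and the `HKLM:` drive are available on the server is mine. The script is idempotent: it reads the existing list, appends the name only if it is missing, and writes the value back as REG_MULTI_SZ.

```powershell
# Added example: register an extra host name with the Windows loopback check
# so NTLM logons to a local IIS site using that host header succeed.
# Assumptions: run elevated; the host name below is the site's host header.
$HostName  = 'clientName.benday.com'
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'BackConnectionHostNames'

# Read the current list; the value does not exist on a fresh server.
$existing = @()
$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $item) {
    $existing = @($item.$ValueName)
}

if ($existing -contains $HostName) {
    Write-Host "$HostName is already registered."
} else {
    # REG_MULTI_SZ: one host name per entry, existing names preserved.
    $updated = $existing + $HostName
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType MultiString -Value $updated -Force | Out-Null
    Write-Host "Added $HostName to $ValueName."
}

# Show the resulting list so the change can be verified.
Write-Host 'Registered host names:'
(Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName

# The new name is picked up after the IIS Admin service restarts.
Restart-Service -Name IISAdmin -Force
```

Listing specific names this way is preferable to the other documented option, a `DisableLoopbackCheck` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, because it keeps the reflection-attack protection in place for every host name you did not explicitly register.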