Tuesday, 27 October 2009

Access denied in a site using IWA authentication


I don't know whether you have run into this problem at some point: you have built a new web site or a web service virtual directory on your web server and enabled Integrated Windows Authentication (IWA) for it. You have checked that everything is configured correctly, but when you try to open the URL, the site asks for your user name and password three times and then reports an Access Denied error (as if you had no access to the site). This is very strange, because with IWA enabled every domain account can access the site. You review the configuration again and again and everything looks right. In some cases the URL is not accessible from inside the server but you can open it from your laptop (very bad if you are working with web services, because you cannot invoke their methods from inside the server or from another application using a programmatic call), and in other cases you cannot access the URL from either of them.

In both cases the solution is the same:

  1. Open Registry Editor.
    To do this in Windows XP or in Windows Server 2003, click Start, click Run, type regedit, and then click OK.
    To do this in Windows Vista, Click Start, type regedit in the Start Search box, and then press ENTER.
  2. Locate and then right-click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Point to New, and then click DWORD Value.
  4. Type LsaLookupCacheMaxSize, and then press ENTER.
  5. Right-click LsaLookupCacheMaxSize, and then click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Exit Registry Editor.
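The same seven steps, applied from PowerShell instead of regedit, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the IIS host; the function names (Get-LsaLookupCacheMaxSize, Set-LsaLookupCacheMaxSize, Resolve-Sid) are my own. It reads the current value first, supports -WhatIf so you can see the change before it is written, and finishes with a SID-to-name lookup (the same LsaLookupSids path the post mentions) so you can confirm the name now matches what the domain controller returns.

```powershell
# Added example (not from the original post): apply steps 1-7 from PowerShell.
# Assumes an elevated session on the web server where IWA fails.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LsaLookupCacheMaxSize'

function Get-LsaLookupCacheMaxSize {
    # Returns the current DWORD, or $null when the value is not present
    # (absent means Windows uses its built-in default SID cache size).
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

function Set-LsaLookupCacheMaxSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([uint32]$Size = 0)   # 0 = disable the LSA SID/name lookup cache (step 6)

    $before = Get-LsaLookupCacheMaxSize
    $was = if ($null -eq $before) { 'not set' } else { $before }
    if ($PSCmdlet.ShouldProcess("$lsaPath\$valueName", "set DWORD to $Size (was: $was)")) {
        # -PropertyType DWord matches step 3; -Force overwrites an existing value.
        New-ItemProperty -Path $lsaPath -Name $valueName -PropertyType DWord `
            -Value $Size -Force | Out-Null
    }
    return Get-LsaLookupCacheMaxSize
}

function Resolve-Sid {
    # Translates a SID to DOMAIN\name through LsaLookupSids; after the cache is
    # disabled this answer comes from a domain controller, not the local cache.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        "unresolved: $($_.Exception.Message)"
    }
}

# Dry run first (prints what would change), then apply.
Set-LsaLookupCacheMaxSize -WhatIf
Set-LsaLookupCacheMaxSize -Size 0

# Verify with the SID of the account running this session; substitute the SID of
# the renamed domain account when you are tracking down a specific stale entry.
$mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Resolve-Sid -Sid $mySid
```

Disabling the cache sends every SID lookup to the domain controllers, so keep an eye on lookup latency on busy servers; if that matters, the value can be raised again later once the renamed accounts have aged out.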

According to Microsoft's explanation, this error occurs because our web application calls the LsaLookupSids function to translate a security identifier (SID) to a user name (a normal operation in Windows) and the user name being translated has been changed on a domain controller. Usually, the Local Security Authority (LSA) caches the mapping between the SID and the user name in a local cache on the domain member computer. The cached user name is not synchronized with the domain controllers. The LSA on the domain member computer first queries the local SID cache. If a mapping already exists in the local SID cache, the LSA returns the cached user name instead of querying the domain controllers (this behavior is intended to improve performance), and you receive an Access Denied error because the old user name no longer exists on the domain. Setting LsaLookupCacheMaxSize to 0 disables this cache, so every lookup goes to the domain controllers and returns the current name.

1 comment:

  1. Two other methods to fix this problem:

    Method 1: Specify host names (Preferred method if NTLM authentication is desired)
    To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    3. Right-click MSV1_0, point to New, and then click Multi-String Value.
    4. Type BackConnectionHostNames, and then press ENTER.
    5. Right-click BackConnectionHostNames, and then click Modify.
    6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
    7. Quit Registry Editor, and then restart the IISAdmin service.

    Method 2: Disable the loopback check (less-recommended method)
    The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key.
    To set the DisableLoopbackCheck registry key, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    3. Right-click Lsa, point to New, and then click DWORD Value.
    4. Type DisableLoopbackCheck, and then press ENTER.
    5. Right-click DisableLoopbackCheck, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Quit Registry Editor, and then restart your computer.

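The two loopback methods from the comment above, applied from PowerShell, as an added example that is neither the commenter's nor Microsoft's code. It assumes an elevated session on the IIS host; the function names and the host names 'intranet.example.local' and 'ws.example.local' are constructed. Method 1 merges new names into the existing BackConnectionHostNames list instead of overwriting it, which is the mistake a plain New-ItemProperty call would make on a server that already has entries; Method 2 is included together with a function that reverts it, because the loopback check is a protection against NTLM reflection and is better left on once the host names are registered.

```powershell
# Added example (not from the original comment): Method 1 and Method 2 from PowerShell.
# Assumes an elevated session; host names used below are constructed placeholders.
$msvPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Add-BackConnectionHostName {
    # Method 1 (preferred): append host names to the multi-string value,
    # keeping any names already registered and removing duplicates.
    param([Parameter(Mandatory)][string[]]$HostName)
    $existing = @()
    $item = Get-ItemProperty -Path $msvPath -Name 'BackConnectionHostNames' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $existing = @($item.BackConnectionHostNames) }
    $merged = @($existing + $HostName | ForEach-Object { $_.Trim().ToLowerInvariant() } |
               Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $msvPath -Name 'BackConnectionHostNames' `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    return $merged
}

function Get-LoopbackCheckState {
    # Reports whether the loopback check is active; it is active unless
    # DisableLoopbackCheck exists and equals 1.
    $item = Get-ItemProperty -Path $lsaPath -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
    if ($null -eq $item)                  { return 'enabled (value not set)' }
    if ($item.DisableLoopbackCheck -eq 1) { return 'disabled' }
    return 'enabled'
}

function Disable-LoopbackCheck {
    # Method 2 (less recommended): turns the check off for every host name;
    # takes effect after a restart, as the comment's step 7 says.
    New-ItemProperty -Path $lsaPath -Name 'DisableLoopbackCheck' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-LoopbackCheckState
}

function Enable-LoopbackCheck {
    # Reverts Method 2 by deleting the value so the default behaviour returns.
    Remove-ItemProperty -Path $lsaPath -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
    return Get-LoopbackCheckState
}

# Usage: register the local sites' host names (constructed), restart IISAdmin (step 7),
# and confirm the global check is still on.
Add-BackConnectionHostName -HostName 'intranet.example.local', 'ws.example.local'
Restart-Service -Name IISADMIN
Get-LoopbackCheckState
```

Run Get-LoopbackCheckState as part of a server build check: a value of 'disabled' on a production IIS host usually means someone reached for Method 2 in a hurry, and the fix is to register the host names with Add-BackConnectionHostName and then call Enable-LoopbackCheck.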
