You upgrade a Microsoft Windows Server 2003-based computer
that is running Microsoft Internet Information Services (IIS) 6.0 or Microsoft
SQL Server 2000 to Windows Server 2003 Service Pack 1 (SP1). After you do this,
users experience authentication issues when they use Web applications or when
they use a program that queries the database. For example, a user may
experience symptoms that are similar to one of the following:
- The user receives an "Access denied" error message when the
user tries to access a Web page that retrieves data from a back-end
- The user cannot connect to another database server that is
located in a Network Load Balancing (NLB) cluster. Queries to the database
The symptoms that users experience may vary depending on your
This issue occurs because the service principal name (SPN) of the
service cannot be validated. The SPN cannot be validated when it is not
registered to the service account; authentication then falls back to NTLM,
and the local NTLM request is blocked by the loopback check functionality
that Windows Server 2003 SP1 introduces. The loopback check is controlled by the
DisableLoopbackCheck registry entry in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
By default, loopback check functionality is turned on in Windows
Server 2003 SP1, and the DisableLoopbackCheck registry entry is set to 0
(zero). While the check is on, NTLM authentication from the computer to itself
succeeds only when the target name in the request is a name of the local
computer; a request that uses another name, such as a Web site's host header
or an NLB cluster name, is rejected. The loopback check functionality prevents the program from registering
This section, method, or task contains steps that tell you how to
modify the registry. However, serious problems might occur if you modify the
registry incorrectly. Therefore, make sure that you follow these steps
carefully. For added protection, back up the registry before you modify it.
Then, you can restore the registry if a problem occurs. For more information
about how to back up and restore the registry, click the following article
number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
Disabling the authentication loopback check reduces security: it opens the
Windows Server 2003 server to man-in-the-middle (MITM) attacks on NTLM, in
which the server's own NTLM authentication is relayed back to it. To limit
that exposure, return the DisableLoopbackCheck registry entry to 0 (zero) as
soon as the SPN changes are made. Method 1 is the preferred solution because
it leaves the loopback check turned on and only lists the additional host
names that the local computer accepts in an NTLM authentication request.
Method 1: Create the Local Security Authority host names that can be referenced in an NTLM authentication request (preferred)
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Right-click MSV1_0, point to
New, and then click Multi-String Value.
- Type BackConnectionHostNames, and
then press ENTER.
- Right-click BackConnectionHostNames, and
then click Modify.
- In the Value data box, type the host name
or the host names for the sites that are on the local computer, one name per
line, and then click OK. Use the names that clients actually put in the request
(for example, the host header of the Web site or the NLB cluster name); the
computer's own name is accepted already and does not have to be listed.
- Exit Registry Editor, and then restart the server
for this change to take effect.
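The same Method 1 change applied from PowerShell instead of Registry Editor, as an added example that is not part of the Knowledge Base article. It keeps DisableLoopbackCheck at 0, merges the new names into any BackConnectionHostNames value that already exists, and leaves the check itself enabled. The host names in $hosts are placeholders; substitute the names clients use to reach sites on this server.

```powershell
# Added example, not from the KB article: apply Method 1 without regedit.
# Run from an elevated prompt on the Web or SQL server; a reboot still follows.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv   = Join-Path $lsa 'MSV1_0'
$hosts = @('www.corp.example.com', 'intranet')   # assumed host names (placeholders)

# Method 1 works with the loopback check ON. If someone set DisableLoopbackCheck
# to 1 earlier (Method 2), put it back to the secure default of 0.
$cur = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($null -ne $cur -and $cur -ne 0) {
    Write-Warning "DisableLoopbackCheck is $cur; resetting it to 0"
    Set-ItemProperty -Path $lsa -Name DisableLoopbackCheck -Value 0 -Type DWord
}

# Merge the names into the existing multi-string value (if any), drop blanks and
# duplicates, and write it back as REG_MULTI_SZ, one host name per element.
$existing = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged   = @(@($existing) + $hosts | Where-Object { $_ } | Sort-Object -Unique)
New-ItemProperty -Path $msv -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null

# Show what LSA will accept after the restart.
(Get-ItemProperty -Path $msv -Name BackConnectionHostNames).BackConnectionHostNames
```

Only the names listed here are exempted from the loopback check; every other target name in a local NTLM request is still rejected, which is why this method does not carry the MITM exposure of Method 2.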
Method 2: Disable the authentication loopback check and register the SPN
with the account that the service runs under
To resolve this issue, disable the authentication loopback check, and then register the SPN
with the account that the service runs under. To do this, set the
DisableLoopbackCheck entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
registry subkey to 1, and then determine the name of the SPN.
Step 1: To set the DisableLoopbackCheck registry entry to 1
- Click Start, click Run,
type regedit, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click DisableLoopbackCheck, and then
click Modify.
- Type 1 in the Value
data box, and then click OK.
Step 2: To determine the name of the SPN
- Add the following registry entries, and then set each
registry entry to the appropriate value as follows:
To add a registry entry, follow these steps:
a. Locate and then click the registry subkey where you
want to add the registry entry.
b. On the Edit menu, point to
New, and then click DWORD Value.
c. Type the name of the registry entry that you want to
add, and then press ENTER.
d. Right-click the registry entry that you added in step
2c, and then click Modify.
e. Type the appropriate value for that registry entry, and
then click OK.
f. Repeat step 2a through 2e for each registry entry that
you want to add.
- Quit Registry Editor.
- Restart the computer, and then reproduce the issue. After
you do this, an event ID error message that is similar to the following is
logged in the System log:
    Event ID: 3
    Description: A Kerberos Error
    Message was received:
    on logon session
    Server Realm: DomainName.com
    Server Name: MSSQLSvc/DomainName.com:1433
    Error Data is in record data.
Determine the SPN from the Server Name field of the event ID error message.
In this example, the SPN is MSSQLSvc/DomainName.com:1433.
Step 3: Use the Setspn.exe command-line tool to register the SPN
to the appropriate service account
In IIS 6.0, the service account is typically the account that
the WWW service runs under or the account that the application pool uses. In
Microsoft SQL Server 2000, the service account is the account that SQL Server
2000 runs under. Use the following syntax to add a new SPN:
setspn -a SPN DomainName\AccountName
The following is an example of how to use the
Setspn.exe command-line tool to add an SPN:
setspn -a MSSQLSvc/NLBNAME.corp.domain.com:1433 DomainName\AccountName
Note that setspn -a registers the SPN without checking whether another account
already holds it, and a duplicate SPN causes Kerberos authentication to that
service to fail. Before you add the SPN, list the SPNs that are already
registered to the account with setspn -L DomainName\AccountName, and register
the SPN for the name that clients connect to (the NLB cluster name in this
example), not only for the individual server.
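Steps 1 through 3 of Method 2 carried through in PowerShell, as an added example that is not part of the Knowledge Base article. It takes the SPN read from the Kerberos event, searches Active Directory for any account that already holds it (the 2003-era Setspn.exe has no duplicate check of its own, so this uses an LDAP query through System.DirectoryServices), registers the SPN with setspn -a only when it is unclaimed, and then restores DisableLoopbackCheck to 0 as the security note requires. The SPN and account name are the article's placeholders.

```powershell
# Added example, not from the KB article. Requires domain rights to write
# servicePrincipalName on the service account and local admin on the server.
$spn     = 'MSSQLSvc/NLBNAME.corp.domain.com:1433'   # Server Name from the Event ID 3 message
$account = 'DomainName\AccountName'                  # account that SQL Server (or the app pool) runs under
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Duplicate check: any object in the domain that already carries this SPN.
# "/" and ":" need no escaping in an LDAP filter, so the SPN is used verbatim.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(servicePrincipalName=$spn)"
[void]$searcher.PropertiesToLoad.Add('samAccountName')
$holders = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

$expected = ($account -split '\\')[-1]
if ($holders.Count -gt 0 -and ($holders -notcontains $expected)) {
    # Registering it a second time would break Kerberos for the service;
    # remove the stale registration from the other account first.
    Write-Warning "$spn is already registered to: $($holders -join ', ')"
    return
}

if ($holders -contains $expected) {
    Write-Host "$spn is already registered to $account; nothing to add."
} else {
    & setspn -a $spn $account
}

# Show the account's full SPN list for review.
& setspn -L $account

# The SPN is registered, so the loopback check goes back to its secure default.
Set-ItemProperty -Path $lsa -Name DisableLoopbackCheck -Value 0 -Type DWord
Write-Host "DisableLoopbackCheck is now $((Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck).DisableLoopbackCheck)"
```

If the query turns up the SPN on a different account than the one the service runs under, fix that first: Kerberos cannot choose between two holders, and clients silently fall back to NTLM, which is the path the loopback check blocks.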
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Setspn.exe support tool update for Windows Server 2003
For more information, click the following article number to view the article in the
Microsoft Knowledge Base:
Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003
After you install security update 957097,
applications such as SQL Server or Internet Information Services (IIS) may fail
when making local NTLM authentication requests.
For more information about how to resolve this issue, click the following
article number to view the article in the Microsoft Knowledge Base:
MS08-068: Vulnerability in SMB could allow remote code execution
See the "Known issues with this security update"
section of KB article 957097 for details about how to resolve the issue.