So, the company I work for uses Nintex Workflow to extend SharePoint's workflow capabilities. This includes Nintex consuming web services hosted on SharePoint's IIS. The problem starts when one of those web services is hosted on the SharePoint server's IIS but is reached through an alternate Fully Qualified Domain Name (FQDN).
In the IIS log you'll see:
2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 0 0 11781
2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074254 15
2015-02-24 06:52:14 172.16.1.188 GET /HRBenefit/ - 80 - 172.16.1.188 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074252 15
The sc-win32-status "2148074252" refers to a failed login attempt, while "2148074254" means that no credentials are available in the security package. Furthermore, in the Security event log I got this:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/24/2015 4:05:25 PM
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Failure
User: N/A
Computer: kestrel.falcon.local
Description:
A handle to an object was requested.
Subject:
Security ID: FALCON\surfer
Account Name: surfer
Account Domain: FALCON
Logon ID: 0x90F0284B
Object:
Object Server: Security
Object Type: File
Object Name: C:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\ApplicationServer.Events.xml
Handle ID: 0x0
Resource Attributes: -
Process Information:
Process ID: 0x51d4
Process Name: C:\Windows\System32\mmc.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted
Access Mask: 0x120196
Privileges Used for Access Check: -
Restricted SID Count: 0
After a wee bit of research, I found a Microsoft KB entry explaining what was happening to the server. So basically, starting with IIS 5.1, IIS blocks an attempt to browse a locally hosted website or web service that uses a different name than the hostname of the machine. You can still use an alternate FQDN, but you can't access it from the server itself. The KB also explains that the hostname check can be skipped by adding an entry to the server's registry. To do that:
- Open regedit, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click on Lsa, select New, then DWORD Value
- Enter "DisableLoopbackCheck" as the name and press ENTER
- Right-click on "DisableLoopbackCheck", then select Modify
- Put 1 in the Value data box, then press OK
- Quit Regedit, and restart IIS or the server
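The same registry change as a script, added here as an example rather than anything from the original post. It assumes an elevated PowerShell session on the SharePoint/IIS server, and the site URL is a placeholder since the post does not give the real alternate FQDN.

```powershell
# Added example (not from the original post): applies the DisableLoopbackCheck
# change described in the steps above, then checks that the alternate FQDN
# answers from the server itself. Run in an elevated PowerShell on the IIS host.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'DisableLoopbackCheck'

function Get-LoopbackCheckState {
    # Returns $true when the loopback check is disabled (value present and equal to 1).
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Disable-LoopbackCheck {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (Get-LoopbackCheckState) {
        Write-Verbose "$Name is already set to 1; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess("$LsaKey\$Name", 'Create DWORD and set to 1')) {
        # Same effect as the regedit steps: a DWORD named DisableLoopbackCheck with data 1.
        New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        # This switches the check off machine-wide, for every local name, not just this site.
        iisreset /noforce | Out-Null
    }
}

function Test-LocalFqdn {
    param([Parameter(Mandatory)][string]$Url)
    # Requests the site from the server with the current Windows identity,
    # which is the path that produced the 401 entries in the IIS log above.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
        return [int]$r.StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# Placeholder hostname: replace with the site's actual alternate FQDN.
$SiteUrl = 'http://hrbenefit.example.local/HRBenefit/'
"Before: loopback check disabled = $(Get-LoopbackCheckState)"
Disable-LoopbackCheck -Verbose
"After:  loopback check disabled = $(Get-LoopbackCheckState)"
"Local request to $SiteUrl returned HTTP $(Test-LocalFqdn -Url $SiteUrl)"
```

Because DisableLoopbackCheck turns the check off for every name the server hosts, Microsoft's KB article on this error also documents a narrower option, the BackConnectionHostNames multi-string value under Lsa\MSV1_0, which lists only the specific names to allow.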
After IIS or the server has finished restarting, the web service should be accessible locally 😀
