Authentication problems in Windows 2008 R2 and loopback IP

Tags: Windows, Windows 2008 R2

We are migrating part of our infrastructure to Windows Server 2008 R2, and while preparing a DEMO environment we got bitten by this problem. In R2 (and Windows 7) security is a little tighter, and NTLM authentication will not work when the connecting endpoint is using a loopback IP address (127.0.0.1). This holds true even if you use an alias from the hosts file.

Some of the symptoms are error and audit events in the event log, for example NTLM/Operational Event IDs 8001 and 8002 and LsaSrv Event ID 6037.

The resolution of this issue (not recommended for production) is to disable the new "LoopbackCheck" security feature of the LSA (Local Security Authority) service. To do that you need to edit the registry and add the value defined below.

For your convenience, you can copy &amp; paste the text between the "==" lines and save it as a .reg file.

============================================================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001

============================================================
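The same change, as an added PowerShell example that is not part of the original post: it reads the current state of the value above, applies or reverts the workaround with a registry backup, and pulls the event log entries the post lists (NTLM/Operational 8001 and 8002, LsaSrv 6037 in the System log) so you can confirm the diagnosis before touching anything. The registry path and value name are the ones from the post; the BackConnectionHostNames function is an assumed addition based on Microsoft's documented, host-scoped alternative to a machine-wide disable and is not mentioned in the post. Run from an elevated prompt on the affected machine.

```powershell
# Added example (not from the original post): audit and manage the LSA loopback check.
# Registry path and value name come from the post; event IDs are the ones the post lists.
# BackConnectionHostNames (REG_MULTI_SZ under Lsa\MSV1_0) is Microsoft's host-scoped
# alternative and is an assumption added here, not something the post describes.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'DisableLoopbackCheck'

function Get-LoopbackCheckState {
    # Returns 'Enabled' (default: value absent or 0) or 'Disabled' (value is 1).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-LoopbackCheck {
    # -Disable writes DisableLoopbackCheck=1 (the post's workaround); -Enable removes the
    # value so the default hardening is back. The Lsa key is exported to a .reg file first.
    param([switch]$Disable, [switch]$Enable)
    $backup = Join-Path $env:TEMP ("Lsa-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup /y | Out-Null
    if ($Disable) {
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    } elseif ($Enable) {
        Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    }
    Write-Output ("LoopbackCheck is now {0} (backup written to {1})" -f (Get-LoopbackCheckState), $backup)
}

function Add-BackConnectionHostName {
    # Scoped alternative (assumption, see lead-in): whitelist only the named aliases
    # instead of disabling the check machine-wide. Merges with any existing entries.
    param([Parameter(Mandatory=$true)][string[]]$HostName)
    if (-not (Test-Path $Msv1Key)) { New-Item -Path $Msv1Key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Msv1Key -Name 'BackConnectionHostNames' -ErrorAction SilentlyContinue).BackConnectionHostNames
    $merged = @($existing) + $HostName | Where-Object { $_ } | Sort-Object -Unique
    New-ItemProperty -Path $Msv1Key -Name 'BackConnectionHostNames' -PropertyType MultiString -Value $merged -Force | Out-Null
    return $merged
}

function Get-LoopbackAuthFailures {
    # Collects the events the post names so the symptom can be confirmed in the log:
    # NTLM/Operational 8001 and 8002, and LsaSrv 6037 (which is written to the System log).
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $ntlm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002; StartTime = $since } -ErrorAction SilentlyContinue
    $lsa  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 6037; StartTime = $since } -ErrorAction SilentlyContinue
    @($ntlm) + @($lsa) | Where-Object { $_ } | Sort-Object TimeCreated | Select-Object TimeCreated, Id, ProviderName, Message
}

# Usage on the demo box (revert with Set-LoopbackCheck -Enable when done):
Get-LoopbackCheckState
Get-LoopbackAuthFailures -Hours 48
# Set-LoopbackCheck -Disable
# Add-BackConnectionHostName -HostName 'demo.local', 'www.demo.local'   # constructed sample aliases
```

Run Get-LoopbackAuthFailures first: if 8001/8002/6037 are not showing up, the failure is probably something else and DisableLoopbackCheck will not fix it. On a box that has to keep running, Add-BackConnectionHostName with just the aliases you actually use keeps the check in place for every other host name, which is why the post flags the blanket disable as unsuitable for production.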

Hope it helps someone.

Best regards,

Andres G Vettori, VMBC, CTO
