So, the company I work for use nintex workflow to extend Sharepoint workflow capabilities. This includes nintex consuming webservice hosted on sharepoint’s IIS. The problem starts when one of the webservices are hosted on the sharepoint server’s IIS, but uses alternate Fully Qualified Domain Name (FQDN)

On IIS log you’ll see:

2015-02-24 06:52:14 GET /HRBenefit/ - 80 - Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 0 0 11781
2015-02-24 06:52:14 GET /HRBenefit/ - 80 - Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074254 15
2015-02-24 06:52:14 GET /HRBenefit/ - 80 - Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074252 15

The sc-win32-status “2148074252” refers to the failed login attempt, while “2148074254” means that there are no credentials available in the security package. Furthermore, on Security Event Viewer, I got this:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/24/2015 4:05:25 PM
Event ID:      4656
Task Category: File System
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      kestrel.falcon.local
A handle to an object was requested.

    Security ID:        FALCON\surfer
    Account Name:        surfer
    Account Domain:        FALCON
    Logon ID:        0x90F0284B

    Object Server:        Security
    Object Type:        File
    Object Name:        C:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\ApplicationServer.Events.xml
    Handle ID:        0x0
    Resource Attributes:    -

Process Information:
    Process ID:        0x51d4
    Process Name:        C:\Windows\System32\mmc.exe

Access Request Information:
    Transaction ID:        {00000000-0000-0000-0000-000000000000}
    Accesses:        READ_CONTROL
                WriteData (or AddFile)
                AppendData (or AddSubdirectory or CreatePipeInstance)
    Access Reasons:        READ_CONTROL:    Granted by    D:(A;;0x1200a9;;;BA)
                SYNCHRONIZE:    Granted by    D:(A;;0x1200a9;;;BA)
                WriteData (or AddFile):    Not granted
                AppendData (or AddSubdirectory or CreatePipeInstance):    Not granted
                WriteEA:    Not granted
                ReadAttributes:    Granted by ACE on parent folder    D:(A;;0x1301bf;;;BA)
                WriteAttributes:    Not granted
    Access Mask:        0x120196
    Privileges Used for Access Check:    -
    Restricted SID Count:    0

After a wee bit of research, I found a Microsoft KB entries explaining what was happening to the server. So basically, starting 5.1 IIS will block an attempt to browse a locally hosted website or webservice which uses different name than the hostname of the machine. You can still use an alternate FQDN, but you can’t access it from the server itself. The KB also explain that the hostname check can be skipped by adding an entry to the server ‘s registry. To do that:

  1. Open regedit, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Right-click on Lsa, select New, then DWORD Value
  3. Put “DisableLoopbackCheck” as the name and press ENTER
  4. Right-click on “DisableLoopbackCheck”, then select Modify
  5. Put 1 in Value data box, press OK
  6. Quit Regedit, and restart IIS or the server

After IIS/the server finished restarting, the webservice should be accessible locally 😀

By ikhsan

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.