Monday, August 11, 2014

SQL Server Reporting Services (SSRS) – “HTTP 401.1 – Unauthorized Logon Failed”


Symptom:
When you browse to the ReportServer and Reports virtual roots using the host name specified in your SSL certificate, you are prompted three times to log in and then land on a blank page, or you receive an ‘HTTP 401.1 – Unauthorized: Logon failed’ message.

Note: You only receive this error message if you try to browse directly on the server. If you browse from another computer in the network, the SSRS site works as expected.


Cause:
This issue occurs because of a loopback-check security feature added in Windows Server 2003 SP1. Authentication now fails if the host's fully qualified domain name (FQDN), specified in either your SSL certificate or any custom host header (CNAME) alias that you use, does not match the local computer name.



Work Around:
This issue and its workaround are more fully explained in Microsoft articles:
You should refer to and follow the instructions there.

If those articles are no longer available, a (possibly now out-of-date) snapshot of the instructions is reproduced below.


Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Create the Local Security Authority host names that can be referenced in an NTLM authentication request

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. In the Name column, type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the CNAME or the DNS alias that is used for the local shares on the computer, and then click OK.

    Note Type each FQDN host name on a separate line.

    Note If the BackConnectionHostNames registry entry exists as a REG_DWORD type, you have to first delete the BackConnectionHostNames registry entry.
  7. Exit Registry Editor, and then restart the computer.
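
The same steps as a script, added here as an example (it is not part of the original post or of Microsoft's article). The host name `reports.example.com` and the backup file location are constructed placeholders; it backs up the subkey, handles the wrong-type case from the note in step 6, and keeps any host names already listed.

```powershell
# Added example: scripted form of steps 1-7. Run from an elevated PowerShell session.
param(
    # Constructed placeholder; use the FQDN(s) from your SSL certificate or CNAME alias.
    [string[]]$HostNames = @('reports.example.com')
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name    = 'BackConnectionHostNames'

# Back up the subkey first (backup file location is an assumption).
$backup = Join-Path $env:TEMP 'MSV1_0-backup.reg'
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' $backup /y | Out-Null

$existing = @()
$key = Get-Item -Path $regPath
if ($key.GetValueNames() -contains $name) {
    $kind = $key.GetValueKind($name)
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::MultiString) {
        # Keep host names that are already registered.
        $existing = @($key.GetValue($name))
    } else {
        # Per the note in step 6: a value of the wrong type (e.g. REG_DWORD) is deleted first.
        Write-Warning "$name exists as $kind; deleting it before recreating it as a multi-string."
        Remove-ItemProperty -Path $regPath -Name $name
    }
}

# One FQDN per entry: trim, drop blanks, de-duplicate (case-insensitive).
$merged = @(($existing + $HostNames) |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

if (-not $merged) { throw 'No host names supplied.' }

New-ItemProperty -Path $regPath -Name $name -PropertyType MultiString -Value $merged -Force | Out-Null

# Read the value back to confirm its type and contents.
$key = Get-Item -Path $regPath
'{0} [{1}]' -f $name, $key.GetValueKind($name)
$key.GetValue($name) | ForEach-Object { "  $_" }
Write-Warning 'Restart the computer for the change to take effect (step 7).'
```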