Users experience authentication issues when they access a Web page in IIS 6.0 or query Microsoft SQL Server 2000 after you install Windows Server 2003 Service Pack 1 (887993)



The information in this article applies to:

  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition



Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

You upgrade a Microsoft Windows Server 2003-based computer that is running Microsoft Internet Information Services (IIS) 6.0 or Microsoft SQL Server 2000 to Windows Server 2003 Service Pack 1 (SP1). After you do this, users experience authentication issues when they use Web applications or when they use a program that queries the database. For example, a user may experience symptoms that are similar to one of the following:
  • The user receives an "Access denied" error message when the user tries to access a Web page that retrieves data from a back-end database.
  • The user cannot connect to another database server that is located in a Network Load Balancing (NLB) cluster. Queries to the database server fail.
The symptoms that users experience may vary depending on your particular environment.

CAUSE

This issue occurs if the service principal name (SPN) of the service is not authenticated. The SPN is not authenticated if the SPN is not registered to a service account. Windows Server 2003 SP1 includes loopback check functionality that is stored in the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck

By default, loopback check functionality is turned on in Windows Server 2003 SP1, and the DisableLoopbackCheck registry entry is set to 0 (zero). The loopback check functionality prevents the program from registering the SPN.

RESOLUTION

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, register the SPN with the account that the service runs under. To do this, set the DisableLoopbackCheck entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1, and then determine the name of the SPN.

To set the DisableLoopbackCheck registry entry to 1

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Right-click DisableLoopbackCheck, and then click Modify.
  4. Type 1 in the Value data box, and then click OK.

To determine the name of the SPN

  1. Add the following registry entries, and then set each registry entry to the appropriate value as follows:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\LogLevel
      Value: 1
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\LogToFile
      Value: 1
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\KerbDebugLevel
      Value: c3
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel
      Value: 1
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogToFile
      Value: 1
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\KerbDebugLevel
      Value: c3
    To add a registry entry, follow these steps:
    a. Locate and then click the registry subkey where you want to add the registry entry.
    b. On the Edit menu, point to New, and then click DWORD Value.
    c. Type the name of the registry entry that you want to add, and then press ENTER.
    d. Right-click the registry entry that you added in step 1c, and then click Modify.
    e. Type the appropriate value for that registry entry, and then click OK.
    f. Repeat steps 1a through 1e for each registry entry that you want to add.
    g. Quit Registry Editor.
  2. Restart the computer, and then reproduce the issue. After you do this, an event ID error message that is similar to the following is logged to the System log:
    Type: Error
    Source: Kerberos
    Category: None
    Event ID: 3
    Description: A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: TimeDate
    Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: DomainName.com
    Server Name: MSSQLSvc/DomainName.com:1433
    Target Name: MSSQLSvc/ServerName.DomainName:1433@DomainName.com
    Error Text:
    File: 9
    Line: ab8
    Error Data is in record data.
    Determine the SPN from the event ID error message. In this example, the SPN is MSSQLSvc/DomainName.com:1433.
  3. Use the Setspn.exe command-line tool to register the SPN to the appropriate service account. In IIS 6.0, the service account is typically the account that the WWW service runs under or the account that the application pool uses. In Microsoft SQL Server 2000, the service account is the account that SQL Server 2000 runs under. Use the following syntax to add a new SPN:

    setspn -a SPN DomainName\AccountName

    The following is an example of how to use the Setspn.exe command-line tool to add an SPN:

    setspn -a MSSQLSvc/NLBNAME.corp.domain.com:1433 DomainName\AccountName
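
The following Python sketch is an added example, not part of the original article or of any Microsoft tool. It parses the description text of a Kerberos event ID 3 like the one in step 2, confirms that the error is 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN, and builds the matching setspn command line from step 3. The function names and the sample text (constructed and abridged from the event above) are assumptions.

```python
import re

# Constructed sample: the event description from step 2, abridged.
# Fields that the article shows blank are left blank.
SAMPLE_EVENT = """\
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: TimeDate
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: DomainName.com
Server Name: MSSQLSvc/DomainName.com:1433
Target Name: MSSQLSvc/ServerName.DomainName:1433@DomainName.com
Error Text:
"""

# "Field Name: value" where the field name contains only letters and spaces.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_event(text):
    """Return the 'Name: value' fields of the event description as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def missing_spn(text):
    """Return the unregistered SPN, or None if the event is not error 0x7."""
    fields = parse_event(text)
    code = re.match(r"0x([0-9A-Fa-f]+)", fields.get("Error Code", ""))
    if not code or int(code.group(1), 16) != 0x7:
        return None
    spn = fields.get("Server Name", "")
    # Accept only the serviceclass/host[:port] form shown in the article, so
    # that log text is never copied unchecked into a command line.
    ok = re.fullmatch(r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(:\d+)?", spn)
    return spn if ok else None

def setspn_command(text, account):
    """Build 'setspn -a SPN DomainName\\AccountName', or None if not applicable."""
    spn = missing_spn(text)
    if spn is None or not re.fullmatch(r"[^\\\s]+\\[^\\\s]+", account):
        return None
    return f"setspn -a {spn} {account}"
```

The function returns the command as a string for review rather than running it, so that an administrator can confirm the service account before the SPN is registered.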

MORE INFORMATION

The Setspn.exe command-line tool is included in Microsoft Windows Server 2003 Support Tools. You can install Windows Server 2003 Support Tools from the Support\Tools folder of the Windows Server 2003 CD.

Modification Type: Major
Last Reviewed: 8/25/2005
Keywords: kbtshoot KB887993 kbAudITPRO