вторник, 26 апреля 2016 г.

IIS, localhost, Access Denied



You are almost certainly running into the Windows loopback check that was introduced with IIS 5.1. This is a security feature to avoid certain types of reflection attacks against the system.
Microsoft has a KB article describing workarounds. They basically boil down to modifying the registry to either disable the loopback check, or to allow certain hostnames (e.g. your local host name or site name) to back-connect.
You can quickly disable the check via PowerShell:

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value "1" -PropertyType dword

Method 1: Specify host names (Preferred method if NTLM authentication is desired)
  1. Set the DisableStrictNameChecking registry entry to 1.
  2. Click Start, click Run, type regedit, and then click OK.
  3. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  4. Right-click MSV1_0, point to New, and then click Multi-String Value.
  5. Type BackConnectionHostNames, and then press ENTER.
  6. Right-click BackConnectionHostNames, and then click Modify.
  7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  8. Quit Registry Editor, and then restart the IISAdmin service.

Method 2: Disable the loopback check (less-recommended method)
  1. Set the DisableStrictNameChecking registry entry to 1.
  2. Click Start, click Run, type regedit, and then click OK.
  3. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  4. Right-click Lsa, point to New, and then click DWORD Value.
  5. Type DisableLoopbackCheck, and then press ENTER.
  6. Right-click DisableLoopbackCheck, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Quit Registry Editor, and then restart your computer.

Addendum:
To set the DisableStrictNameChecking registry entry to 1:
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  3. Right-click Parameters, point to New, and then click DWORD Value.
  4. Type DisableStrictNameChecking, and then press ENTER.
  5. Right-click DisableStrictNameChecking, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart your computer.


https://support.microsoft.com/en-us/kb/926642
Ярлыки: