We have a NetScaler load balancer in front of multiple IIS servers, with a VIP set up for the web apps. Users access http://SharePointWebApp. However, if the web service is invoked from an individual server, such as from the InfoPath web-based form, it generates the exception described above. We had this issue before on SharePoint 2007 over two years ago, and I thought it would be beneficial to record the solution so we will not forget it in the future.
There are many possible causes of a (401) Unauthorized error. If you use a load balancer with multiple IIS servers and set up an alias or VIP for the web app, the two major ones are the authentication loopback issue and the load balancer not returning the call to the local host IP. You need to fix both of them for web service calls to succeed. Here are the procedures to fix them.
1. Authentication loopback issue
The cause was .NET 3.5 SP1 - the fix for me was to add a key to the registry to disable the authentication double lookup. The way to do it is to set the DisableLoopbackCheck registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1.
To set the DisableLoopbackCheck registry entry to 1, follow these steps on the client computer:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Exit Registry Editor.
- Restart the computer.
2. Load balancer web service call does not return to the local server
It seems that the web service call fails if it is initiated from one of the servers behind the load balancer but points to the web service using the VIP alias.
Here are the steps to find the IPs and fix this.
First, identify the IP for the web app's VIP alias. If your site URL is http://SharePointWebApp, you can find its IP from the IIS server with the ping command; here the IP is 22.44.555.66.
C:\ >ping SharePointWebApp
Pinging sharepoinwebapp.compony.com [22.44.555.66] with 32 bytes of data:
Reply from 22.44.555.66: bytes=32 time=1ms TTL=255
Second, find the IP of the IIS server behind the load balancer using the ipconfig command as shown below; here the IP is 77.33.99.44.
C:\Users\osstst1>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : xxxxxxxxx
Primary Dns Suffix . . . . . . . : na.compony.com
Node Type . . . . . . . . . . . . : Peer-Peer
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : compony.com
......
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 77.33.99.44(Preferred)
Third, add an entry to the hosts file, which is located at C:\Windows\System32\drivers\etc\hosts. Add one additional line like:
77.33.99.44 SharePointWebApp
Fourth, flush the DNS resolver cache with the command below and verify with ping that the web app alias, which originally resolved to the VIP 22.44.555.66, now resolves to the local IIS server IP 77.33.99.44.
C:\>ipconfig /flushdns
C:\ >ping SharePointWebApp
Pinging sharepoinwebapp.compony.com [77.33.99.44] with 32 bytes of data:
Reply from 77.33.99.44: bytes=32 time=1ms TTL=255
Now, the web service called by the InfoPath web-based form on the SharePoint IIS server will not go back to the load balancer. It will call the web service hosted on the same server.
By changing these two settings, you should be able to resolve the (401) Unauthorized error.
Good luck.
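A read-only check of both changes above, written in PowerShell as an added example that is not part of the original post. The $Alias default and the output property names are assumptions, and BackConnectionHostNames is the per-host-name exemption list that Windows also consults for the loopback check, which the post does not use.

```powershell
# Added example, not from the original post. Read-only: changes nothing.
# Assumption: $Alias is the VIP host name; run on an IIS server behind the load balancer.
param([string]$Alias = 'SharePointWebApp')

$lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Step 1: DisableLoopbackCheck = 1 turns the check off for every host name on this machine.
$loopback = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck

# Per-name exemption list (REG_MULTI_SZ); shown so the audit covers both ways
# the loopback check can be relaxed. The post itself does not set it.
$backConn = (Get-ItemProperty -Path "$lsa\MSV1_0" -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames

# Step 2: IPs that active (uncommented) hosts-file lines assign to the alias.
$mapped = foreach ($line in Get-Content -Path $hostsFile) {
    $tokens = @(($line -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
    if ($tokens.Count -ge 2 -and $tokens[1..($tokens.Count - 1)] -contains $Alias) { $tokens[0] }
}

# What the resolver returns now, compared with this server's own addresses.
$localIPs = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    ForEach-Object { $_.IPAddressToString }
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($Alias) | ForEach-Object { $_.IPAddressToString }
} catch {
    $resolved = @()   # alias does not resolve at all
}

[pscustomobject]@{
    Alias                     = $Alias
    DisableLoopbackCheck      = $loopback
    InBackConnectionHostNames = @($backConn) -contains $Alias
    HostsFileMapsAliasTo      = @($mapped)
    AliasResolvesTo           = @($resolved)
    ResolvesToThisServer      = [bool](@($resolved) | Where-Object { $localIPs -contains $_ })
}
```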
How can you implement this without affecting the load balancer? It seems like once this fix is in place you are no longer balancing the load?
Technically, if you're using VIP then you're already balanced to one of the WFE/IIS servers. If you think about it, VIP sent you to one of the many IIS servers, with load balancing you're then getting just the web service request bounced to another server. By doing the hosts change you're just making it stick to the server that VIP sent you to.
If this doesn't resolve the problem, what would you suggest?
Thanks Harry - this article saved my day!!
Great post just what I was looking for.
Polski Dentysta Londyn
A nice word on your part.
Sissy
these errors really need to be addressed and fixed. These are security risks that cannot be taken lightly. bet.com/activate