401 access denied when accessing /_vti_bin/Lists.asmx on an aliased website

This error happens on a SharePoint 2007 server, the web services is accessed by an alias url which does not exist in DNS. And we put a host name into our server’s HOSTS file alias

and one of our applications accesses http://alias/_vti_bin/Lists.asmx on the server programmically. The application fails because it gets 401 access denied from IIS.

In the security eventlog, I saw the following event

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: –
Caller Domain: –
Caller Logon ID: –
Caller Process ID: –
Transited Services: –
Source Network Address: IP_Address
Source Port: Port_Number

After some research, I found this problem was related with this article by Microsoft http://support.microsoft.com/default.aspx?scid=kb;en-us;896861#top

This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

Microsoft claims this security update http://support.microsoft.com/kb/957097/ could have caused the issue.  I checked the log of this server and found this security update was installed on 12/4/2008. It roughly matches the time when the problem was first noticed.


Leave a Reply

Your email address will not be published. Required fields are marked *