TFS server cannot access itself by domain name

  • Question

  • We applied for a new domain name for the TFS server (alm.company.com.cn). When accessing alm.company.com.cn:8080/tfs from IE on that machine, the login prompt pops up over and over, even after switching between several domain users.

    Binding the domain name on the 8080 site had no effect. TFS runs with a domain account as its service account.

    Several servers show this behaviour, which causes another service of ours that calls TFS to report: cannot access alm.company.com.cn:8080/tfs (access by IP works).

    Has anyone run into this? How can it be fixed?

    2016年7月20日 7:42

Answers

  • That part hadn't been configured with the domain name yet.

    Importing the registry file below solved it:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
    "DisableStrictNameChecking"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "DisableLoopbackCheck"=dword:00000001

    Below is the background of the loopback problem and the countermeasures:

    Windows Server 2003 SP1 introduced a loopback security check. This feature is obviously also present in Windows Server 2008. The feature prevents access to a web application using a fully qualified domain name (FQDN) if an attempt to access it takes place from a machine that hosts that application. The end result is a 401.1 Access Denied from the web server and a logon failure in the event log.

    Unfortunately 401.1 is not really helpful as this error code means there is a problem with the user credentials. Of course, the HTTP spec doesn't know about security features in a vendor's implementation so there can't be an HTTP error code for such a feature. This can lead to much banging of the head on the desk. It's one of numerous causes of the 401.1 which have nothing to do with invalid credentials (e.g. attempting to use Kernel Mode Authentication with a domain account in IIS7).

    This problem occurs because of the way that NT LAN Manager (NTLM) treats different naming conventions as remote entities instead of as local entities. A local authentication failure might occur when the client calculates and caches the correct response to the NTLM challenge that is sent by the server in local "lsass" memory before the response is sent back to the server. When the server code for NTLM finds the received response in the local "lsass" cache, the code does not honor the authentication request and treats it as a replay attack. This behavior leads to a local authentication failure.

    This issue was introduced by a security fix:

    http://support2.microsoft.com/kb/957097/en

    To work around this issue, we have two ways to do that:

    http://support2.microsoft.com/kb/896861

    2016年7月22日 2:40
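The .reg import in the answer above is the second of the two KB 896861 workarounds: it switches the loopback check off for every name on the machine. As an added example that is not part of the forum thread, the PowerShell below applies the KB's first method instead, which lists only the host names that may loop back (REG_MULTI_SZ BackConnectionHostNames under Lsa\MSV1_0) and leaves the check on for everything else; the global DisableLoopbackCheck switch is kept as a fallback function. It then requests the TFS URL with the logged-on domain user's credentials to confirm the 401 is gone. The host name and port are the ones from the question; the function names and the use of Invoke-WebRequest are my assumptions. Note that DisableStrictNameChecking in the .reg file belongs to the SMB server (LanmanServer) and only matters for reaching file shares under an alias name; it has no bearing on the HTTP 401.1 on port 8080.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum thread): the two KB 896861 workarounds applied
# with PowerShell instead of a .reg import, plus a check that the fix took effect.
# Assumptions: host name and port come from the question; run on the TFS server itself.

$Fqdn   = 'alm.company.com.cn'          # name the server must accept for itself
$TfsUrl = "http://${Fqdn}:8080/tfs"      # ${} keeps ':8080' out of the variable name

# Method 1 (preferred): list the specific names that may loop back.
# REG_MULTI_SZ under Lsa\MSV1_0; the loopback check stays on for every other name.
function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $existing = @()
    $prop = Get-ItemProperty -Path $key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.BackConnectionHostNames) }
    # merge with whatever is already there so a second run does not drop earlier names
    $merged = @(($existing + $HostName) | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    return $merged
}

# Method 2 (what the .reg file in the answer does): switch the check off for all names.
# Broader than needed; only fall back to it if Method 1 is not enough.
function Disable-LoopbackCheck {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $key -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
}

# Request the TFS URL with the logged-on domain user's credentials (NTLM/Negotiate)
# and return the HTTP status: 200 once the fix works, 401 while the loopback check still bites.
function Test-TfsLoopback {
    param([string]$Url = $TfsUrl)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$names = Add-BackConnectionHostName -HostName $Fqdn
Write-Host "BackConnectionHostNames now: $($names -join ', ')"

# KB 896861 says to restart IIS after changing the value so the worker processes pick it up.
if (Get-Command iisreset -ErrorAction SilentlyContinue) { iisreset | Out-Null }

Write-Host "GET $TfsUrl -> HTTP $(Test-TfsLoopback)"
```

Run it on each TFS application-tier server that has to call itself by the new name. If the status stays 401 after Method 1, check the Security event log for the logon failure the KB describes before reaching for Disable-LoopbackCheck; the global switch also hides genuine reflection problems on that host.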

All replies

  • The server mapping at the TFS layer also has to use the domain name.



    2016年7月20日 8:19
  • I'm not sure whether your approach really solves it either; I configured it by following the article below:

    Set the DisableLoopbackCheck parameter

    Only then could the domain name be configured.




    2016年7月22日 5:08