When deploying a Lync Server the other day I spent a good 15 mins (stupid me) trying to figure out why I couldn’t open the Lync CSCP control panel from the Lync Server – I kept getting:
HTTP Error 401.1 – Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
I had defined an Admin URL when establishing my topology (and published it), plus I had set the appropriate DNS records within my domain to make the CSCP site resolve – still no Dice. I finally ended up trying from another server which had Silverlight installed… It worked!?!
So what was the cause?
Back in Win Server 2003 Sp1 (and subsequent versions of Windows) Microsoft introduced a loop-back security check. This feature prevents access to a web application using a fully qualified domain name (FQDN) if the attempt to access it takes place from a machine that hosts that application. The end result is a 401. 1 Access denied from the web server and a logon failure event in the Windows event log.
A work around for the issue if you really want to access the Lync CSCP from the Lync server itself (using anything other than https://localhost/cscp):
- Logon on to the Lync server with an account that is member of the local admins group
- Start “regedit”
- Navigate and expand the following reg key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters”
- Right-click Parameters, click New, and then click DWORD (32-bit) Value.
- In the Value name box, type DisableStrictNameChecking, and then press ENTER.
- Now navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0”
- Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the host name (or the host names) for the sites that are on the local computer, and then click OK.
- Quit Registry Editor, and then restart your server
You should be good to go 🙂
For more reading + another possible (and less-secure) work around for a lab environment see KB896861