Lately I’ve been playing with RavenDb, for building the website of the Web.NET Conference, and after first testing with the embedded db, I decided that it was better to go to “server mode”.

So I followed the instructions on how to set it up as an IIS application, and I got it working pretty quickly: I could access the management studio from the browser and run the site on my development machine connected to the instance running on the server (by specifying the credentials in the connection string).

When I was ready to publish it to do some real tests on the server, it stopped working and I was getting a “Credentials not valid” error, which was quite bizarre as it was exactly the same connection string I was using to connect to the same database from my dev machine.

I posted on the RavenDb mailing list, and Ayende offered to help me debug the problem: he had already encountered the same problem and blogged about it last year.

The problem is that, as a security measure, when you are working locally on a server you can authenticate via Windows Authentication only to sites that respond to the machine name:

This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

Here is the full Microsoft KB article: KB896861.

This is used to prevent reflection attacks.

To solve this problem you have three options:

  • make your site respond also to the machine name (obviously works only with one website per server)
  • disable, via a registry key, this loopback check only for some specified host names
  • disable, still via a registry key, the loopback check, on the entire server

In my case the first was not possible, the second approach didn’t work (as it also didn’t work for Ayende), so I had to implement the 3rd registry hack.

I won’t copy the details of the solution here: just go to the KB article linked above or to a much nicer post that explains things in more detail: Account failed to log on (0xc000006d) – Unable to load website from local server.
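To see which of the two registry-based options is in effect on a server, here is a read-only audit, added as an example and not taken from the original post or the KB article. The registry paths and value names are the ones documented in KB896861; the host name `ravendb.example.local` is a constructed placeholder for the host header your site answers to.

```powershell
# Added example: read-only audit of the loopback-check settings (KB896861).
# It changes nothing; it only reports which option is active on this server.

function Get-LoopbackCheckState {
    param(
        # Host header the local IIS site answers to (constructed sample value).
        [string]$HostName = 'ravendb.example.local'
    )

    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = Join-Path $lsa 'MSV1_0'

    # Option 3: DWORD DisableLoopbackCheck = 1 switches the check off server-wide.
    $disable = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
                    -ErrorAction SilentlyContinue).DisableLoopbackCheck

    # Option 2: multi-string BackConnectionHostNames exempts only the listed names.
    $names = @((Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
                    -ErrorAction SilentlyContinue).BackConnectionHostNames |
               Where-Object { $_ })

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        HostName              = $HostName
        # Option 1: no registry change is needed when the site answers to the machine name.
        HostIsMachineName     = ($HostName -ieq $env:COMPUTERNAME)
        HostNameExempted      = ($names -contains $HostName)   # case-insensitive match
        ExemptedHostNames     = $names
        LoopbackCheckDisabled = ($disable -eq 1)
    }
}

$state = Get-LoopbackCheckState -HostName 'ravendb.example.local'
$state | Format-List

if ($state.LoopbackCheckDisabled) {
    # With option 3 the reflection-attack protection is off for every host name.
    Write-Output 'Loopback check: disabled for the whole server (DisableLoopbackCheck = 1).'
} elseif ($state.HostNameExempted) {
    Write-Output "Loopback check: enabled, with an exemption for $($state.HostName)."
} else {
    Write-Output 'Loopback check: enabled, no exemption for this host name.'
}
```

Run it from an elevated PowerShell prompt on the server itself; changes to either value take effect only after the restart required for that setting.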

After restarting the server I was able to access the Management Studio locally from the server, but the application was still not connecting to the server. To make it work I had to remove the username and password from the connection string, probably because the process of the web site was already authenticated using Integrated Authentication to the other IIS site under which RavenDb is running.

It took me (and Ugo) a whole day to solve this nasty problem, but now we have a RavenDb server up and running …