
Access Denied when attempting to administer via the AD RMS console - workaround

Some may have noticed that they get Access Denied from the AD RMS management console after installing the role, even when running as the same administrative account that installed it.

Windows Server 2008 and later has a loopback check security feature. The feature prevents access to a web application using a fully qualified domain name (FQDN) if an attempt to access it takes place from a machine that hosts that application. The end result is a 401.1 Access Denied from the web server and a logon failure in the event log.

The problem is that accessing the web application via its FQDN is exactly what the AD RMS console does by default, so the administrator may not be able to get into the console.

To resolve this, open the Registry Editor and go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a DWORD value named DisableStrictNameChecking and set it to 1.
Exit the Registry Editor and reboot the box (no further reboots are needed).

Reopen the Registry Editor and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Create the following value:
BackConnectionHostNames (REG_MULTI_SZ)
Open this Multi-String Value and enter the sites you want included, i.e. your AD RMS site.

No URLs are needed here; simply type YourRMSServer.YourDomain.com
You can add multiple sites, one per line.

Then you should be able to get into the console locally.
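The two registry changes above, as an added PowerShell example (not from the original post). It scopes the exception to the named host via BackConnectionHostNames rather than disabling the loopback check globally, preserves any names already in the multi-string value, and reports both settings afterwards; $RmsHost is an assumed parameter and the script must be run elevated, followed by the reboot the post describes.

```powershell
# Added example (not from the original post). Registers the AD RMS site FQDN
# as an allowed back-connection host name and relaxes strict name checking,
# which is the same workaround as the manual registry steps above.
# $RmsHost is an assumed parameter, e.g. 'YourRMSServer.YourDomain.com'.
param(
    [Parameter(Mandatory)][string]$RmsHost
)

$srvParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$msv10     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Step 1: DisableStrictNameChecking = 1 (DWORD). Takes effect after a reboot.
New-ItemProperty -Path $srvParams -Name 'DisableStrictNameChecking' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: add the FQDN to BackConnectionHostNames (REG_MULTI_SZ).
# Keep any names already listed and avoid duplicates, so re-running is safe.
$existing = @()
$prop = Get-ItemProperty -Path $msv10 -Name 'BackConnectionHostNames' `
    -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.BackConnectionHostNames) }

if ($existing -notcontains $RmsHost) {
    $updated = $existing + $RmsHost
    New-ItemProperty -Path $msv10 -Name 'BackConnectionHostNames' `
        -PropertyType MultiString -Value $updated -Force | Out-Null
    Write-Host "Added $RmsHost to BackConnectionHostNames"
} else {
    Write-Host "$RmsHost is already listed in BackConnectionHostNames"
}

# Check: show the resulting values so the change can be confirmed (and
# reviewed later, since this is a deliberate exception to the loopback check).
Get-ItemProperty -Path $srvParams -Name 'DisableStrictNameChecking' |
    Select-Object DisableStrictNameChecking
Get-ItemProperty -Path $msv10 -Name 'BackConnectionHostNames' |
    Select-Object -ExpandProperty BackConnectionHostNames
```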
