

MBAM 2.5 Troubleshooting: Unable to open helpdesk or self service portal - unknown error has occurred.

  


Introduction

We were deploying a highly available MBAM 2.5 infrastructure: two frontend servers with Windows NLB and two backend servers with a SQL Server 2012 AlwaysOn Availability Group.

Clients are able to escrow keys successfully, and we can see the database being populated with entries. Everything works on the client side.

  


Error

The problem starts when we try to retrieve keys from database. We get this error:

An unknown error has occurred. Please contact the Helpdesk or IT Department

The Helpdesk website does not even open and throws the following error:

We can also see a .NET exception with a response code of 401 Unauthorized:

 


Troubleshooting

The first troubleshooting step was to disable the loopback check on the frontend MBAM servers, as described in this KB article: http://support.microsoft.com/kb/896861

To set the DisableLoopbackCheck registry key, follow these steps: 

  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Right-click Lsa, point to New, and then click DWORD Value.

  4. Type DisableLoopbackCheck, and then press ENTER.

  5. Right-click DisableLoopbackCheck, and then click Modify.

  6. In the Value data box, type 1, and then click OK.

  7. Quit Registry Editor, and then restart your computer.

After this we were able to access Helpdesk and SelfService Portal successfully.

 

Later we used Method 1 of the same KB article instead:

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

  1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, see the following article in the Microsoft Knowledge Base:

    Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name (http://support.microsoft.com/kb/281308/)

  2. Click Start, click Run, type regedit, and then click OK.

  3. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  4. Right-click MSV1_0, point to New, and then click Multi-String Value.

  5. Type BackConnectionHostNames, and then press ENTER.

  6. Right-click BackConnectionHostNames, and then click Modify.

  7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.

  8. Quit Registry Editor, and then restart the IISAdmin service.

The reason for using Method 1 is that disabling the loopback check results in a less secure system, because it disables the protection against reflection attacks.
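
The Method 1 steps above can be scripted so that both frontend servers get identical settings. The following PowerShell is an added example, not part of the original article or the KB: the host names and the -RemoveLoopbackBypass switch are placeholders chosen for illustration, and the DisableStrictNameChecking location is the one given in KB 281308. It also reports whether DisableLoopbackCheck from the first attempt is still set.

```powershell
#Requires -RunAsAdministrator
# Added example: applies KB 896861 Method 1 and flags a leftover DisableLoopbackCheck.
# Host names are placeholders (assumptions); replace them with the portal names you use.
param(
    [string[]]$HostNames = @('mbam.example.com', 'mbam'),  # placeholder NLB / site names
    [switch]$RemoveLoopbackBypass                          # hypothetical switch: delete DisableLoopbackCheck
)

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv    = Join-Path $lsa 'MSV1_0'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Step 1: DisableStrictNameChecking = 1 (registry location per KB 281308)
New-ItemProperty -Path $lanman -Name DisableStrictNameChecking `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Steps 3-7: merge the names into BackConnectionHostNames (REG_MULTI_SZ),
# keeping any entries that are already present.
$existing = @((Get-ItemProperty -Path $msv -Name BackConnectionHostNames `
    -ErrorAction SilentlyContinue).BackConnectionHostNames)
$merged = @($existing + $HostNames | Where-Object { $_ } | Sort-Object -Unique)
New-ItemProperty -Path $msv -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $merged -Force | Out-Null
Write-Output "BackConnectionHostNames: $($merged -join ', ')"

# Check whether the global bypass from the first troubleshooting step is still active.
$bypass = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
    -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($bypass -eq 1) {
    if ($RemoveLoopbackBypass) {
        Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck
        Write-Output 'DisableLoopbackCheck removed.'
    } else {
        Write-Warning 'DisableLoopbackCheck=1 is still set; the loopback check is off for every host name.'
    }
}

# Step 8: restart the IISAdmin service (it is not installed on every IIS version).
if (Get-Service -Name IISADMIN -ErrorAction SilentlyContinue) {
    Restart-Service -Name IISADMIN -Force
} else {
    Write-Warning 'IISADMIN service not found; restart IIS or the server instead.'
}
```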

 


See also

A detailed explanation is available in this blog post:

http://blogs.msdn.com/b/lukaszp/archive/2008/07/18/reporting-services-http-401-unauthorized-host-headers-require-your-attention.aspx

  


Credits

Special thanks to Abdulhakim Shuaifan and Marek Kuzminski for their valuable contribution.