MS IIS Setting: HTTP Failed To Connect if Using Machine Name

Ahmad A. Rahman

Dear Experts,

Previously I was working on Microsoft IIS 6 on Win XP Pro SP2 to host my web
application, and it's for development and testing purposes. Normally I use the
machine name instead of localhost. So, I always use something like
http://mymachine/MYAPP/application.dll.

But a few weeks ago, I had manually updated the Windows Update, guessing
that it might help me on resolving security vulnerabilities in Windows,
(which I'm not sure what). So after the update, I can no longer use my
machine name and I have to use the localhost instead. Of course this is OK
if I'm working on this machine alone, but I also need to do testing from
other PC directing to this machine as well.

I tried to telnet to port 80, and it failed to establish a connection if I'm
not using the name 'localhost'. Looks like it blocks the usage of port 80 if
I'm using the machine name. Seems to me that this only requires a little
twist somewhere... but I really have no clue where.

I tried to uninstall the whole Windows Update. Tried to stop Windows
Firewall, stop the anti-virus, tweak system settings. But all to no avail.

Can anybody here be kind enough to help me?

Thank you.
 
Ahmad A. Rahman

OK, it's not IIS 6. And you can't install it in XP. My mistake.

Please help resolving the issue.
 
Roger Abell [MVP]

How far out of date was this XP on service as obtained from
Windows Update? Was SP 2 part of the new service applied?

When you say "all to no avail", what do you mean? That you
could not shut off the firewall or that it made no difference?

That you pull up content with localhost shows that IIS is working.
Use of localhost does not go out the network interface, so either
tcp 80 is not being allowed in or the website is configured with
hostheaders to only allow response when hit upon with certain
host names (like localhost) in use.
 
Ahmad A. Rahman

No. SP2 is not part of the update. I already installed SP2 a long time ago and
it was working well (I could go to port 80 using the machine name).

Yes. It's like tcp 80 is not being allowed to accept connections if using
the machine name. I had actually experienced this twice on different
machines. It all happened after I applied Windows Update. I am not sure which
Windows Update package because I normally download and install a whole bunch
of them. After I installed them and rebooted, then it happened. I'm sure that
it's part of the security feature that was enforced on the system. But I do
not know how to tweak it back to normal again.

I'm going to do some more testing first and let you know the results.
 
Ahmad A. Rahman

OK, it is confirmed to be an IIS setting, and not the TCP/IP network interface or
a firewall filter.

The reason: Just now I tried to use the Apache Tomcat webserver and point it to
port 80, and I used the machinename, IT'S WORKING FINE!!
Tried to telnet to port 80 using the machine name, and of course it is
working as well (using Tomcat).

So, the question now is, where is the IIS setting that filters out the
connection if using the machinename? It must be somewhere. I'll let you guys
know when I find it. But I'd appreciate it if you guys can help me too. :)

Thanks.
 
Roger Abell [MVP]

The only place I am aware of that might fit the bill is on the
general properties of the website where one defines what
IP the site responds to, as there one can state for what names
(i.e. host headers) the IP will be effective.
 
David Wang

No, you didn't confirm it to be IIS setting because the conclusion does
not make sense. There is no such setting to filter out connections by
machinename.

Why? Because the machinename is not used to make a connection to IIS.
The client does a DNS lookup on the machinename to obtain an IP-address,
and then it makes a TCP/IP connection to port 80 of that IP-address
using the HTTP protocol. IIS never sees the machinename, so how can it
filter out such connections?

Now, there is a documented XPSP2 security patch at the TCP/IP level
which affects local-loopback connectivity via the IP-address associated
with the machinename. It mainly affects NTLM Authentication, which is
enabled on IIS but not Apache. I forget the exact patch# but I know it
exists. And it has a Registry switch to disable that security behavior.

Why it works for Tomcat server, not certain - maybe Java uses its own
networking stack at the native layer.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
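
The checks discussed in the replies above (the name is resolved to an IP address, a TCP connection is made to that address, and only then does the server see a name, in the Host header), as an added example that is not part of the original thread. The names `probe`, `HostBoundSite` and `start_demo_server` are hypothetical, and the demo server is a constructed stand-in for a site bound to one host header.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(name, port, host_header=None, timeout=3.0):
    """Resolve name, then test TCP and HTTP on every address it maps to."""
    try:
        infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return [(None, "resolve_failed")]  # lookup problem, server never contacted
    results = []
    for ip in sorted({info[4][0] for info in infos}):
        try:
            conn = socket.create_connection((ip, port), timeout=timeout)
        except OSError:
            results.append((ip, "connect_failed"))  # filtered, or not listening on this IP
            continue
        with conn:
            try:
                # The web server only learns the name from this header.
                req = f"GET / HTTP/1.0\r\nHost: {host_header or name}\r\n\r\n"
                conn.sendall(req.encode("ascii"))
                status = conn.makefile("rb").readline().split()
                verdict = "http_" + status[1].decode("latin-1") if len(status) > 1 else "no_http_reply"
            except OSError:
                verdict = "no_http_reply"
        results.append((ip, verdict))
    return results

class HostBoundSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a site bound to the host header 'localhost'."""
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        self.send_response(200 if host == "localhost" else 400)
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_demo_server():
    srv = HTTPServer(("127.0.0.1", 0), HostBoundSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    port = start_demo_server().server_address[1]
    print(probe("127.0.0.1", port, host_header="localhost"))  # same socket, accepted name
    print(probe("127.0.0.1", port, host_header="mymachine"))  # same socket, other name
```

A `connect_failed` verdict on the address the machine name resolves to, alongside an HTTP status on 127.0.0.1, places the problem below the web server's request handling; an HTTP error status that changes with the Host header places it in the site's host-header binding.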
 
Ahmad A. Rahman

David,

I think you are correct. And your explanation makes sense. It must be at the NTLM authentication level or somewhere after TCP/IP receives the request, but bounces it back off. I know that Apache does not use NTLM and that makes the process much simpler.

I tried to uninstall and re-install IIS just now, and apparently, it is still not working.

It must be somewhere in the registry. Somewhere in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Not sure which key, I'm afraid that I'll blow my whole operating system.

As for the status, I copied this console message:


--------------------------------------------------------------------------------

D:\Documents and Settings\Ahmad>telnet rahman 80
Connecting To rahman...Could not open connection to the host, on port 80: Connec
t failed

D:\Documents and Settings\Ahmad>telnet rahman 25

D:\Documents and Settings\Ahmad>telnet localhost 25

220 rahman Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Wed, 2
9 Nov 2006 21:45:44 +0800
QUIT
221 Closing connection. Good bye.


Connection to host lost.

D:\Documents and Settings\Ahmad>


--------------------------------------------------------------------------------



Telnet to port 25 is also not successful if using machinename. The journey will continue for me.

But it's weird. Am I alone affected by this weird problem? Has anyone out there got this kind of mess?

Thanks.


