Monday 1 April 2013

Nintex Workflows 2010 Web service calls and load balancing: Unauthorized access error


Issue

If you are using Nintex Workflows 2010 in a load-balanced SharePoint farm with NTLM authentication, and the Call Web Service action fails with 401: Unauthorized even though you have verified that the account and password used for the call are correct, the cause is most likely an NTLM double-hop issue. In short: you have already authenticated with your client credentials, but NTLM does not permit a server to reuse those credentials to authenticate to other servers, so at the next hop (the web service call) the client credentials are no longer valid. Searching for "NTLM double-hop" will give you plenty of links where you can read more about the subject.

Solution

  • For development, deactivate the Windows loopback check on your front-end servers.
  • For production, add an entry in the Windows registry for BackConnectionHostNames.
  • Reconfigure your hosts files so that the load-balanced URL points to the local server's external IP address.

Deactivate the loopback check in Windows 2008 R2

1. Click Start, click Run, type regedit and then click OK.
2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD (32-bit) Value. Type DisableLoopbackCheck and then press Enter.
4. Right-click DisableLoopbackCheck, click Modify, type 1 in the Value data box and then click OK.
5. Quit Registry Editor. You might need to restart the server for the change to take effect.

Add an Entry to BackConnectionHostNames

1. Start Regedit on the server.
2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
3. Right-click MSV1_0, point to New, and then click Multi-String Value.
4. In the Name column, type BackConnectionHostNames and then press ENTER.
5. Right-click BackConnectionHostNames and then press ENTER.
6. In the Value data box, enter the FQDN you're using to access your SharePoint site. If you have multiple hostnames, each one has to be entered on a new line, like this:
www.mysite.com
www2.mysite.com
intra.mysite.com
7. Close Regedit and restart your server.

Note: If BackConnectionHostNames exists as a REG_DWORD you will have to delete it first and recreate it as a Multi-String value as in step 3.

Add an entry to the server's hosts file

Navigate to your server's hosts file and make an entry that looks like this:
127.0.0.1            <FQDN for your NLB>
Save and close the file. (If you cannot edit the hosts file in the etc folder, you might need to copy it to the desktop, make the changes there and then copy it back.)

Repeat this on all servers and you should be good to go.
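Here is the production path (BackConnectionHostNames plus the hosts-file entry) as one PowerShell script you can run on each server, so the same value lands on every front end. It is an added example, not code from the original post or from Nintex; the hostnames and the nlb.mysite.com FQDN are placeholders to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): sets the BackConnectionHostNames
# Multi-String value and adds the hosts-file entry described above.
# The hostnames and 'nlb.mysite.com' are placeholders; replace them with your own.
param(
    [string[]]$HostNames = @('www.mysite.com', 'www2.mysite.com', 'intra.mysite.com'),
    [string]$NlbFqdn = 'nlb.mysite.com'   # placeholder FQDN of the load-balanced URL
)

$msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name   = 'BackConnectionHostNames'

# Per the note above: an existing REG_DWORD must be deleted before the value
# can be recreated as a Multi-String (REG_MULTI_SZ) value.
$existing = Get-ItemProperty -Path $msvKey -Name $name -ErrorAction SilentlyContinue
if ($existing) {
    $kind = (Get-Item $msvKey).GetValueKind($name)
    if ($kind -ne 'MultiString') {
        Write-Host "$name exists as $kind; deleting it so it can be recreated as Multi-String."
        Remove-ItemProperty -Path $msvKey -Name $name
        $existing = $null
    }
}

if ($existing) {
    # Merge with names already configured so an earlier entry is not lost.
    $merged = @($existing.$name) + $HostNames | Select-Object -Unique
    Set-ItemProperty -Path $msvKey -Name $name -Value ([string[]]$merged)
} else {
    New-ItemProperty -Path $msvKey -Name $name -PropertyType MultiString `
        -Value ([string[]]$HostNames) | Out-Null
}

# Hosts-file entry so the NLB name resolves locally (127.0.0.1, as in the post).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = "^\s*127\.0\.0\.1\s+$([regex]::Escape($NlbFqdn))\s*$"
if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsPath -Value "127.0.0.1`t$NlbFqdn"
}

# Show the result for verification; the server still needs a restart for the
# LSA change to take effect.
(Get-ItemProperty -Path $msvKey -Name $name).$name
Select-String -Path $hostsPath -Pattern ([regex]::Escape($NlbFqdn))
```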