LoopbackCheck and Scheduled Tasks

I came across a scenario where the same scheduled task would work on some servers, but not on others. The script that the scheduled task was kicking off used the DownloadString method of the Net.WebClient object to return the source code of a specific website. The website that it was accessing resided on the same server we were running the scheduled task from.

 

When running the script manually from the server, it worked fine. When kicking off the script through Task Scheduler and NOT choosing the 'Do not store password. The task will only have access to local resources.' option, the script worked fine. The fun began when we were forced to check the 'Do not store password. The task will only have access to local resources.' option due to security requirements. Now, the script would run inconsistently across servers. On the servers where it would fail, it would throw a 401 Unauthorized error and you would see in the security logs that it was trying to use ANONYMOUSUSER and NTLM instead of the account I chose in the task and Kerberos.

 

After a lot of poking around, I was able to track it down to the LoopbackCheck. The servers where it was working had the DisableLoopbackCheck entry set to 1 in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. The servers that were failing did not have this set.

If you are experiencing similar issues, there are two ways you can resolve them. One is to add the DisableLoopbackCheck entry to your registry (less secure; not recommended for production servers). The other is to use the BackConnectionHostNames registry entry and list all host names that will be used on that box. More detail on both methods can be found here: https://support.microsoft.com/kb/896861
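
To compare servers and apply the host-name method, the following PowerShell sketch is an added example, not part of the original post. It assumes an elevated session, and that BackConnectionHostNames is a Multi-String value under the Lsa\MSV1_0 subkey as KB 896861 describes; the function names and the host name are hypothetical placeholders.

```powershell
# Added example: audit the loopback check settings and add host names to
# BackConnectionHostNames instead of disabling the check globally.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = Join-Path $LsaKey 'MSV1_0'

function Get-LoopbackCheckState {
    # Read both values; a missing value yields nothing rather than an error.
    $lsa = Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        DisableLoopbackCheck    = if ($lsa) { $lsa.DisableLoopbackCheck } else { $null }
        BackConnectionHostNames = if ($msv) { @($msv.BackConnectionHostNames) } else { @() }
    }
}

function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$HostName)

    $state = Get-LoopbackCheckState
    if ($state.DisableLoopbackCheck -eq 1) {
        Write-Warning 'DisableLoopbackCheck is 1: the check is off for every host name on this server.'
    }

    # Merge existing and new names; Sort-Object -Unique ignores case by default.
    $merged = @(($state.BackConnectionHostNames + $HostName) |
        Where-Object { $_ } | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($Msv10Key, "Set BackConnectionHostNames to: $($merged -join ', ')")) {
        New-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }
    Get-LoopbackCheckState
}

# Audit first, then preview the change. The host name below is a constructed placeholder.
Get-LoopbackCheckState
Add-BackConnectionHostName -HostName 'intranet.example.test' -WhatIf
```

Run `Get-LoopbackCheckState` on a working and a failing server to confirm the difference before changing anything, and drop `-WhatIf` only once the list of host names is correct.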