

DisableLoopBackCheck when routing through a Load Balancer (PowerShell sample included)

Posts on this blog are provided “AS IS” with no warranties. Editing the Registry is at your own risk.
 

Quick Summary

This has been covered many times and detailed very well by

Spencer https://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx and

Bob https://blogs.technet.com/b/sharepoint_foxhole/archive/2010/06/21/disableloopbackcheck-lets-do-it-the-right-way.aspx

The only recommended way to apply this change correctly in Production is Method 1 from the KB article. (Spencer also reminds you: DO NOT use Method 2 on a production server.)

Why do we need more Info when a Load Balancer is Involved

The layout of the entries is important, and they must include the Load Balanced URL (see below).
I also include a PowerShell command to add the entries, which is particularly helpful when you have a few servers and a lot of URLs.
Antivirus software on a server can block the change.

What to do

The KB support is here https://support.microsoft.com/kb/926642
(EXTRACT FROM THE KB ARTICLE ABOVE)

Method 1: (Editing the Registry is dangerous so make sure you know what you are doing and have a back-up)

To do this, follow these steps on all the Web Front End servers in the Farm. (I complete this on all servers in the Farm in case I promote an App Server to become a WFE server.)

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. In the Name column, type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
    1. In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK.
      Note Type each host name on a separate line.
      Note If the BackConnectionHostNames registry entry exists as a REG_DWORD type, you have to delete the BackConnectionHostNames registry entry.
  6. Quit Registry Editor, and then restart the IISAdmin service.
    (Open Services.msc and restart the IISAdmin service. If you still have the issue, the server will need to be restarted; schedule this after hours.)

NB: My 5 cents on the above:

    1. Ensure each Host Name is on a separate line with no characters or spaces in between (my examples below)
      mytest.sharepoint.com
      test.sharepoint.com
    2. Make sure you add the URL that is used by the Load Balancer, otherwise you will still be prompted (my example below; this depends on how your redirection is configured)
      myloadbalancer.sharepoint.com

 

PowerShell example to add your URLs so you don't have to add each one manually:

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0 -Name "BackConnectionHostNames" -Value "mytest.sharepoint.com","test.sharepoint.com","myloadbalancer.sharepoint.com" -PropertyType MultiString

Simply replace my URLs with yours and add any additional URLs as further quoted strings separated by commas. PowerShell writes one line of the multi-string value per array element, whereas a single string with `r`n embedded between the URLs is stored as one entry.
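
The Method 1 steps and notes above as a repeatable script, added here as an example (it is not code from the original post or the KB article). It merges host names into any existing BackConnectionHostNames value instead of overwriting it, handles the REG_DWORD case from the KB note, and rejects entries that contain spaces or other characters. The function name Add-BackConnectionHostName is hypothetical; the host names are the post's samples.

```powershell
# Added example. Run elevated on each server; -WhatIf previews without writing.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$HostName)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name = 'BackConnectionHostNames'

    # The value holds bare host names only: no spaces, schemes, ports or paths.
    $clean = foreach ($h in $HostName) {
        $t = $h.Trim()
        if ($t -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
            throw "Not a bare host name: '$h'"
        }
        $t
    }

    $existing = @()
    $item = Get-Item -Path $key
    if ($item.GetValueNames() -contains $name) {
        $kind = $item.GetValueKind($name)
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::MultiString) {
            $existing = @($item.GetValue($name))
        } elseif ($PSCmdlet.ShouldProcess("$key\$name", "Delete $kind value")) {
            # KB note: a REG_DWORD entry has to be deleted; any other
            # non-multi-string type is treated the same way here.
            Remove-ItemProperty -Path $key -Name $name
        }
    }

    # Keep existing entries, append new ones, skip duplicates (case-insensitive).
    $merged = @()
    foreach ($h in @($existing) + @($clean)) {
        if ($h -and ($merged -notcontains $h)) { $merged += $h }
    }

    if ($PSCmdlet.ShouldProcess("$key\$name", "Set to: $($merged -join ', ')")) {
        # A string[] is written as one REG_MULTI_SZ line per host name.
        New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
            -Value ([string[]]$merged) -Force | Out-Null
    }

    # Return what is stored now so it can be checked before restarting IISAdmin.
    (Get-Item -Path $key).GetValue($name)
}

# Host names below are the post's samples.
Add-BackConnectionHostName -WhatIf -HostName 'mytest.sharepoint.com',
    'test.sharepoint.com', 'myloadbalancer.sharepoint.com'
```

Drop -WhatIf to apply the change, then restart the IISAdmin service as in step 6.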

NB - ANTIVIRUS

Some Antivirus software will block both manual and PowerShell editing of the Registry keys under \Lsa.
You may have to temporarily disable the Antivirus whilst making these changes.

Comments

  • Anonymous
    January 01, 2003
    Thank you for the useful information.
  • Anonymous
    January 01, 2003
    Teodora, glad it helped. Jason, yes it does. The only time when it may not be required is if you configure SPN's for all servers and configure everything to run Kerberos which doesn't really make sense. There is a good article explaining it further here. https://marclsitinfrablog.wordpress.com/2013/01/03/windows-the-confusion-over-disableloopbackcheck-disablestrictnamechecking-and-kerberos/
  • Anonymous
    September 29, 2014
    There are many PowerShell scripts available to warm up SharePoint environments but they do not all handle
  • Anonymous
    March 26, 2015
    Is this still necessary with web applications configured for claims authentication?
  • Anonymous
    November 28, 2017
    Here is another way to use PowerShell to add host names:
    $HostNames = @()
    $HostNames += "sharepoint.contoso.com"
    $HostNames += "search.sharepoint.contoso.com"
    $HostNames += "admin.sharepoint.contoso.com"
    New-ItemProperty "hklm:SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Type MultiString -PSProperty BackConnectionHostNames -Value $HostNames
    • Anonymous
      November 29, 2017
      Thanks Robert