Share via


DisableLoopbackCheck. Lets do it the right way

Way too much debate out in Twitterville and through other folks that are just flat out wrong. Why wrong? Well in a test lab environment I have no problem with this but folks tend to get lazy and that is where you run risks in your production environment.

Now im not going lament on the whys as this was finely detailed by Spence Harbar and let me quote from his post

"What is the issue?
Windows Server 2003 SP1 introduced a loopback security check. This feature is obviously also present in Windows Server 2008. The feature prevents access to a web application using a fully qualified domain name (FQDN) if an attempt to access it takes place from a machine that hosts that application. The end result is a 401.1 Access Denied from the web server and a logon failure in the event log.

Unfortunately 401.1 is not really helpful as this error code means there is a problem with the user credentials. Of course, the HTTP spec doesn't know about security features in a vendor's implementation so there can't be a HTTP error code for such a feature. This can lead to much banging of the head on the desk. It's one of numerous causes of the 401.1 which are nothing to do with invalid credentials (e.g. attempting to use Kernel Mode Authentication with domain account in IIS7).

What this means is that when you browse a SharePoint Web Application which uses a fully qualified domain name from a WFE in the farm you will get a 401.1. This is very annoying on a development box, or when testing locally, or in other SharePoint specific scenario "

Ok so we have some background info the one thing my buddy doesn't do is show us how. Now the crux is that in https://support.microsoft.com/kb/896861 Microsoft details two such fixes for this. I am going to screenshot the right way to do this.

First off we need to add the following registry key to kick this off

 

In the screenshot above under HKEY_LM\system\CCS\Services\Lanmanserver\param we will create a dword DisableStrictNameChecking. Add a value of 1 to this new entry,

Exit Registry and reboot your box

Reopen Registry and nav to HKEY_LM\System\CCS\Control\LSA\MSV1.0 and create the following key as shown below

 

Once there simply open this Multi-String Value and enter the sites you want included… ie your SharePoint sites J

No need for URLs here.. simply type in (for this example) connect.contoso.com on a separate line your next site and on and on down the line.

The beauty of this method is that once you add this key you wont have to reboot your box after adding these entries.

So hope this post along with Spences stops the silly questions and even more so… wrong answers folks are following

Comments

  • Anonymous
    June 30, 2010
    Great tip! I never really liked the idea of completely disabling loopback check. Hope this makes it into all the "best practice" resources.

  • Anonymous
    November 20, 2013
    Note the URL to be entered needs to be the web app name and not the full URL to a site directly.

  • Anonymous
    August 10, 2014
    Microsoft Dynamics CRM 2013 Load Balancing

    I was recently asked if something would work in a load

  • Anonymous
    September 15, 2014
    This post on this blog are provided “AS IS” with no warranties - Editing of the Registry

  • Anonymous
    September 17, 2015
    This list helps developers and administrators to protect SharePoint Applications or portals from common

  • Anonymous
    March 08, 2016
    Pingback from Lync Control Panel–401.1 Unauthorized | Doug's Think-Tank