Microsoft introduced a new feature, the Loopback Security Check, in Windows Server 2003 SP1. It prevents access to a web application through a fully qualified domain name (FQDN) when the access attempt comes from the machine that hosts that application. The end result is a 401.1 Access Denied from the web server and a logon failure in the event log.
To ensure that calls initiated from the server itself do not result in HTTP 401 errors in the IIS logs, Microsoft suggests either disabling the loopback check security feature entirely on the SharePoint servers or configuring the list of URLs you want to access from the server itself, as described in KB article 896861: http://support.microsoft.com/kb/896861
- More detailed explanation of Microsoft KB Article regarding Loopback Check Security feature – http://iedaddy.com/2009/04/sharepointdisable-loopback-check/
- Spencer Harbar’s article on why you don’t want to disable loopback check on Production Server – http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx
Production and Staging Environments
For the staging and production environments, it is recommended to configure the list of URLs and web site addresses you want to exclude. Plan to disable the loopback check feature initially (see the next step, Development and Test Environments) so that SharePoint sites can be accessed from the servers using host headers during installation and configuration of the servers. Later, once the SharePoint web applications are configured and before go-live, configure the list of addresses you want to exclude.
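One way to script the exclusion list in PowerShell, as an added example that is not from the original article or from KB 896861. It assumes the list meant above is the KB's BackConnectionHostNames multi-string value under Lsa\MSV1_0; the function name, the -RemoveGlobalDisable switch and the host names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. HostNames are the web application host headers (FQDNs)
# that must be reachable from the server itself.
function Set-LoopbackHostNames {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$HostNames,
        [switch]$RemoveGlobalDisable   # also delete DisableLoopbackCheck
    )
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = "$lsa\MSV1_0"

    # Merge with any names already listed so existing exclusions survive.
    $current = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
                    -ErrorAction SilentlyContinue).BackConnectionHostNames
    $merged  = @(@($current) + $HostNames | Where-Object { $_ } |
                    ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($msv10, "Set BackConnectionHostNames = $($merged -join ', ')")) {
        New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }

    # Report, and optionally remove, the global switch from the dev/test steps.
    $dlc = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck
    if ($dlc -eq 1) {
        Write-Warning 'DisableLoopbackCheck = 1: the loopback check is off for every host name.'
        if ($RemoveGlobalDisable -and
            $PSCmdlet.ShouldProcess($lsa, 'Remove DisableLoopbackCheck')) {
            Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck
        }
    }
    [pscustomobject]@{
        BackConnectionHostNames = $merged
        DisableLoopbackCheckWas = $dlc
    }
}

# Constructed host names; -WhatIf previews the change without writing it.
Set-LoopbackHostNames -HostNames 'portal.contoso.example','mysites.contoso.example' -WhatIf
```

Drop -WhatIf to write the values. KB 896861 states what has to be restarted before they take effect.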
Development and Test Environments
For the development and test environments, plan to disable the loopback check completely to enable debugging and testing locally from the server. Plan to add a DisableLoopbackCheck value to the registry under the assumption that a host header will be used. Please note that DisableLoopbackCheck is not needed if you are using ServerName to refer to your SharePoint URLs.
- From the Start menu, click Run and enter “regedit” to launch the Registry Editor.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, create a DWORD value named DisableLoopbackCheck and enter a value of “1” (hexadecimal).
After you enter the value, click OK to finish editing.