SharePoint 401.1 Authentication error when accessing from the local machine


I know this has been posted all over but I’m adding my own since I can never seem to remember it.  It tends to pop back up whenever I bring up a temporary server or a farm recovery server. 

I believe it was in Windows Server 2003 SP1 that Microsoft released a security update that put a bunch of SharePoint admins into a minor panic.  This update caused you to be denied access to your own farms from the local machine(s).  You could browse just fine from a remote machine but if you tried to access it locally, you got the following error after a few failed authentication attempts:


You may also notice the following in the security event log:


The biggest problem with this wasn’t the fact that you could no longer access your machine locally.  The likely reason you found out about this is that your users told you that search was broken!  Since SharePoint indexes itself by browsing to itself locally, it would no longer run either!

The update brings about a loopback security check for IIS 5 and IIS 6. It helps to protect against reflection attacks.  For more on reflection attacks, check out Wikipedia.  I admit I had to look it up.

Now we know what it is, so how do we let it know it can trust us to access our own machines locally?  Thankfully this is pretty easy.  There are two ways to do this: you can either disable the loopback check completely or you can specify host names that it will allow.  I would recommend the latter since having this in place would be a good security practice.

First off, open the registry* (REGEDIT) and browse to:

HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0

Create a new multi-string value called: BackConnectionHostNames and add the host names to it.  After that, restart the IIS Admin service or better yet, restart the machine.

Now if you would rather disable the loopback check completely, browse to:

HKLM\System\CurrentControlSet\Control\Lsa

Create a new DWORD value called DisableLoopbackCheck. Give it a value of 1 and restart.  After that, you should be set.
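The host-name approach can also be scripted. The following is an added example, not part of the original post: it merges host names into BackConnectionHostNames without losing existing entries and warns if the blanket DisableLoopbackCheck override is set. The host names are constructed placeholders; run it from an elevated PowerShell session.

```powershell
# Added example. Host names are constructed placeholders; replace them with
# the names your web applications actually answer to.
$hostNames = @('portal.example.local', 'mysites.example.local')

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = Join-Path $lsaKey 'MSV1_0'
$name    = 'BackConnectionHostNames'

# Read the current list, if the value already exists.
$current = @()
$prop = Get-ItemProperty -Path $msv1Key -Name $name -ErrorAction SilentlyContinue
if ($prop) {
    $current = @($prop.$name | Where-Object { $_ })
}

# Merge old and new entries; Sort-Object -Unique compares case-insensitively,
# which matches how host names are treated.
$merged = @(($current + $hostNames) | Sort-Object -Unique)

# -Force overwrites an existing value and keeps the multi-string type.
New-ItemProperty -Path $msv1Key -Name $name -PropertyType MultiString `
    -Value $merged -Force | Out-Null

Write-Output "$name now contains:"
$merged | ForEach-Object { Write-Output "  $_" }

# Report the blanket override, which turns the check off for every host name.
$dlc = (Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' `
    -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($dlc -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is disabled for all host names on this server.'
} else {
    Write-Output 'DisableLoopbackCheck is not set to 1; only the listed host names are exempt.'
}

# Restart the IIS Admin service or the machine afterwards, as described above.
```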

Last thing I want to say is it’s probably a good idea to do this to all of your front end and application servers.  It shouldn’t be necessary to do it on your SQL server unless it is on the SharePoint server or you are possibly experiencing the problem with SQL reporting.

Microsoft’s documentation on this feature is available at: http://support.microsoft.com/default.aspx/kb/896861

*It goes without saying, but be careful in the registry.  Take all necessary precautions before messing around in here.
