Access denied – Microsoft loopback security check

I recently experienced an issue with a server which had me scratching my head for a couple of hours.  Fortunately my colleague had previously experienced this issue and promptly directed me to a Microsoft KB which allowed me to resolve the issue.

In Windows 2003 SP1 and above (IIS 5.1+) Microsoft built a new security feature into IIS to prevent reflection attacks.  This feature compares the FQDN or custom host header being used with the local machine name; if they differ, you may receive access denied or unauthorised errors when services call themselves locally.

With regard to SharePoint, problems can surface as indexer access issues or in any web service calls to the local machine.

There are a couple of fixes available (which are described in the Microsoft KB linked below) and both involve registry updates:

Method 1: Specify host names (Preferred method if NTLM authentication is desired)
Method 2: Disable the loopback check (less-recommended method)

I chose the second option for brevity (but this may not be the best option for your situation).  Before making any changes to the registry it is worth taking a moment to back it up.

To disable the loopback check, a DWORD value named DisableLoopbackCheck set to 1 must be added under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Restart the IIS Admin Service (a reboot may be required before these changes take effect) and the new settings should be in place.  With the loopback check disabled the FQDN or custom host header no longer causes a problem.
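
The backup step and both fixes as one script, written as an added example rather than code from this post or from Microsoft. The BackConnectionHostNames value under Lsa\MSV1_0 is the one Method 1 of the KB uses; the host name and backup path are placeholders to replace.

```powershell
#Requires -RunAsAdministrator
# Added example: back up the Lsa key, then apply one of the two KB 896861 fixes.
param(
    [ValidateSet('HostNames', 'DisableCheck')]
    [string]$Method = 'HostNames',
    # Constructed placeholder: use the host headers / FQDNs your sites answer on.
    [string[]]$HostNames = @('intranet.example.local'),
    # Placeholder path for the .reg backup.
    [string]$BackupPath = "$env:TEMP\Lsa-backup.reg"
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Export the Lsa key (including the MSV1_0 subkey) before changing anything.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupPath failed." }

if ($Method -eq 'HostNames') {
    # Method 1: the loopback check stays on; only the listed names are exempt.
    # Merge with any names already present instead of overwriting them.
    $existing = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
                 -ErrorAction SilentlyContinue).BackConnectionHostNames
    [string[]]$merged = @($existing) + $HostNames |
        Where-Object { $_ } | Sort-Object -Unique
    New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
}
else {
    # Method 2: the check is switched off for every host name on this machine.
    New-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report the resulting state so the change can be verified (and audited later).
[pscustomobject]@{
    Method                  = $Method
    DisableLoopbackCheck    = (Get-ItemProperty -Path $lsa).DisableLoopbackCheck
    BackConnectionHostNames = (Get-ItemProperty -Path $msv10).BackConnectionHostNames -join ', '
    Backup                  = $BackupPath
}
# Afterwards restart the IIS Admin Service as described in the post
# (a reboot may be required before the change takes effect).
```

To roll back, import the exported file with `reg import` or delete the value that was added.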

Take a look here for more detailed information from Microsoft:
http://support.microsoft.com/kb/896861


One Response to Access denied – Microsoft loopback security check

  1. Patrick says:

    Unfortunately I have already spent an hour trying to work out what was wrong. But after reading your article, it is all fixed now. Thanks for sharing.
