A quick guide to configuring the Loopback check

Update: A free tool is available that does all this for you in a GUI: Loopback Check configuration Tool released – free download

Hi dear friends!

401.1 Access denied…
If you try to access your newly created web application with a real nice FQDN or NetBIOS name and you end up getting a 401.1 Access denied…

Even after adding the site to the local intranet zone in IE…
Even after beeing prompted 3 times and filling in the correct credentials…
After setting up your Search to crawl you sites in a small farm whith crawl and web services on the same server…

You check and doublecheck your credentials, you add yourself as the farm admin, you try logging on with the farm account, but nothing…still 401.1…

I know this has been written about many times Before, but some things seem to still be missing…
Now everyone seems comfortable with the sparse description on how to ‘add hosts to the list’ which is pretty much what you do when configuring the loopback check the ‘secure way’. You can also disable the loopbackcheck completely, but why if there is no real reason. Read Spencer Harbars excellent post on the topic if you need explaining why this is so. It is a few years but it is still the truth!

The KB article 896861 for this is an old one and the title does not really tell you that this is the one you are looking for, ‘type the host name or the host names for the sites that are on the local  computer, and then click OK.’ is not crystal…

Jump to:
Configure Loopback check using the GUI
Configure Loopback check using Powershell
Credits and References

What you need to do is this step by step:

In ‘Metro’ mode, type regedit


Regedit will most likely be the only result, hit enter


In regedit, find the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0





Now, create a Multi-String Value under the MSV1_0 key.


Type in the name of the new Multi-String value: ‘BackConnectionHostNames’, Hit Enter.


Right click on the value BackConnectionHostNames and coose Modify.


Add the URL you want to be able to access from a local browser on the server.


Don’t know why, but I seem to Always get this. Click Ok.




Adding multiple URL’s to the list of ‘trusted’ URL’s, simply make a new line between them.


That will look like this.


To be extra sure that nothing else will sabotage functionality, check so that the URL’s are added to DNS.
(Or local hosts file)


Check so that the URL’s are added as bindings in IIS.


Verify that the URL’s are correct and are added to AAM.


Make sure that the URL is added to the Local Intranet Zone in Internet Explorer (if you need to browse the site from the server, NOT RECOMMENDED!).


Try to access the URL in a browser.


And the other URL.



Doing the same using PowerShell

Using PowerShell to configure the Loopback check, requires two steps:

1. Add the multistring value to the registry
Get-Item -path “HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString”

2. Restart the IISADMIN service
Restart-Service IISADMIN

1. Add the multistring value to the registry

Given that you have Everything setup correctly, your AAM’s, your DNS entrys, (URL added to local intranetsites zone in IE), and so forth…you can use this single PowerShell command to exclude the URL’s for your sites from the loopbackcheck, this way, you don’t have to disable the loopbackcheck at all (Way better security).

The following command will add my two URL’s to the exclusion list, edit the values to add your own URL’s.

Run this in a PowerShell prompt running in elevaled mode/as Administrator

Get-Item -path “HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString”

Running this will if Everything is done right, show this


This is how it will look if it succeeds!


If you get ‘The property already exists.’, then you already have the ‘BackConnectionHostNames’ value added to the registry, check using registry editor to see if you can delete it or if it has other values that need to be there.

After a successful execution, check the registry to verify


2. Restart the IISADMIN service

Now you have to restart the IISADMIN service in order for it to ‘reread’ the registry values and implement our Changes.
This is easy, in a PowerShell prompt running in elevaled mode/as Administrator

Restart-Service IISADMIN


Note the typo/bug in the text, it says stopping twice but what it does it stopping and starting


The command line in step 1 will add two (2) entries to the list, coolsite.corp.balkestahl.se and alias.corp.balkestahl.se. If you need to add more URL’s, add them to the Values, like: -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”, “mycoolnetbiosname”, “extraname.corp.balkestahl.se”).

Make sure that the doublequotes are formated in the proper way if you copy from this post!

That would make the command

Get-Item -path “HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”, “mycoolnetbiosname”, “extraname.corp.balkestahl.se”) -PropertyType “MultiString”


Restart-Service IISADMIN -force


You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version

DisableLoopbackCheck & SharePoint: What every admin and developer should know. (Spencer Harbar folks)

Can’t crawl web apps you KNOW you should be able to crawl (Todd Klindt’s oldie but goodie)

Thanks to:

As Always, Mattias Gutke! Now at CAG. Always a great help and second opinion!




Twitter | Technet Profile | LinkedIn


9 thoughts on “A quick guide to configuring the Loopback check

  1. Reblogged this on CHUVASH.eu and commented:
    Great tutorial how to configure the loopback check on a dev machine. Exactly what I needed for a month ago. Pity that this article came after that. 🙂

  2. This is a good article however can I just add something for anyone else struggling to get this working using the BackConnectionHostNames registry key. This technique only works if the hostname is DNS A record that resolves directly to the IP address.

    If it is a C-NAME then you must also add the A-Record. I have spent a few wasted hours today wondering why this did not work!

    In my case the hostname was a C-NAME for the FQDN of the machine itself so adding the FQDN of the machine fixed the problem.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s