A quick guide to configuring the Loopback check


Update: A free tool is available that does all this for you in a GUI: Loopback Check configuration Tool released – free download

Hi dear friends!

401.1 Access denied…
If you try to access your newly created web application with a real nice FQDN or NetBIOS name and you end up getting a 401.1 Access denied…

Even after adding the site to the local intranet zone in IE…
Even after beeing prompted 3 times and filling in the correct credentials…
After setting up your Search to crawl you sites in a small farm whith crawl and web services on the same server…

You check and doublecheck your credentials, you add yourself as the farm admin, you try logging on with the farm account, but nothing…still 401.1…

I know this has been written about many times Before, but some things seem to still be missing…
Now everyone seems comfortable with the sparse description on how to ‘add hosts to the list’ which is pretty much what you do when configuring the loopback check the ‘secure way’. You can also disable the loopbackcheck completely, but why if there is no real reason. Read Spencer Harbars excellent post on the topic if you need explaining why this is so. It is a few years but it is still the truth!

The KB article 896861 for this is an old one and the title does not really tell you that this is the one you are looking for, ‘type the host name or the host names for the sites that are on the local  computer, and then click OK.’ is not crystal…

Jump to:
Configure Loopback check using the GUI
Configure Loopback check using Powershell
Credits and References


What you need to do is this step by step:

In ‘Metro’ mode, type regedit

Regedit1x

Regedit will most likely be the only result, hit enter

Regedit2

In regedit, find the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

First…

Regedit3x

then…

Regedit4x

Now, create a Multi-String Value under the MSV1_0 key.

Regedit5x

Type in the name of the new Multi-String value: ‘BackConnectionHostNames’, Hit Enter.

Regedit6x

Right click on the value BackConnectionHostNames and coose Modify.

Regedit7x

Add the URL you want to be able to access from a local browser on the server.

Regedit8

Don’t know why, but I seem to Always get this. Click Ok.

Regedit9

Viola!

Regedit10x

Adding multiple URL’s to the list of ‘trusted’ URL’s, simply make a new line between them.

Regedit11

That will look like this.

Regedit12x

To be extra sure that nothing else will sabotage functionality, check so that the URL’s are added to DNS.
(Or local hosts file)

DNS1x

Check so that the URL’s are added as bindings in IIS.

IIS1x

Verify that the URL’s are correct and are added to AAM.

AAM1x

Make sure that the URL is added to the Local Intranet Zone in Internet Explorer (if you need to browse the site from the server, NOT RECOMMENDED!).

IE3x

Try to access the URL in a browser.

IE1x

And the other URL.

IE2x

Done!

Doing the same using PowerShell

Using PowerShell to configure the Loopback check, requires two steps:

1. Add the multistring value to the registry
Get-Item -path “HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString”

2. Restart the IISADMIN service
Restart-Service IISADMIN

1. Add the multistring value to the registry

Given that you have Everything setup correctly, your AAM’s, your DNS entrys, (URL added to local intranetsites zone in IE), and so forth…you can use this single PowerShell command to exclude the URL’s for your sites from the loopbackcheck, this way, you don’t have to disable the loopbackcheck at all (Way better security).

The following command will add my two URL’s to the exclusion list, edit the values to add your own URL’s.

Run this in a PowerShell prompt running in elevaled mode/as Administrator

Get-Item -path “HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString”

Running this will if Everything is done right, show this

Powershell1

This is how it will look if it succeeds!

Powershell2

If you get ‘The property already exists.’, then you already have the ‘BackConnectionHostNames’ value added to the registry, check using registry editor to see if you can delete it or if it has other values that need to be there.

After a successful execution, check the registry to verify

Regedit12x

2. Restart the IISADMIN service

Now you have to restart the IISADMIN service in order for it to ‘reread’ the registry values and implement our Changes.
This is easy, in a PowerShell prompt running in elevaled mode/as Administrator

Restart-Service IISADMIN

Powershell3

Note the typo/bug in the text, it says stopping twice but what it does it stopping and starting

Done!

The command line in step 1 will add two (2) entries to the list, coolsite.corp.balkestahl.se and alias.corp.balkestahl.se. If you need to add more URL’s, add them to the Values, like: -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”, “mycoolnetbiosname”, “extraname.corp.balkestahl.se”).

Make sure that the doublequotes are formated in the proper way if you copy from this post!

That would make the command

Get-Item -path “HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”, “mycoolnetbiosname”, “extraname.corp.balkestahl.se”) -PropertyType “MultiString”

and

Restart-Service IISADMIN -force

References:

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
http://support.microsoft.com/kb/896861

DisableLoopbackCheck & SharePoint: What every admin and developer should know. (Spencer Harbar folks)
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

Can’t crawl web apps you KNOW you should be able to crawl (Todd Klindt’s oldie but goodie)
http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=107

Thanks to:

As Always, Mattias Gutke! Now at CAG. Always a great help and second opinion!


___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Advertisements
  1. Anatoly Mironov
    May 11, 2013 at 08:05

    Reblogged this on CHUVASH.eu and commented:
    Great tutorial how to configure the loopback check on a dev machine. Exactly what I needed for a month ago. Pity that this article came after that. 🙂

  2. Kevin Latham
    June 6, 2014 at 21:44

    Best. Explanation. Ever.

  3. November 5, 2014 at 17:55

    This is a good article however can I just add something for anyone else struggling to get this working using the BackConnectionHostNames registry key. This technique only works if the hostname is DNS A record that resolves directly to the IP address.

    If it is a C-NAME then you must also add the A-Record. I have spent a few wasted hours today wondering why this did not work!

    In my case the hostname was a C-NAME for the FQDN of the machine itself so adding the FQDN of the machine fixed the problem.

    • November 5, 2014 at 18:59

      Hi.
      Great feedback, thanks!
      I’ll see if I can manage to get it updated.
      Regards
      // Thomas

  4. May 5, 2015 at 14:02

    Excellent article . Thanks for the post. I have blogged on my site @ http://tanveerkhan-sharepoint.blogspot.com.au/2015/05/issue-accessing-host-named-site.html

  1. July 30, 2013 at 15:18

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: