Wednesday 23 June 2010

Use BackConnectionHostNames instead of DisableLoopbackCheck in production

If you're running SharePoint, you may have come across advice to set the DisableLoopbackCheck registry value on Windows 2003 SP1 and above and/or .NET 3.5 SP1.

Adding the DWORD will certainly keep you up and running and avoid search/crawl errors like the one below, but despite popular belief it's not the way to do it in a production environment.

Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has "Full Read" permissions on the SharePoint Web Application being crawled. (The item was deleted because it was either not found or the crawler was denied access to it.)

What you should be doing in production is configuring specific sites by name using the BackConnectionHostNames Multi-String Value below HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. The Microsoft KB article isn't clear about the format this value should take, but I've found that adding each site, without the scheme, on a new line works.

Here's an example:

intranet1.site.com
intranet2.site.com

Bob Fox additionally suggests adding a new DWORD named DisableStrictNameChecking with a value of 1 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and rebooting to avoid having to reboot every time a new site is configured. I got away without rebooting at all by simply restarting the IISAdmin service.
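
One way to script the BackConnectionHostNames change described above (an added example, not code from the original post): it merges host names into the multi-string value without duplicates and warns if the blanket DisableLoopbackCheck exemption is still set. The function name Add-BackConnectionHostName and the -RestartIis switch are hypothetical; the host names are the ones from the post's example.

```powershell
# Added example, not the original author's code. Run elevated on every WFE.
# Add-BackConnectionHostName is a hypothetical helper name.
function Add-BackConnectionHostName {
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [switch] $RestartIis
    )
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = Join-Path $lsa 'MSV1_0'
    $name = 'BackConnectionHostNames'

    # The post's format: one site per entry, without the scheme (any path is dropped too).
    $wanted = $HostName |
        ForEach-Object { ($_.Trim() -replace '^[A-Za-z]+://', '') -replace '/.*$', '' } |
        Where-Object { $_ }

    # Read the current entries; the value may not exist yet.
    $current = @((Get-ItemProperty -Path $msv -Name $name -ErrorAction SilentlyContinue).$name) |
        Where-Object { $_ }

    # Merge without duplicates (Sort-Object -Unique compares case-insensitively).
    $merged = [string[]](@($current) + @($wanted) | Sort-Object -Unique)
    if (-not $merged) { throw 'No usable host names were supplied.' }
    New-ItemProperty -Path $msv -Name $name -PropertyType MultiString -Value $merged -Force | Out-Null

    # Flag a leftover blanket exemption: with DisableLoopbackCheck = 1 the check is
    # off for every name, so the per-site list above is not what is protecting the box.
    $dlc = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    if ($dlc -eq 1) {
        Write-Warning 'DisableLoopbackCheck is still 1; set it to 0 or remove it once the sites work.'
    }

    # The post's author found restarting IISAdmin sufficient; -Force also restarts dependants.
    if ($RestartIis) { Restart-Service -Name IISADMIN -Force }
    return $merged
}

# Constructed usage with the host names from the post's example:
Add-BackConnectionHostName -HostName 'http://intranet1.site.com', 'intranet2.site.com' -RestartIis
```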

7 comments:

  1. By site, do you mean site collection, sub-site, or are you referring to web application?

  2. @Anonymous: this change affects IIS (I guess) so by 'site' I'm referring to whatever host header you used when creating the web application (or the hostname:port if you didn't use a host header).

  3. This solution worked like a charm, especially on a site where SSL is enabled and a certificate is installed.

    Thanks, once again!

  4. Hi and thanks for your useful post!
    Do you need to do this on all WFEs?
    If so, the IISAdmin service will also have to be restarted on the WFE then?

  5. @chouf, yep all WFEs and iisreset on each WFE (or reboot if necessary in your case).

  6. This comment has been removed by the author.

  7. I was hoping this would fix my http://mysitecollectionURL.domain.com/_layouts/15/AccessDenied.aspx

    I added the hostname of my web application in the regedit and restarted, but am still getting the same error of "this site is not shared with you".

