DisableLoopBackCheck Alternative (for Production)

So, true story…
I have been working in a global company and there are three environments (test, pre and prod). Test- and Pre-environments had disableloopbackcheck enabled – Production didn’t. Now in Production there was an error whenever a SharePoint WebPart, Custom Code or Workflow Solution (i.e. Nintex) was trying to call a web service hosted on the farm. There is basically only one WFE, so whenever they were calling they were calling the WFE they were calling from, i.e. service caller == service provider. Classic DisableLoopBackCheck Scenario.

You can verify this by checking the IIS logs. Go to IIS, select the site that you want to inspect and click ‘IIS\logging’. There you will find the physical path of the logs:
Default: ‘%SystemDrive%\inetpub\logs\LogFiles’

Go to that location and you will find some folders there…
The naming convention here is: W3SVC{ID of IIS Site}. So on my test machine I see:
W3SVC857252282
W3SVC1408403042

That’s because I have two started IIS sites apart from the web services site (that’s 80 default and CA).
Now you want to know which folder to check, not why these folders are there, but give me one more step.
The ID of the web site in IIS you can get from the advanced settings.

Go to IIS and open the context menu of the IIS site you are interested in (right-click). Then go to Manage Site > Advanced Settings.
The ID will be displayed in the corresponding value field for the ID key.
In my case (80 - Default) this is 1408403042. So I check out that folder and voila, I have logs for this site. Now I sort those in descending order by date. What I can see is something like this:


2011-12-23 07:56:13 fe80::4519:cfda:26df:cf90%11 GET /_vti_bin/spscrawl.asmx - 80 - fe80::4519:cfda:26df:cf90%11 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) 401 1 2148074254 3

or

2011-12-23 07:56:13 fe80::4519:cfda:26df:cf90%11 GET /_vti_bin/spscrawl.asmx - 80 WORKGROUP\WIN-DGKR68KV601$ fe80::4519:cfda:26df:cf90%11 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) 200 0 0 6

What that means is that the service (.asmx) file on port 80 was hit, and there has been an unauthorized exception (401.1, logged as status 401 with substatus 1). The second one shows a success (200) and it shows the name of the server called. So if you are working with a multi-server environment this helps to figure out who is calling whom.

Check Google for more explanation on this.
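The log check described above, as an added example (not code from the original post): a small Python parser that reads IIS W3C log text, keeps only requests where the server called itself (s-ip equals c-ip), and reports 401.1 responses that were never followed by a success for the same URL. The `#Fields:` line and the last two log rows are constructed for the example, and the field order is an assumption that matches the two lines quoted above.

```python
# Constructed sample: rows 1-2 are the lines quoted in the post, rows 3-4 and
# the "#Fields:" header are made up. A real log file carries its own header.
SAMPLE_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-12-23 07:56:13 fe80::4519:cfda:26df:cf90%11 GET /_vti_bin/spscrawl.asmx - 80 - fe80::4519:cfda:26df:cf90%11 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) 401 1 2148074254 3
2011-12-23 07:56:13 fe80::4519:cfda:26df:cf90%11 GET /_vti_bin/spscrawl.asmx - 80 WORKGROUP\WIN-DGKR68KV601$ fe80::4519:cfda:26df:cf90%11 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) 200 0 0 6
2011-12-23 08:01:40 10.0.0.5 POST /_vti_bin/lists.asmx - 80 - 10.0.0.5 Constructed-Agent 401 1 2148074252 2
2011-12-23 08:01:41 10.0.0.5 GET /default.aspx - 80 - 10.0.0.9 Constructed-Agent 401 1 2148074252 2
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or garbled rows
                yield dict(zip(fields, values))


def unresolved_self_calls(text):
    """Return sorted (client IP, URL) pairs where the server called itself,
    received 401.1, and no later request for that URL succeeded."""
    pending = {}
    for row in parse_w3c(text):  # IIS writes rows in time order
        if row["s-ip"] != row["c-ip"]:
            continue  # the caller is a different machine
        key = (row["c-ip"], row["cs-uri-stem"])
        if (row["sc-status"], row["sc-substatus"]) == ("401", "1"):
            pending.setdefault(key, row)
        elif row["sc-status"].startswith("2"):
            # Windows authentication can log a 401 before the authenticated
            # request succeeds, so a later 2xx clears the entry.
            pending.pop(key, None)
    return sorted(pending)


if __name__ == "__main__":
    for ip, url in unresolved_self_calls(SAMPLE_LOG):
        print(f"self-call to {url} from {ip} never authenticated")
```

Comparing s-ip with c-ip assumes the self-call arrives on the same address it was sent from; on a multi-homed server, compare against the full list of the server's own addresses instead.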

Back to the actual problem I was trying to solve…DisableLoopBackCheck.

First check this link so you understand what the issue is. Spencer is an authority on SharePoint. When I think for myself I do have to agree though. If MS intends you not to do this, then don’t.

Thanks to this you have an alternative.

All I am going to do is give screenshots below, tell you it worked for me and tell you one thing to watch out for:

Being the idiot I am, I first added the URLs instead of the host names to the registry. That’s crap of course and doesn’t work.
SO DO NOT ADD HTTPS://something.domain.extension but rather ONLY something.domain.extension.

This definitely has to correspond with your DNS setup (A record / CNAME). Don’t forget to add the hosts in the hosts file as well.
The registry change didn’t even need an IISReset /noforce. The host name file did.

This is where you find the disableloopbackcheck (if it’s been configured, if not it’s not there to begin with) in the registry:
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa



This is where to go for the BackConnectionHostNames (MultiStringValue, needs to be created)
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa > MSV1_0 > “BackConnectionHostNames”


This is where to go for the hosts file: ‘%SystemDrive%\Windows\System32\drivers\etc\hosts’


2 Responses to DisableLoopBackCheck Alternative (for Production)

  1. Pingback: Automation of Web Application Creation in Managed Environments (Part VII: Edit registry and host file) | SharePoint Hut

  2. vynal gloves says:

    My partner and I stumbled over here from a different page and thought
    I should check things out. I like what I see so now I’m following you.
    Look forward to looking over your web page again.
