
Loopback Disabled

The Loopback Disabled best practices report by SPDocKit offers more information when the HTTP 401.1 – Unauthorized: Logon Failed error occurs.


Last updated 1 year ago


Issue description

When you browse a SharePoint site using a host name or fully qualified domain name (FQDN) that differs from the SharePoint server's name, you may receive the following error message:

HTTP 401.1 – Unauthorized: Logon Failed

Additionally, a message similar to the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process:
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: –
Caller Domain: –
Caller Logon ID: –
Caller Process ID: –
Transited Services: –
Source Network Address: IP_Address
Source Port: Port_Number

You will receive this error message only if you try to browse the website directly on the server. If you browse the website from a client computer, the website works as expected. Also, in some configurations, especially in a single server farm setup, crawl operations may fail.

Explanation

SharePoint is built on top of Internet Information Services (IIS), which is a Windows Server component. Windows Server 2003 Service Pack 1 introduced a loopback security check designed to prevent reflection attacks on the server. If the FQDN or the custom host header of the SharePoint web application does not match the local computer name, authentication will fail.

Solution

You have to disable the loopback check in order for SharePoint to work properly. There are two methods to disable the loopback check:

Method 1:

The following script retrieves the loopback check configuration:

param()

function Get-RegistryValue ([string]$path,[string]$valueName)
{
    return (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue)
}

function Get-LoopbackCheck
{
    Write-Host "Checking method #1 - DisableLoopbackCheck" -ForegroundColor Green
    Write-Host "Reading loopback check configuration... " -ForegroundColor Yellow -NoNewLine

    $dlValue = (Get-RegistryValue "HKLM:\System\CurrentControlSet\Control\Lsa" "DisableLoopbackCheck").DisableLoopbackCheck
    if ($dlValue -eq 1)
    {
        Write-Host "Enabled" -ForegroundColor Green
    }
    else
    {
        Write-Host "Disabled" -ForegroundColor Red
    }
    Write-Host ""
}

function Get-LoopbackCheckForHostNames
{
    Write-Host "Checking method #2 - SpecifyHostNames" -ForegroundColor Green
    Write-Host "Reading loopback check configuration (DisableStrictNameChecking)... " -ForegroundColor Yellow -NoNewLine

    $dlValue = (Get-RegistryValue "HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters" "DisableStrictNameChecking").DisableStrictNameChecking
    if ($dlValue -eq 1)
    {
        Write-Host "Enabled" -ForegroundColor Green
    }
    else
    {
        Write-Host "Disabled" -ForegroundColor Red
    }

    Write-Host "Reading loopback check configuration (BackConnectionHostNames)... " -ForegroundColor Yellow -NoNewLine
    $registeredURLs = (Get-RegistryValue "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" "BackConnectionHostNames").BackConnectionHostNames
    if ([string]::IsNullOrEmpty($registeredURLs))
    {
        Write-Host "Not present" -ForegroundColor Red
    }
    else
    {
        Write-Host "Enabled" -ForegroundColor Green
    }
    Write-Host ""
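}

### Main
# Run both checks (the functions above are otherwise only defined, never called).
Get-LoopbackCheck
Get-LoopbackCheckForHostNames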

The following script manages the loopback check configuration:

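param(
    [Parameter(Mandatory=$true)]
    [ValidateSet("DisableLoopbackCheck","SpecifyHostNames","Enable")]
    [string]$Action
)

# Get-SPWebApplication needs the SharePoint snap-in when the script runs outside the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue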

function Get-SPWebAppHostNames()
{
    $spWebApps = Get-SPWebApplication
    $urlList = @()
    foreach ($spWebApp in $spWebApps)
    {
        foreach ($url in $spWebApp.AlternateUrls)
        {
            if ($urlList.IndexOf(([System.Uri]$url.IncomingUrl).Host) -eq -1)
            {
                $urlList += ([System.Uri]$url.IncomingUrl).Host
            }
            if ($urlList.IndexOf(([System.Uri]$url.PublicUrl).Host) -eq -1)
            {
                $urlList += ([System.Uri]$url.PublicUrl).Host
            }              
        }
    }
    return $urlList
}

function Get-RegistryValue ([string]$path,[string]$valueName)
{
    return (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue)
}

function Set-RegistryValueDword([string]$path,[string]$valueName,[uint32]$value)
{
    $loopbackCheck = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue)

    if ($loopbackCheck -eq $null)
    {
        $loopbackCheck = New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value $value -ErrorAction SilentlyContinue
    }
    else
    {
        $loopbackCheck = Set-ItemProperty -Path $path -Name $valueName -Value $value -ErrorAction SilentlyContinue -PassThru
    }
}

function Set-RegistryValueMultiString([string]$path,[string]$valueName,$value)
{
    $itemProperty = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue)

    if ($itemProperty -eq $null)
    {
        $itemProperty = New-ItemProperty -Path $path -Name $valueName -PropertyType MultiString -Value $value -ErrorAction SilentlyContinue
    }
    else
    {
        $itemProperty = Set-ItemProperty -Path $path -Name $valueName -Value $value -ErrorAction SilentlyContinue -PassThru
    }
}

function Restart-IISAdminService()
{
    $title = "Restart IISADMIN service"
    $message = "To apply the changes, we need to restart the IISADMIN service. This can impact the service availability. Do you want to continue?"

    $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
        "Restarts the IISADMIN service."

    $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
        "Exits without restarting the IISADMIN service. You will have to restart the service manually."

    $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)

    $result = $host.ui.PromptForChoice($title, $message, $options, 0) 

    switch ($result)
    {
        0 { Restart-Service IISADMIN }
        1 { }
    }
}

function Disable-LoopbackCheck([bool]$lcDisable)
{
    $value = [int]$lcDisable
    if ($lcDisable)
    {
        $edString = "Disabling"
    }
    else
    {
        $edString = "Enabling"
    }

    Write-Host "$edString loopback check..." -ForegroundColor Green

    Set-RegistryValueDword "HKLM:\System\CurrentControlSet\Control\Lsa" "DisableLoopbackCheck" $value

    Write-Host "Please restart server to apply changes." -ForegroundColor Red
}

function Disable-LoopbackCheckForHostNames([bool]$lcDisable)
{
    $value = [int]$lcDisable
    if ($lcDisable)
    {
        $edString = "Disabling"
    }
    else
    {
        $edString = "Enabling"
    }

    Write-Host "$edString loopback check (set host names method)..." -ForegroundColor Green

    Set-RegistryValueDword "HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters" "DisableStrictNameChecking" $value
    if ($lcDisable)
    {
        $registeredURLs = (Get-RegistryValue "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" "BackConnectionHostNames").BackConnectionHostNames
        if ([string]::IsNullOrEmpty($registeredURLs))
        {
            $registeredURLs = @()
        }
        $spUrls = Get-SPWebAppHostNames
        foreach ($spUrl in $spUrls)
        {
            $spUrl = $spUrl.Trim()
            if ($spUrl -ne "")
            {
                if ($registeredURLs.IndexOf($spUrl) -eq -1)
                {
                    $registeredURLs += $spUrl
                }
            }
        }
        Set-RegistryValueMultiString "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" "BackConnectionHostNames" $registeredURLs
        Write-Host "If you configured SharePoint for use with Kerberos, you may need to register the following SPNs:" -ForegroundColor Yellow
        foreach ($url in $spUrls)
        {
            Write-Host "HTTP/$url" -ForegroundColor Yellow
        }

        # Check if DisableLoopbackCheck is set and remove the setting
        if ((Get-RegistryValue "HKLM:\System\CurrentControlSet\Control\Lsa" "DisableLoopbackCheck").DisableLoopbackCheck -eq 1)
        {
            Write-Host "Detected DisableLoopbackCheck. Deactivating..." -ForegroundColor Green
            Disable-LoopbackCheck $false
        }
    }
    else
    {
        Set-RegistryValueMultiString "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" "BackConnectionHostNames" @()
    }

    Restart-IISAdminService
}


### Main
switch ($Action)
{
    "Enable"                    { Disable-LoopbackCheck $false; Disable-LoopbackCheckForHostNames $false }
    "DisableLoopbackCheck"      { Disable-LoopbackCheck $true }
    "SpecifyHostNames"          { Disable-LoopbackCheckForHostNames $true}
}
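
The check described under Explanation and the two registry settings managed above can be combined into a per-host-name audit that shows which host names depend on the blanket DisableLoopbackCheck value rather than on a BackConnectionHostNames entry. This is an added example, not SPDocKit's script, and it goes beyond the Enabled/Disabled output of the retrieval script; Test-LoopbackExposure, its parameters and the sample host names are hypothetical.

```powershell
# Added example (not SPDocKit code). Test-LoopbackExposure and its parameters are hypothetical names.
function Test-LoopbackExposure {
    param(
        [int]$DisableLoopbackCheck,           # Lsa\DisableLoopbackCheck (0 when the value is absent)
        [string[]]$BackConnectionHostNames,   # Lsa\MSV1_0\BackConnectionHostNames
        [string[]]$WebAppHostNames,           # host names the web applications answer on
        [string[]]$LocalNames                 # names that already match the computer name
    )
    # Normalise inputs: drop empty entries, trim, de-duplicate (comparisons are case-insensitive).
    $allowed = @($BackConnectionHostNames | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    $wanted  = @($WebAppHostNames | Where-Object { $_ } | ForEach-Object { $_.Trim() } | Sort-Object -Unique)

    $rows = foreach ($name in $wanted) {
        if     ($LocalNames -contains $name)    { $status = 'MatchesComputerName' }
        elseif ($allowed -contains $name)       { $status = 'AllowedByHostName' }
        elseif ($DisableLoopbackCheck -eq 1)    { $status = 'AllowedByBlanketDisable' }
        else                                    { $status = 'BlockedLocally' }
        [pscustomobject]@{ HostName = $name; Status = $status }
    }
    [pscustomobject]@{
        BlanketDisable = ($DisableLoopbackCheck -eq 1)
        # Exemptions that no web application host name accounts for; review them.
        StaleEntries   = @($allowed | Where-Object { $wanted -notcontains $_ })
        Hosts          = @($rows)
    }
}

# On a farm server the inputs come from the registry values the scripts above read and from
# Get-SPWebApplication; the values below are constructed so the example runs anywhere.
$sample = @{
    DisableLoopbackCheck    = 1
    BackConnectionHostNames = 'intranet.contoso.example', 'old-portal.contoso.example'
    WebAppHostNames         = 'intranet.contoso.example', 'mysites.contoso.example', 'SP01'
    LocalNames              = 'sp01', 'sp01.contoso.example'
}
$report = Test-LoopbackExposure @sample
$report.Hosts | Format-Table -AutoSize
if ($report.BlanketDisable) {
    Write-Warning 'DisableLoopbackCheck = 1: the reflection check is off for every host name.'
}
$report.StaleEntries | ForEach-Object {
    Write-Warning "BackConnectionHostNames entry with no matching web application: $_"
}
```

A host reported as AllowedByBlanketDisable works only because the reflection check is switched off server-wide; adding it to BackConnectionHostNames lets DisableLoopbackCheck be set back to 0, which is what the SpecifyHostNames action above does.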

Additional information

Additional information can be found in the following articles:

Method 2:

Disable loopback check completely
DisableLoopbackCheck & SharePoint: What every admin and developer should know
Specify host names