Skip to main content

SharePoint 2013 Keeps Prompting For Credentials (DisableLoopbackCheck - BackConnectionHostNames - Logon Failure 401.1 - Access Denied )

Problem:

When you access a SharePoint site collection, it keeps on prompting for authentication and eventually give you an Access Denied error.


Reason:

This is a feature that prevents access to a web application using a fully qualified domain name (FQDN) if an attempt to access it takes place from a machine that hosts that application. The end result is a 401.1 Access Denied from the web server and a logon failure in the event log.


Solution:

There are 2 ways to solve this, (1) the correct way and (2) the fast and easy way.

1 - The correct way (test/production servers)
Specify the host names that needs to do loop back check in the registry – BackConnectionHostNames. This is the correct way and is more secure. http://support.microsoft.com/kb/896861
 - Open regedit.exe
 - Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
 - Create a new multi-string value and name it "BackConnectionHostNames"
 - Type the host name of site that are referencing on the local server 
   (multiple host names must be separated by a newline)
 - Click OK and close regedit
 - You should no longer get the 401.1 Access Denied message (you may also need to restart the IISAdmin service)

1 - The easy way (development servers)
Disable the loopback check (DisableLoopbackCheck) altogether. This puts your server in a security risk. http://support.microsoft.com/kb/896861
 - Open regedit.exe
 - Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
 - Create a new d-word (32-bit) and name it "DisableLoopbackCheck"
 - Edit the d-word and give it a value of 1
 - Click OK and close regedit
 - You should no longer get the 401.1 Access Denied message (you may also need to restart the IISAdmin service)



Additional info:

The event view might also give the following error.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

Comments

Popular posts from this blog

Sharepoint 2013 - Fullscreen mode/hide quick launch

If you want to hide the quick launch on a SharePoint page or web part page in 2013 you could of cause use CSS scripts as in 2010.
But as a new thing in 2013 the user have the possibility to click on full screen mode. so why not load your page in this mode and then the user can choose to exit the mode if he prefers.

Add a content editor webpart to your page and click on Edit HTML from the ribbon.
Add the following code:

<script type="text/javascript">
window.onload = function()
{
  SetFullScreenMode(true);
}
</script>

Install DLL in GAC - Windows 2008/2012 (Using Powershell, No GacUtil.exe)

If you want to install a DLL in the GAC and do not have the GACUtil.exe available. Powershell is properly the easiest way to procede.

Before Powershell you would properly just drag the DLL file into the C:\Windows\Assembly but this option is usually not available anymore.

Powershell - Add DLL to GAC So to install a DLL file in the GAC simply execute the below Powershell script. Remember you migth want to run the Powershell prompt as an administrator.
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")$publish=New-ObjectSystem.EnterpriseServices.Internal.Publish$publish.GacInstall("c:\temp\MyDllFile.dll")iisreset
The first line adds a reference to the assembly we need to be able to mange the GAC.
The second and third lines retrives the GAC object and publish a new DLL file to it.
The last line resets the Internet Information Services. This is only needed if your DLL file is used in a websi…

SharePoint/Project Server - Firewall port open list

Firewall port open list Every time I have to install a new instance of Project Server I forget which ports have to be open.
The ports are divided into 3 lists, one list for the web front end servers, one list for the application server and one list for the SQL server.
These ports are based on a 2013 installation of SharePoint/Project Server. the 2010 installation defer a little bit.


Web Frontend ServerWhen a range is specified all ports between the range must be opened.
     Port(s)ProtocolBoundDescription
-80 TCPInhttp
-443 TCPInhttps/ssl
-25 TCPInSMTP for e-mail integration
-16500-16519TCPInPorts used by the search index component
-22233-22236TCPIn/OutPorts required for the AppFabric Caching Service
-32843-32845TCPInCommunication between Web servers and service applications
-32846TCPIn/OutSharePoint User Code Service
-808-809TCPInOffice Web Apps
-5725TCP