SharePoint Loopback Checking

Background

Loopback checking was introduced in Windows Server 2003 Service Pack 1 (and Windows XP SP2). It is a Local Security Authority (LSA) check that rejects NTLM authentication when a client running on the server itself connects to a service on that same server using a name other than the machine's own computer name, for example a web application's Fully Qualified Domain Name (FQDN). Microsoft added it to block reflection attacks, in which a host is tricked into authenticating to itself so that its own credentials can be replayed against it (Microsoft KB 896861 documents the feature and its workarounds). IIS reports the rejection as HTTP 401.1 (Logon failed), which is misleading because 401.1 normally indicates a problem with the user's credentials rather than a deliberate policy decision. For SharePoint specifically, this means that browsing a Web Application by its FQDN from a Web Front End that hosts it produces this error.

Problem

Before loopback checking, a server would accept NTLM authentication to itself under any host name, which left it open to reflection attacks. Microsoft took feedback and closed that hole with the loopback check. The cost is the set of problems the check creates within SharePoint, where several components on a server legitimately make HTTP requests to Web Applications hosted on that same server:

  • Web Application "warm ups": a timer job or scheduled task that requests pages on the Web Application to reduce start-up time after an application pool recycle will get a 401 error, because the request originates on the server that hosts the site.
  • Search indexing: if the crawl component runs on a server that also hosts the Web Application being crawled, the crawl log fills with 401s and the content is not indexed.

Given these problems you still ABSOLUTELY want this feature enabled in the production environment. Disabling it (DisableLoopbackCheck in the registry) re-opens the reflection attack the feature was created to stop, for every host name on the server, which is the main reason the check exists and is left on. In the development environment the rules are a little different. Developers usually build SharePoint on virtual machines and then want to browse the sites from that same server. If the developers are in a completely controlled environment where no one else can reach the server, they can disable loopback checking outright, but the advised method, and the one that is also acceptable in production, is to register only the specific host names (FQDNs) to exempt from loopback checking (the BackConnectionHostNames value in the registry), so that developers are not blocked from the sites they need while every other name stays protected.
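The exemption method described above, as an added example that is not part of the original post. It appends host names to the BackConnectionHostNames multi-string value without creating duplicates, and warns if the machine-wide DisableLoopbackCheck switch is already set, since that setting makes the per-name list meaningless. The two host names are placeholders for your own Web Application URLs; the registry paths and value names are the ones documented in Microsoft KB 896861. Run it from an elevated PowerShell session on the server that hosts the Web Application.

```powershell
# Added example (not from the original post): exempt specific host names from the
# LSA loopback check instead of disabling the check machine-wide.
# The host names below are hypothetical; replace them with your Web Application URLs.
$hostNames = @('intranet.contoso.local', 'mysites.contoso.local')

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'          # holds DisableLoopbackCheck
$msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'   # holds BackConnectionHostNames

# 1. Detect the insecure global override. If it is set, the per-name list is never consulted
#    and the reflection-attack protection is off for every host name on this server.
$disabled = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($disabled -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set. Remove it (Remove-ItemProperty) and rely on BackConnectionHostNames instead.'
}

# 2. Merge the new names into the existing REG_MULTI_SZ value: normalise case, drop empties and duplicates.
$current  = (Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$existing = @($current)
$merged   = [string[]](@($existing + $hostNames) |
                Where-Object { $_ } |
                ForEach-Object { $_.Trim().ToLowerInvariant() } |
                Sort-Object -Unique)

if ($null -ne $current) {
    Set-ItemProperty -Path $msvKey -Name BackConnectionHostNames -Value $merged
} else {
    New-ItemProperty -Path $msvKey -Name BackConnectionHostNames -PropertyType MultiString -Value $merged | Out-Null
}

# 3. Show the resulting exemption list. LSA reads this at service start, so restart the
#    IISAdmin service (or reboot the host) before re-testing the 401.1 from the server.
(Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames).BackConnectionHostNames
```

Keep the list to the names the server actually needs to reach on itself (warm-up targets, or the crawl target on a server that runs a crawl component); each entry is a host name the loopback check will no longer protect, so review it the same way you would review any other authentication exception.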

Conclusion

In the production environment loopback checking is a pivotal security feature. Keep it enabled, avoid placing a crawl component on a server that also serves the Web Application it crawls (the crawl will otherwise fail with 401 errors), and work around the web application warm-up problem by exempting only the specific host names the warm-up job requests rather than disabling the check. Loopback checking has somewhat more relaxed rules in the development environment. Even there, developers should only exempt particular sites from loopback checking, and should disable it entirely only when they can be certain that nobody without permission can reach the SharePoint server in question.

June 17, 2013