DisableLoopbackCheck – Unauthorized (401.1) Exception calling Web Services in SharePoint

Published on 10/14/2008

After upgrading to .NET Framework 3.5 Service Pack 1 on my SharePoint web servers I began to get the following Unauthorized exception.

Type: WebException, Exception Message: The request failed with HTTP status 401: Unauthorized.

This error really has nothing to do with SharePoint, and is really just an IIS web services related item.  This problem is due to an added bit of security included in the .NET Framework 3.5 Service Pack 1.  Here is the Microsoft KB article explaining the issue and how to work around the problem.  This Microsoft article refers to the problem coming after applying other service packs for Windows XP and Server 2003, but .NET Framework 3.5 Service Pack 1 is also now using this same bit of added security – the loopback check.

You will likely not encounter this problem on a single web server configuration and if you are using the server name to access the web site.

However, most enterprise SharePoint farms consist of at least two web servers that are load balanced.  This is where the problem exists.

Likely Cause:

  • You are calling your web services from your web servers using the load-balanced URL, not the server name.

This isn’t a bug.  There was a security fix built into the Windows networking stack that prevents a machine name that resolves to the loopback address from accepting a connection unless that machine name matches the NETBIOS name.

One option is to use the server name instead of the load balanced IP.  This should remedy the problem.  However, the standard method to apply configuration changes across a SharePoint farm is via SharePoint solution files.  This usually requires the configuration entries to be the same across all the web servers in the SharePoint farm, and using the load balanced URL is likely the most appropriate.

Suggested configuration changes to resolve this:

  • Add the DisableLoopbackCheck registry entry discussed in this Microsoft KB article.  Note: you will need to reboot your server before the DisableLoopbackCheck takes effect.
  • Be sure to add your load balanced host name for your web farm to the Hosts file on each front end web server.  Use the loop-back IP address (127.0.0.1).  This will ensure that each web server looks at itself to access the web services preventing any trips back out to the load-balancer – and possibly calling the web service another web server in the farm.  This will be much less efficient.
    • If this problem appeared to be inconsistent (sometimes erroring, sometime successful), this is most likely due having multiple web servers.  The call to the web service will be successful if by chance the load balance redirected the call to the same (self) web server to access the web service.  It will fail when trying to call across to a different web server.

References:

Advertisements

2 thoughts on “DisableLoopbackCheck – Unauthorized (401.1) Exception calling Web Services in SharePoint

  1. (Migrated Comments from my old blog)

    Thanks!

    Wow thanks for this information I just spent 5 hours digging through all the detail.
    at 10/23/2008 3:12 PM
    Thanks!!!!

    WOW!!! Thank you soo much Mark
    at 11/8/2008 8:39 PM
    Thank you so much!!!

    This saved me a lot of time. I spend that last couple of hours trying to figure out what was causing this issue.

    Marc
    at 11/19/2008 2:41 PM
    Thank you so much!!!

    This saved me a lot of time. I spend that last couple of hours trying to figure out what was causing this issue.

    Marc
    at 11/19/2008 2:41 PM
    Have this problem

    Mark,

    We have this problem on our cluster. But we tried the fix and it didn’t work. When you say “Be sure to add your load balanced host name for your web farm to the Hosts file on each front end web server” are you saying the Load balanced FQDN or the NETBIOS name of each server or some other setting we are missing.

    Thanx
    Frank
    at 12/15/2008 3:33 PM
    Re: Have this problem

    Either the FQDN or the NETBIOS name can be added, or both. The name you enter into the HOST file should be whatever name is used when calling your web service.
    Mark at 12/23/2008 10:01 PM
    What if i remove .NET Framework 3.5 SP1

    First of all i would really thankfull to you.

    I already resolved this issue microsoft knowledge base article suggested by you.

    The next thing i would to ask you is , what happen if i remove framework 3.5 sp1 ? After removing framework my problem still persists or not.

    at 2/20/2009 3:25 AM
    Re: What if i remove .NET Framework 3.5 SP1

    If you remove .Net Framework 3.5 SP1, the problem should also go away – but I’m not certain and have not tested this.
    Mark Wagner at 4/21/2009 7:58 AM
    Thank you!!

    We love windows updates, but not when it messes up our current configuration!!
    Thanks for the link!
    at 4/22/2009 4:48 PM
    Thanks a Lot

    Thanks a lot for sharing such a useful information.

    I am happy with the solution, as I was trying to resolve this (401) Unauthorized error for many days.

    But still… please let me know if there is any other solution also.

    Will implementation of DisableLoopbackCheck effect other functionalities in sharepoint or is it safe to implement it?
    at 6/11/2009 4:43 AM
    Tanks

    Tanks a lot
    Merci beaucoup.
    at 6/20/2009 5:33 PM
    Tanks

    Tanks a lot
    Merci beaucoup.
    at 6/20/2009 5:58 PM
    Re: Unauthorized (401.1) Exception calling Web Services in SharePoint

    Marc,
    Thank you so much for the info….I do have a question as to the server. Which server do I make the registry change? I have two servers that are just sharepoint web application, and the third one is the central admin. The db is on a separate server. Do I make the change on all three servers or just the third one? I’m new to sharepoint and trying to figure my way around. Thanks in advance for your help.
    at 8/28/2009 10:11 AM
    Whcih server do I make the registry change?

    You will need to make this registry change on each web front end (WFE) server, specifically the WFEs that are load balanced. You will likely not need to do this on your Central Admin server since it is its own server, however, that should not matter if you added it there as well.
    Mark Wagner at 9/2/2009 10:45 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s