DisableLoopbackCheck – Unauthorized (401.1) Exception calling Web Services in SharePoint

Published on 10/14/2008

After upgrading to .NET Framework 3.5 Service Pack 1 on my SharePoint web servers I began to get the following Unauthorized exception.

Type: WebException, Exception Message: The request failed with HTTP status 401: Unauthorized.

This error really has nothing to do with SharePoint, and is really just an IIS web services related item.  This problem is due to an added bit of security included in the .NET Framework 3.5 Service Pack 1.  Here is the Microsoft KB article explaining the issue and how to work around the problem.  This Microsoft article refers to the problem coming after applying other service packs for Windows XP and Server 2003, but .NET Framework 3.5 Service Pack 1 is also now using this same bit of added security – the loopback check.

You will likely not encounter this problem on a single web server configuration and if you are using the server name to access the web site.

However, most enterprise SharePoint farms consist of at least two web servers that are load balanced.  This is where the problem exists.

Likely Cause:

  • You are calling your web services from your web servers using the load-balanced URL, not the server name.

This isn’t a bug.  There was a security fix built into the Windows networking stack that prevents a machine name that resolves to the loopback address from accepting a connection unless that machine name matches the NETBIOS name.

One option is to use the server name instead of the load balanced IP.  This should remedy the problem.  However, the standard method to apply configuration changes across a SharePoint farm is via SharePoint solution files.  This usually requires the configuration entries to be the same across all the web servers in the SharePoint farm, and using the load balanced URL is likely the most appropriate.

Suggested configuration changes to resolve this:

  • Add the DisableLoopbackCheck registry entry discussed in this Microsoft KB article.  Note: you will need to reboot your server before the DisableLoopbackCheck takes effect.
  • Be sure to add your load balanced host name for your web farm to the Hosts file on each front end web server.  Use the loop-back IP address (127.0.0.1).  This will ensure that each web server looks at itself to access the web services preventing any trips back out to the load-balancer – and possibly calling the web service another web server in the farm.  This will be much less efficient.
    • If this problem appeared to be inconsistent (sometimes erroring, sometime successful), this is most likely due having multiple web servers.  The call to the web service will be successful if by chance the load balance redirected the call to the same (self) web server to access the web service.  It will fail when trying to call across to a different web server.

References:

Advertisements

JavaScript Object Browser Sample

Note: This is a repost from my old blog:
http://blogs.crsw.com/mark/articles/652.aspx

Below is a small JavaScript application that allows you to browse through various objects on the DOM as well as JavaScript variables.  I wrote this in an attempt to better understand the differences between various web browsers, specifically Internet Explorer, Netscape, and Firefox.

Downloads:

– You can download my sample.

Demo:

Click here to view the demo page. (no longer active)

You will find a top level window object with all its immediate children located blow.  Links are available on child objects where appropriate.  This is 100% driven by looking at each object property generically, meaning, nothing is hard-coded.  This allows any of your custom JavaScript variables (in a Netscape browser its even better) to be viewed.

Areas I found of particular interest:

  • the windows.document node of the tree.
  • functions will appear with a function link.  Clicking on this link will reveal the JavaScript for that function.  My demo below will show the javascript by drilling into (clicking) on the window.document.onreadystatechange node.
  • the window.top.document.scripts link will list all the script tags, and the associated script if the actual script is embedded within the document.

I hope to improve and use this when debugging scripts.  Again, by adding two small links to javascript (via script tags) this becomes available on any page I like.

 

These javascript files are available for download (above) so that you can reference these files on your own server.

Below is a link to the demo, but FIRST, the remember to look at the root window node in the tree.  This will expand to show the context of the child items in the tree view.  For example, if you click on the document node, the root node will change from window to window.document, and the child nodes will change to reflect the child objects for the document node.  Additionally, the window portion of the root node can be clicked to return to the root window context.