SharePoint–Disable LoopBack Check

A while ago Microsoft released a “fix” that caused issues with NTLM authentication issues when you try to access a server locally.  This is because Microsoft has created a new security feature called the loopback check and by default the value of the DisableLoopbackCeck registry value is set to 0.  Most of the posts I’ve read will say to set the value to 1 with the standard “but Microsoft does not recommend this for production”. 

The registry value you need to change is located here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

LSA stands for the “Local Security Authority”.  Rather thank just disabling the loopback, you can run the following method to get rid of the annoying pop-up when locally accessing the resources from the server:

Method 1 : Create the Local Security Authority host names that can be referenced in an NTLM authentication request

To do this, follow these steps for all the nodes on the client computer:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. In the Name column, type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK.
    Note Type each host name on a separate line.
    Note If the BackConnectionHostNames registry entry exists as a REG_DWORD type, you have to delete the BackConnectionHostNames registry entry.
  7. Exit Registry Editor, and then restart the computer.

However, if you want to kill the fly with a sledgehammer and don’t want to have to deal with iterating through/typing all of the BackConnectionHostNames, there’s always the tried and true method of just turning the darn thing off:

Method 2: Disable the authentication loopback check

Re-enable the behavior by setting the DisableLoopbackCheck registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1. To set the DisableLoopbackCheck registry entry to 1, follow these steps on the client computer:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor.
  8. Restart the computer.

Method 3: Disable the authentication loopback check with PowerShell

  1. Open a Powershell console and enter the following:
    New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value "1" –PropertyType dword
  2. Restart the computer.

However, realize that this is a bad idea on production systems because the NTLM reflection protection is part of a fix for the SMB vulnerability.  This problem occurs because of the way that NT LAN Manager (NTLM) treats different naming conventions as remote entities instead of as local entities. A local authentication failure might occur when the client calculates and caches the correct response to the NTLM challenge that is sent by the server in local "lsass" memory before the response is sent back to the server. When the server code for NTLM finds the received response in the local "lsass" cache, the code does not honor the authentication request and treats it as a replay attack. This behavior leads to a local authentication failure.  Disabling NTLM reflection protection on an affected system will return the system to a vulnerable state for the particular SPN for which the reflection protection was disabled.

Remember: If you turn off the loopback check you are leaving your server or SPN open to a replay attack and could allow remote code execution.

6 thoughts on “SharePoint–Disable LoopBack Check”

  1. I can’t believe no one else has not thanked you, especially as much as I’d like too, for providing an article on this topic with such a short, concise and on-target explanation, in addition to solution examples and warnings.

  2. Thank you very much for the great info.
    I tried the first method but it didn’t work 🙁
    I suspect that i wrote the wrong format in the key BackConnectionHostNames

    I can access the site using it’s defined name on the DNS which is mysite
    from another machine but not from the local machine

    So what format should i write on the key value? should i write http://mysite/ or just mysite?

Leave a Reply