Nice picture of a blizzard, but dude, where’s my site?

by Ed Fisher on 2010-04-09

in Infrastructure

 

Have you ever tried to access a perfectly good SharePoint site using the browser on the SharePoint server itself, only to encounter a completely blank page? I have, and it is no fun, let me tell you. While this can be considered a by design behaviour, and is intended to improve security, there are times when a SharePoint admin needs to view a SharePoint site, while on the SharePoint server. This article should help you fix this.

The complaint

You have a Windows 2008 server running MOSS. You have configured a number of SharePoint sites, all of which are configured to use the default ip.addr and port 80. You set up host headers so this would work. From a workstation, you can access the various sites without issue, but if you are on the console (or RDP) of your Windows 2008 server running MOSS 2007, it fails. You launch IE and try to access one of your SharePoint sites (not Central Admin). It prompts you for authentication several times in a row, and then finally displays a blank page.

 

The Symptoms

After several attempts to authenticate, a blank page is displayed in IE.

IIS logs show 401 2 5 errors (HTTP status 401, substatus 2, Win32 status 5, which is access denied).

Security log shows Source Microsoft Windows security, Event ID 4625, Task category Logon. The subject shows as a NULL SID, but if you scroll down you’ll see the domain account that you used.

Security event log, not System 

The Cause

You’re trying to connect to yourself, and this functionality was turned off in Windows 2003 SP1 and later to reduce the vulnerability to denial-of-service and man-in-the-middle attacks, particularly against NTLM authentication. While it would be better (security-wise) to leave this alone, and only access your sites from another machine, that may not be practical. As long as you understand that you are reducing security in the name of convenience, here is how to make this work for you. Please only do this for your development environment. For your production system, deal with this restriction and use a second machine when you need to view sites.

The Cure

We need to enable something called BackConnectionHostNames on our server, for each FQDN that we need to use. This will require a reboot, so be prepared, get approval, turn off Nagios, etc. if this is a production box.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Browse down to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Name the new value BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the CNAME or the DNS alias that is used for the local shares on the computer, and then click OK. You will need to add each FQDN, one line at a time (press ENTER after each).
  7. Close regedit, and then reboot.
  8. Log on, launch IE, and you should now be full of win.
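
The same registry change as a PowerShell script, added here as an example and not part of the original post: it validates each name, merges it into the existing multi-string value without duplicates, and writes only when asked to. The host names are constructed placeholders, the `-Apply` switch and variable names are this example's own, and the final check looks at `DisableLoopbackCheck`, a related registry value the post does not mention.

```powershell
# Added example; not from the original post. Run from an elevated prompt.
# Host names are constructed placeholders; -Apply is this script's own switch.
param(
    [string[]]$HostNames = @('portal.dev.example.test', 'teams.dev.example.test'),
    [switch]$Apply   # without -Apply the script only reports what would change
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name = 'BackConnectionHostNames'

# Current REG_MULTI_SZ entries (empty when the value does not exist yet).
$prop     = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$existing = @($prop.$name | Where-Object { $_ })

# Accept only plain FQDNs: no wildcards, IP addresses, ports or URLs.
$fqdn  = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
$valid = foreach ($h in $HostNames) {
    $h = $h.Trim().ToLowerInvariant()
    if ($h -match $fqdn) { $h } else { Write-Warning "Skipping '$h': not a plain FQDN" }
}

# Merge case-insensitively so re-running the script never duplicates a line.
$merged = @(@($existing) + @($valid) | Where-Object { $_ } | Sort-Object -Unique)
$added  = @($merged | Where-Object { $existing -notcontains $_ })

"Existing entries : $($existing -join ', ')"
"Entries to add   : $($added -join ', ')"

if ($added.Count -eq 0) {
    'Nothing to change.'
} elseif ($Apply) {
    New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
        -Value ([string[]]$merged) -Force | Out-Null
    'Value written. Reboot before testing, as in the steps above.'
} else {
    'Dry run only. Re-run with -Apply to write the value.'
}

# Related check (this value is not mentioned in the post): DisableLoopbackCheck=1
# under ...\Control\Lsa switches the loopback check off for every host name,
# which is broader than the per-name list managed here.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
if ($lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for all names.'
}
```

Running it without `-Apply` first gives a reviewable list of exactly which names would be exempted from the loopback check on that server.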

It’s not often I can find a video to close a post that has a perfect title, but this Smashing Pumpkins song is melodic, mellow, and you can’t beat the title for relevance to this post. Enjoy!

If this solved your boggle, please leave me a comment and let me know.


anonymouse 2010-05-12 at 14:24

This fixed me right up, thanks! Where can I download “Retrohack’s Greatest Hits?” Love the Smashing Pumpkins!
