Wednesday, May 6, 2009

“Access is denied” entries in SharePoint Search logs and authentication prompts

 

During the Spring of 2009 we were implementing several MOSS 2007 farms for one of my clients. The environment was: MOSS 2007 SP1 w/Infra Update, Windows 2008/IIS7, IE6/7 client. The index servers were dedicated web front end index servers. We were experiencing the following issues:

The issue:

While administrators were remote desktop’d (RDP’d) on any of the web front end servers, they would browse to the Shared Service Provider (SSP) administration page and get authentication prompts.

We were also experiencing the following “Access is denied” errors in the search logs:

Access is denied. verify that either the default content access account has access to this repository or add a crawl rule to crawl this repository. if the repository being  crawled is a sharepoint repository verify that the account you are using has full read permissions on the sharepoint web application being crawled. the item was deleted because it was either not found or the crawler was denied access to it.

The authentication prompts would occur when browsing to the SSP admin page served by the same web front end the administrator was RDP’d on. The “access is denied” errors would appear when the indexer crawled itself as a dedicated WFE/indexer.

After doing some research, I discovered several articles on the internet that mentioned that loopback checking should be disabled for SharePoint implementations. I learned that many folks implementing MOSS on Windows 2008 forget to disable loopback checking (including myself). This caused various issues, including those that I experienced.

Here is another error that may occur with IIS6 and Windows 2003 with SP1 due to this setting:

HTTP 401.1 - Unauthorized: Logon Failed.

This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address. Please refer to this link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;896861

Windows 2008 has this security feature enabled by default. In fact, SP1 for Windows 2003, I understand, also enables loopback checking.

The solution:

Disable loopback checking on your SharePoint servers. To do that, do the following:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.
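
The registry change from steps 1 to 6, scripted in PowerShell as an added example (not part of the original post). It also shows the host-name-scoped alternative described in the linked KB896861, `BackConnectionHostNames`, which leaves the loopback check enabled; the function names and the sample host name are assumptions.

```powershell
# Added example; function names and the sample host name are hypothetical.
# Run from an elevated PowerShell session on the SharePoint server.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = Join-Path $LsaKey 'MSV1_0'

function Get-LoopbackCheckState {
    # Report both values so the change can be reviewed before and after.
    $lsa = Get-ItemProperty -Path $LsaKey   -Name DisableLoopbackCheck    -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        # $null means the value is absent, i.e. the loopback check is enforced.
        DisableLoopbackCheck    = if ($lsa) { $lsa.DisableLoopbackCheck } else { $null }
        BackConnectionHostNames = if ($msv) { @($msv.BackConnectionHostNames) } else { @() }
    }
}

function Set-DisableLoopbackCheck {
    # Steps 1-6 of the post: DWORD DisableLoopbackCheck = 1 under the Lsa key.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set DisableLoopbackCheck = 1')) {
        New-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Add-BackConnectionHostName {
    # Alternative from KB896861: keep the check on and exempt only the
    # host names that map back to this server.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$HostName)
    $current = (Get-LoopbackCheckState).BackConnectionHostNames
    $merged  = @($current + $HostName | Where-Object { $_ } | Sort-Object -Unique)
    if ($PSCmdlet.ShouldProcess($Msv10Key, "Set BackConnectionHostNames = $($merged -join ', ')")) {
        New-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }
}

Get-LoopbackCheckState
Set-DisableLoopbackCheck -WhatIf   # preview only; drop -WhatIf to apply, then restart (step 7)
# Add-BackConnectionHostName -HostName 'ssp.example.local' -WhatIf   # constructed host name
```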
