SharePoint 2013 - Disable Loopback Check

A very common problem occurs when you use an FQDN or a custom host header to access a SharePoint site locally from the server where it is hosted, running on IIS 5.1 or later: the browser prompts for credentials in a pop-up window.

Though this is very frustrating, it is a necessary evil that was introduced with Microsoft Windows Server 2003 Service Pack 1 (SP1) and is still present. The feature was designed to help prevent reflection attacks on the computer.

Reflection attack

“In computer security, a reflection attack is a method of attacking a challenge-response authentication system which uses the same protocol in both directions, i.e., the same challenge-response protocol is used by each side to authenticate the other side. The essential idea of the attack is to trick the target into providing the answer to its own challenge.

The general attack outline is shown below.

  1. The attacker initiates a connection to a target.
  2. The target attempts to authenticate the attacker by sending it a challenge.
  3. The attacker opens another connection to the target and sends the target this challenge as its own.
  4. The target responds to the challenge.
  5. The attacker sends that response back to the target on the original connection.”

Source - https://en.wikipedia.org/wiki/Reflection_attack

Steps to fix this issue in development and non-production environments

Using Registry Editor

Step 1

Press Windows key + R to open the Run dialog.

Step 2

Type the command REGEDIT


Step 3

Expand node “Computer -> HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control”.

Step 4

Locate the key named Lsa.

Step 5

Add a new DWORD entry.

  • Select the Lsa key.
  • In the right-hand panel, create a new DWORD entry.
  • Enter “DisableLoopbackCheck” in the Value name field.
  • Enter “1” in the Value data field.
  • Select the “Hexadecimal” radio button.
  • Click OK to save the DWORD.

Using PowerShell script

We can shorten the steps given above by creating the DWORD entry with PowerShell.

If we look at the Lsa registry key, we find that the DisableLoopbackCheck DWORD is not present.

Run the PowerShell command given below.

New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value 1 -PropertyType DWord

Once the command executes successfully, you can see that the DisableLoopbackCheck DWORD has been created.
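The registry change above, written as an added PowerShell example (not from the original article) that reports the current state, can be re-run, and can be undone once the development work is finished. The function names are hypothetical helpers and `portal.dev.example` is a constructed host name. `Add-BackConnectionHostName` is an assumption beyond the article: it uses Microsoft's documented `BackConnectionHostNames` value under `Lsa\MSV1_0`, which exempts only the listed host names instead of switching the check off for the whole machine.

```powershell
# Added example; run from an elevated PowerShell session.
$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableLoopbackCheck'

function Get-LoopbackCheckState {
    # An absent value or 0 means the check is active (the Windows default).
    $prop = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.$ValueName -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-LoopbackCheck {
    # Plain New-ItemProperty fails when the value already exists;
    # -Force overwrites it, so the function can be re-run.
    New-ItemProperty -Path $LsaPath -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Get-LoopbackCheckState
}

function Restore-LoopbackCheck {
    # Deleting the value returns the machine to the default behaviour.
    Remove-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    Get-LoopbackCheckState
}

function Add-BackConnectionHostName {
    # Narrower alternative (not in the article): exempt specific host names only.
    param([Parameter(Mandatory = $true)][string[]]$HostName)
    $path = Join-Path $LsaPath 'MSV1_0'
    $current = (Get-ItemProperty -Path $path -Name BackConnectionHostNames `
        -ErrorAction SilentlyContinue).BackConnectionHostNames
    # Merge with existing entries, dropping blanks and duplicates.
    $merged = @(@($current) + $HostName | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $path -Name BackConnectionHostNames -Value $merged `
        -PropertyType MultiString -Force | Out-Null
    $merged
}

# Read-only check of the current state:
Get-LoopbackCheckState
# Development box only:   Disable-LoopbackCheck
# When finished:          Restore-LoopbackCheck
# Per-host alternative:   Add-BackConnectionHostName -HostName 'portal.dev.example'  # constructed name
```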

This is a simple fix for a frustrating issue that we encounter frequently during web development.

Hope you found it helpful.