
SharePoint 2010 – Configuring Loopback Security and AAM

Wednesday, September 1st, 2010

SharePoint 2010 incorporates many of the security features found on the Server 2008 R2 platform. While this keeps security tight, it also raises the amount of awareness needed to properly configure some of the default security behaviours that trip up SharePoint deployments.

In particular, the LSA Loopback check has been one of the top reasons users cannot get the search service working correctly throughout the farm. The Loopback check was introduced back in Windows Server 2003 SP1 as a means to prevent unauthorized access through unrecognized domains or DNS paths: to stop attackers from using false DNS names and CNAMEs to reach sites, LSA Loopback watches for and blocks any unauthorized DNS access. Many new users, especially in a deployment environment rather than a production one, have disabled the Loopback check altogether, which restored their search services. To remedy the situation properly and keep this security feature in place, follow the procedure below to add your domain name to the trusted list so that search works with the Loopback check still enabled:

Navigate to REGEDIT and open the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0
Right-click the key and add a new Multi-String Value. Set its name to BackConnectionHostNames and set the value to the DNS name or CNAME you want to authenticate successfully (one host name per line).

LSA Loopback authentication in REGEDIT
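As an added example (not code from the original post), the same registry change scripted in PowerShell from an elevated prompt: it keeps any host names already in BackConnectionHostNames, never duplicates entries on re-run, and warns if the Loopback check has been switched off wholesale through the DisableLoopbackCheck value instead. The host names in $HostNames are placeholders; substitute the names you use in AAM.

```powershell
# Added example: register farm host names with the LSA loopback check
# instead of disabling it. Run in an elevated PowerShell session.
# Placeholder names; replace them with your own AAM host names.
$HostNames = @('intranet.contoso.local', 'search.contoso.local')

$Msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Flag the blunt workaround: DisableLoopbackCheck = 1 turns the check off
#    for every name, which is what BackConnectionHostNames lets you avoid.
$disable = (Get-ItemProperty -Path $LsaPath -Name DisableLoopbackCheck `
            -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($disable -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is disabled for all names. Remove it once BackConnectionHostNames is configured.'
}

# 2. Read the existing multi-string value, if the value exists yet.
$existing = @()
$prop = Get-ItemProperty -Path $Msv1Path -Name BackConnectionHostNames `
        -ErrorAction SilentlyContinue
if ($null -ne $prop) { $existing = @($prop.BackConnectionHostNames) }

# 3. Merge old and new names; Sort-Object -Unique is case-insensitive,
#    so re-running the script never adds a duplicate entry.
$merged = @($existing + $HostNames |
            ForEach-Object { $_.Trim() } |
            Where-Object   { $_ } |
            Sort-Object -Unique)

# 4. Write it back as REG_MULTI_SZ (the "Multi-String Value" type in regedit).
if (Test-Path -Path $Msv1Path) {
    Set-ItemProperty -Path $Msv1Path -Name BackConnectionHostNames `
                     -Value $merged -Type MultiString
    Write-Host "BackConnectionHostNames now contains:`n  $($merged -join "`n  ")"
} else {
    Write-Error "Registry key not found: $Msv1Path"
}
```

Microsoft's guidance for this setting is to restart the IISAdmin service (or reboot) afterwards so that IIS picks up the new list.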

Once you have added these values correctly, LSA will properly authenticate your DNS name and search will begin functioning. But we aren't in the clear yet. Alternate Access Mappings, or AAM, is a feature of SharePoint and IIS that configures alternate routes for accessing your SharePoint server. By configuring AAM you can define which names belong to the Internet, Extranet, Intranet, Trusted and other zones. To do so, navigate to SharePoint 2010 Central Administration, select System Settings, and choose Configure Alternate Access Mappings. Here you can select your collection and create zones for the different addresses.

Alternate Access Mappings menu

Now that you have properly configured access to SharePoint from different addresses, you should stop receiving Event Viewer messages about these issues. Now if only Microsoft did a better job of documenting these things in the Health Analyzer so many users wouldn't be stranded, but one step at a time, right?


Computer Limbo