什么是loopback check?

Loopback check security feature是在Microsoft Windows Server 2003 Service Pack 1 (SP1)中新加入的. 它的目的是在你的计算机上阻止reflection攻击. 所以, 如果使用FQDN或者自定义的跟计算机名字不匹配的host header的来访问计算机本机的时候, authentication会失败.

如何关掉loopback check?

1. Set the DisableStrictNameChecking registry entry to 1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

 

2011-10-26 更新

我的同事Shuo遇到了一个非常奇怪的症状, 管理中心站点里Manage services on server这个链接不见了. 从症状上看, 明显是被security trim掉了.

经检查, Farm admin, local admin, site collection admin, 权限全都有.

最后, Shuo把这个问题解决了. 方法居然是上面的关掉loopback check.

loopback check引起问题我们是见过的, 无非是站点在自己的机器上打不开. 这个问题的解决很出乎意料, 故记录在这里.

 

摘译自:

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version

http://support.microsoft.com/kb/896861

Loop Back Check

http://www.cnblogs.com/awpatp/archive/2010/06/01/1748994.html

DisableLoopbackCheck & SharePoint: What every admin and developer should know

http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx