Local SharePoint on Server 2008 Development

Sometimes I'm such an idiot I wonder how I get enough neurons firing in the morning to get out of bed. I've built a million virtual setups for SharePoint development (and a million really isn't an exaggeration, at least that's how I feel). They're all the same. Install this, configure that, lather, rinse, repeat.

Setting up a new VM today and for the life of me I couldn't get logged into the site no matter what account I used. You know that challenge/respose dialog you get and you just keep entering your domain\userid hoping to get in? When I setup a new VM I generally create a bunch of host names (trying to remember port numbers is for the birds) so either using the HOSTS file or using A records in DNS (if you're running it on a domain controller, which is what I was doing). These are simple names to remember like "sharepoint", "portal", "sandbox" and more specialized ones (for example I have a new one called "techdays2009" which is a web app just for doing my TechDays demos).

Like I said, I've done this untold numbers of times before and it's routine. However something always seems to trip me up. Trying to access any of the new sites didn't work. At. All. Of course there are no error messages, event logs are empty, and SharePoint basically says everything is normal. Thanks. That's a lot of help. Luckily I tried to create a new site using the server name and port number (think it was a DNS problem) and I could access the site. So I tried pinging the machine name vs. the host names and would get results (although the host name returned IPv6 results even though I have it disabled while host header names would return IPv4 results).

All of this was a wild goose chase.

Here's the problem. If you do this on Server 2003 it works fine. On Server 2008 Microsoft introduced a nice new "feature" to protect local loopback attacks. However this "feature" also creates a problem and doesn't let you use host headers in IIS web sites on local machines. There's a detailed description of the issue here but I only found that by searching for "sharepoint" and "disableloopbackcheck".

The problem also isn't very intuitive to find because the KB article is entitled "401.1 Error .. on IIS 5.1 or 6". In my case, I'm running on IIS 7 so this KB would probably never show up when looking for this problem. Oh yeah, and there was no 401.1 error (or any error for that matter).

In any case, the simple fix is to disable the check. The other option listed in the KB article is to specify host names. This works but is a PITA. So everytime you want to add a new site (say http://mysite) you have to do a registry edit? No thanks. Microsoft also doesn't recommend that you do this on production, but this is another piece of mis-information. You would never need this on production because we're only trying to access the site via host headers from the machine itself.

So bottom line is that if you have Server 2008 and want to use host headers with local development, do this:

  • Click Start, click Run, type regedit, and then click OK.
  • In Registry Editor, locate and then click the following registry key:
  • Right-click Lsa, point to New, and then click DWORD Value.
  • Type DisableLoopbackCheck, and then press ENTER.
  • Right-click DisableLoopbackCheck, and then click Modify.
  • In the Value data box, type 1, and then click OK.
  • Quit Registry Editor, and then restart your computer.

Then you'll be able to access your sites on the server using host names.


  • Actually, I seem to recall I did encounter a scenario whereby I needed to do this in production. In our production environment we have a single MOSS server, and this was required in order to permit the search crawler to index our separate web applications from the localhost.

  • This loopback check has been present in windows server since the 2003 version (I want to say SP1).

  • Actually, repeatedly seeing the credentials box is EXACTLY the 401.x error, in this case 401.1. Use fiddler, netmon or wireshark before you say there's no HTTP error.

    And for that matter, if regedit is a PITA, why not prepare a simple .reg file to easily fix this later on, even in a scriptable manner?

  • You are not alone..even after 1000 installations, I also feel the same. Each situation gives its own set of parameters.

  • Dsva4J I want to say - thank you for this!

Comments have been disabled for this content.