Fun with MOSS Search, Part I: Service Packs and Registry Hacks

SharePoint farms can take several forms.  Probably the most common one is the single-server farm (not to be confused with the "Simple Install", which is almost always a very bad idea).  If you're low on hardware -- or you just don't want to shell out for an extra server OS -- you can start out with all of your services on a single box and expand later as needed.

However, there are some roadblocks that will slow you down.  One of the most unexpected is the problem of crawling a SharePoint server from that same server.  If you've tried this recently, you may have gotten this ugly message in your crawl logs:

 Access is denied. Check that the Default Content Access Account has access to this content, or add a crawl rule to crawl this content. (The item was deleted because it was either not found or the crawler was denied access to it.)

"Why is this happening?" you may ask, after checking to make sure that your default content access account does indeed have access.  If everything else is in order, your problem is most likely something called "loopback checking".  Apparently this is a not-so-new security feature, which prevents anyone from accessing an Integrated Authentication website while logged on to the server itself.

"No problem", you say; "How do I turn it off?"

This is where it gets weird.

The only documented way to disable -- or work around -- this feature is to hack the registry.  The official KB article can be found at http://support.microsoft.com/kb/896861; however, since MS tech info has a way of disappearing over time, I've included a brief overview below.

Open Regedit and add a new Multi-String Value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. Name it BackConnectionHostNames; this will be the "white list" of domain names that can be accessed from the local server.

Once your new value is created, simply add in all of the host names that your crawler will need to hit on this machine.  Don't add protocols (http, etc); just feed it machine names and domain names as necessary.

That's all the configuration you need.  The KB article tells you to restart the IISAdmin service, but I had to do a full iisreset (remember to run as Administrator) before the changes took effect.

Obviously there should be a better way to deal with this than changing registry values, but you dance with whoever brought you.  Don't forget to add this to your disaster recovery plan; even the farm-level "everything" backup doesn't cover registry entries, so you'll need to keep track of it somewhere else.
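The same registry change can be scripted so it is repeatable and leaves a record for the recovery plan. This PowerShell is an added example, not from the KB article or the original post; the host names and the output file name are hypothetical placeholders, and it must be run from an elevated session.

```powershell
# Added example: maintain BackConnectionHostNames idempotently.
# Hypothetical host names; replace with the names your crawler actually uses.
$hostNames = @('portal.example.local', 'http://mysites.example.local/')

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Strip any protocol, port or path so only bare host names are stored.
$clean = $hostNames | ForEach-Object {
    ($_ -replace '^[a-z]+://', '' -replace '[/:].*$', '').Trim().ToLowerInvariant()
} | Where-Object { $_ }

# Read the current list, if the value already exists.
$existing = @()
$prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$valueName) }

# Merge old and new entries; Sort-Object -Unique is case-insensitive,
# so re-running the script never creates duplicates.
$merged = @($existing + $clean | Where-Object { $_ } | Sort-Object -Unique)

# -Force overwrites an existing value; MultiString maps to REG_MULTI_SZ.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType MultiString `
    -Value ([string[]]$merged) -Force | Out-Null

# Keep a copy of the list with your disaster recovery documentation
# (hypothetical file name), since farm backups do not include the registry.
$merged | Set-Content -Path '.\BackConnectionHostNames.txt'

# Show what is now in the registry so the result can be reviewed.
(Get-ItemProperty -Path $keyPath -Name $valueName).$valueName

# Full IIS restart, as the article found necessary for the change to take effect.
iisreset
```

Keep the list as short as the crawler requires: every name on it is exempted from the loopback check on this server.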
