Friday, December 5, 2008

.NET Framework 3.5 SP1 and SharePoint Search/InfoPath/Etc.

Recently, I installed .NET Framework 3.5 SP1 onto my production SharePoint WFE after thoroughly testing a new AJAX-based field control I had developed. In my staging and development environments, I encountered no issues with the framework itself; however, once I installed it on production, a couple of issues arose:

  • Administrator-approved InfoPath forms with custom code were causing errors (no indication of what the error was)
  • Search Service was failing to crawl content with the error "Access Denied."

After some Googling, I came across an MS KB article and an MSDN blog, both referring to a security feature in IIS 6 called "loopback check." This feature was added (also present in IIS 5.1) to prevent reflection attacks on the server. Please see the blog entry by jiruss for more information on this feature.

Of the two workarounds listed (disabling the loopback check, or modifying the host names specified in the registry), I believe modifying the host names to be the best solution. I agree with jiruss that completely disabling the loopback check increases the attack surface area of your system and should be avoided.

The actual modifications I made were to add the URL/host headers/AAM mappings for my various sites (main portal and mysites were the only two that did not use the machine name in AAM) to a newly created "Multi-String Value" registry key called BackConnectionHostNames (each entry on a separate line) at the registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
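
The same change can be scripted so that it merges with whatever is already in the value instead of overwriting it. This is an added example, not code from the original post; the two host names are placeholders for your own AAM/host header names, and the last step reports whether the broader DisableLoopbackCheck workaround is still switched on.

```powershell
# Added example: merge host names into BackConnectionHostNames (REG_MULTI_SZ)
# without dropping entries that are already present. Run from an elevated prompt.

# Placeholders (assumption): replace with the host headers / AAM names of your sites.
$HostNames = @('portal.example.com', 'mysites.example.com')

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Read the current multi-string value, if it exists.
$existing = @()
$prop = Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.BackConnectionHostNames) }

# Union of old and new names: trim, drop blanks, de-duplicate
# (Sort-Object -Unique compares case-insensitively, which suits host names).
$merged = @(
    (@($existing) + @($HostNames)) |
        Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim() } |
        Sort-Object -Unique
)

# Show what will change before writing.
$added = @($merged | Where-Object { $existing -notcontains $_ })
Write-Host ("Existing entries : {0}" -f ($existing -join ', '))
Write-Host ("Entries to add   : {0}" -f ($added -join ', '))

if ($added.Count -gt 0) {
    # -Force overwrites the value if present and creates it otherwise,
    # always as MultiString (one host name per line in regedit).
    New-ItemProperty -Path $msv -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    Write-Host 'BackConnectionHostNames updated.'
} else {
    Write-Host 'Nothing to add; value left unchanged.'
}

# Audit: a non-zero DisableLoopbackCheck turns the loopback check off for every
# host name, which is the wider workaround this post recommends avoiding.
$dlc = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($dlc -and $dlc.DisableLoopbackCheck -ne 0) {
    Write-Warning 'DisableLoopbackCheck is set; the loopback check is disabled server-wide.'
}
```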

Hope this helps any people experiencing "Access Denied" related issues after installing .NET framework 3.5 SP1.

Enjoy!
--andrew
