Security Problems when Extending a Web Application in SharePoint

Question

So, I had a site running (http://servername) and wanted to add another URL, http: newURL to get to the same content. I wanted both sites to use the same active directory domain for users/authentication.

I extended my existing web application so that the new URL would work. I configured the authentication provider for the new zone to be the same as my existing one (NTLM and Windows authentication).

The problem is that I can not log into the site via the new URL, with the above security settings. It keeps saying access denied (IIS access denied page, not SharePoint). The only way it will let me in is if I turn on basic authentication which i do not want to do...

What am I missing? I also tried to just edit the Alternate Access Mappings without extending the web application and that didnt work at all...

Answer 1

While this belongs on serverfault.com, I'll suggest an answer here and hope that this question gets moved later.

It looks like you're running into the loopback check in Windows. Essentially, Windows is blocking requests for URLs where the host name does not match the local computer name. You'll find that the request works if you connect to your SharePoint site from another machine. This is a security feature designed to prevent certain types of attacks.

See this Microsoft KB article for more details.

There are two ways to resolve this (see the KB article for details on both):

1. Disable the loopback check completely, or
2. Specify "allowed" host names

I usually opt for 1 on a development server.