After upgrading to .NET Framework 3.5 Service Pack 1 on my SharePoint web servers you may get the following Unauthorized exception.

Type: WebException, Exception Message: The request failed with HTTP status 401: Unauthorized.

This error really has nothing to do with SharePoint, and is really just an IIS web services related item.  This problem is due to an added bit of security included in the .NET Framework 3.5 Service Pack 1.  Here is the Microsoft KB article explaining the issue and how to work around the problem.  This Microsoft article refers to the problem coming after applying other service packs for Windows XP and Server 2003, but .NET Framework 3.5 Service Pack 1 is also now using this same bit of added security – the loopback check.

You will likely not encounter this problem on a single web server configuration and if you are using the server name to access the web site.

However, most enterprise SharePoint farms consist of at least two web servers that are load balanced.  This is where the problem exists.

Likely Cause:

  • You are calling your web services from your web servers using the load-balanced URL, not the server name.

This isn’t a bug.  There was a security fix built into the Windows networking stack that prevents a machine name that resolves to the loopback address from accepting a connection unless that machine name matches the NETBIOS name.

One option is to use the server name instead of the load balanced IP.  This should remedy the problem.  However, the standard method to apply configuration changes across a SharePoint farm is via SharePoint solution files.  This usually requires the configuration entries to be the same across all the web servers in the SharePoint farm, and using the load balanced URL is likely the most appropriate.

Suggested configuration changes to resolve this:

  • Add the DisableLoopbackCheck registry entry discussed in this Microsoft KB article.  Note: you will need to reboot your server before the DisableLoopbackCheck takes effect.
  • Be sure to add your load balanced host name for your web farm to the Hosts file on each front end web server.  Use the loop-back IP address (127.0.0.1).  This will ensure that each web server looks at itself to access the web services preventing any trips back out to the load-balancer – and possibly calling the web service another web server in the farm.  This will be much less efficient.
    • If this problem appeared to be inconsistent (sometimes erroring, sometime successful), this is most likely due having multiple web servers.  The call to the web service will be successful if by chance the load balance redirected the call to the same (self) web server to access the web service.  It will fail when trying to call across to a different web server.

References: