SharePoint Multiple WFE Double Hop Authentication Fix

By On July 11, 2012 · Leave a Comment · In Administration

Problem

When you have more than 1 web front end configured with load balancing / DNS round-robin, you will find that web service calls start to fail. For example, the GetUserProfile function that allows you to look up user information from the User Profile database will fail with the following error.

The remote server returned an error: (401) Unauthorized.

Cause

This is due to a double-hop authentication issue and occurs when you are using NTLM as your authentication method. Several guides suggest using Kerberos as a fix but our environment is not ready to implement it yet. Kerberos is also a pain in the ass to set up and work with.

Work Around

Note that this is not a solution but a work-around. We eventually want to go with Kerberos in our environment, but in the meantime the following work-around is sufficient for us. You will need to do two things to get this working.

Modify the host file on all your Web front end servers.

  1. Browse to c:\windows\system32\drivers\etc
  2. Open NotePad as an administrator and open the ‘hosts’ file located in the above directory.
  3. Copy the contents of the file.
  4. Run another instance of NotePad as an administrator and paste the copied contents into the new file.
  5. Delete the ‘hosts’ file located in step 1.
  6. Add the hostnames for the websites you are hosting and point it to the REAL IP address of the server, e.g. 192.168.1.212.
  7. Save the file in the same location as step 1, ensure that it is called ‘hosts’ with no file extension.
  8. Perform the above steps on all of your web front ends, changing the IP address in the ‘hosts’ file to the IP address of each server.

Modify the registry of all your Web front end servers.

  1. Go to Start -> Run -> RegEdit
  2. Browse to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Create a new Multi-String Value called BackConnectionHostNames
  4. Right click on BackConnectionHostNames and click Modify.
  5. Enter the hostnames of each of your websites, one on each line.
  6. Save your changes.
  7. Restart the IIS Admin Service.
  8. Perform the above steps on all of your web front ends.

Test by opening an InfoPath form that uses the GetUserProfile function, you should no longer receive an error  and the form should populate automatically with user information.

References

http://support.microsoft.com/kb/896861
http://mshorrosh.blogspot.com.au/2012/04/error-publishing-sharepoint-2007-w.html

Tagged with:
 
If you enjoyed this article, please consider sharing it!