When you have more than 1 web front end configured with load balancing / DNS round-robin, you will find that web service calls start to fail. For example, the GetUserProfile function that allows you to look up user information from the User Profile database will fail with the following error.
The remote server returned an error: (401) Unauthorized.
This is due to a double-hop authentication issue and occurs when you are using NTLM as your authentication method. Several guides suggest using Kerberos as a fix but our environment is not ready to implement it yet. Kerberos is also a pain in the ass to set up and work with.
Note that this is not a solution but a work-around. We eventually want to go with Kerberos in our environment, but in the meantime the following work-around is sufficient for us. You will need to do two things to get this working.
Modify the host file on all your Web front end servers.
- Browse to c:\windows\system32\drivers\etc
- Open NotePad as an administrator and open the ‘hosts’ file located in the above directory.
- Copy the contents of the file.
- Run another instance of NotePad as an administrator and paste the copied contents into the new file.
- Delete the ‘hosts’ file located in step 1.
- Add the hostnames for the websites you are hosting and point it to the REAL IP address of the server, e.g. 192.168.1.212.
- Save the file in the same location as step 1, ensure that it is called ‘hosts’ with no file extension.
- Perform the above steps on all of your web front ends, changing the IP address in the ‘hosts’ file to the IP address of each server.
Modify the registry of all your Web front end servers.
- Go to Start -> Run -> RegEdit
- Browse to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Create a new Multi-String Value called BackConnectionHostNames
- Right click on BackConnectionHostNames and click Modify.
- Enter the hostnames of each of your websites, one on each line.
- Save your changes.
- Restart the IIS Admin Service.
- Perform the above steps on all of your web front ends.
Test by opening an InfoPath form that uses the GetUserProfile function, you should no longer receive an error and the form should populate automatically with user information.
- Short break
- Speed up SharePoint using the IIS Blobcache
- Could not generate mail report.An exception occurred while executing a Transact-SQL statement or batch.No global profile is configured. Specify a profile name in the @profile_name parameter.
- Microsoft SharePoint is not supported with version 4.0.30319.296 of the Microsoft .Net Runtime.
- PowerShell script to update all Site Collection Owners
- SharePoint Keeps Prompting for Credentials Problem SharePoint keeps prompting you for credentials in the following scenarios: You ...
- Security Token Service Application- Broken Problem Had an issue today on one of my developer's VMs. ...
- User Profile Service Stuck on Starting Problem You have followed Harbar's Rational Guide to setting up the ...
- Event 8313 Topology – Load Balancer EndpointFailure – SearchService.svc Problem Encountered the following error while analysing the logs on our ...
- Event 6398 and 5586 SharePoint Foundation Problem Event logs were getting filled with the following errors: Event 5586, ...
- The security validation for this page is invalid Problem: After applying SharePoint 2010 Service Pack 1 and June 2011 ...
- The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered. Problem You install .NET Framework 4.0 on your SharePoint 2010 WFE ...
- Start a workflow using PowerShell Requirement Start a workflow on all / specific items in a ...
- Using Export-SPWeb to export libraries / lists This is a simple one but many people get the ...
- Unable to change User Profile Service Account Problem So you made a mistake by trying to change the ...