Access denied while crawling sites


Today I received the strangest error when I was configuring my SharePoint Virtual PC to crawl my websites. The crawler inserted an error for each web application containing the following text: Access Denied.

Since this was a new environment and I knew for certain that the accounts were set correctly, I was a bit amazed that it would give this error. Checking the default content access account rights in the “Policy for Web Application” in Central Administration, I saw that it was set correctly to “Full Read”.

I consulted one of my colleagues, but he did not have an answer for this either. The strange thing about all of this was that there was a web application that was crawled. The difference between the application that was crawled and the other applications was that for the other applications I created a host name. The application that was crawled was using “Computername:Port number”.
After looking in the SharePoint log files I found the following entry:

Couldn’t retrieve server http://dev.motion10-dev.local policy, hr = 80041205 – File:d:\office\source\search\search\gather\protocols\sts3\sts3util.cxx Line:543

Searching for this error with Google led me to a support page from Microsoft. The page states that when you are using Windows Server 2003 SP1 or Windows XP SP2, authentication fails because Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
Unfortunately, Microsoft states that this only occurs when you are using Windows Server 2003 SP1 or Windows XP SP2. As I found out, it also occurs when you are working with Windows Server 2008!

You can solve this problem by following one of the two solutions displayed below. I followed the second solution because I had this problem on a development machine. In a production environment I would have followed the first solution just like Microsoft recommends:

Solution 1:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
3. Right-click MSV1_0, point to New, and then click Multi-String Value.
4. Type BackConnectionHostNames, and then press ENTER.
5. Right-click BackConnectionHostNames, and then click Modify.
6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK. You do not have to use a separator character; just separate them by pressing ENTER.
7. Quit Registry Editor, and then restart the IISAdmin service.

Solution 2:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.
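
Solution 1 can also be scripted. The PowerShell below is an added example, not part of the original post or the Microsoft article: it merges host names into BackConnectionHostNames without dropping entries that are already there, restarts IISAdmin, and warns if DisableLoopbackCheck from Solution 2 is still set. The parameter name `$HostNames` and its default (the host name from the log entry above) are assumptions; run it from an elevated prompt.

```powershell
# Added example: Solution 1 as an idempotent script. Run from an elevated prompt.
param(
    # Assumption: host headers of the local sites; default is the host from the log entry.
    [string[]]$HostNames = @('dev.motion10-dev.local')
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey    = Join-Path $lsaKey 'MSV1_0'
$valueName = 'BackConnectionHostNames'

# Read the current multi-string value (absent on a fresh machine) and drop empty entries.
$prop     = Get-ItemProperty -Path $msvKey -Name $valueName -ErrorAction SilentlyContinue
$existing = @()
if ($prop) { $existing = @($prop.$valueName | Where-Object { $_ }) }

# Merge instead of overwrite, so host names registered earlier keep working.
# -notcontains compares case-insensitively, which matches how host names behave.
$merged = @($existing)
foreach ($name in $HostNames) {
    $name = $name.Trim()
    if ($name -and ($merged -notcontains $name)) { $merged += $name }
}

if ($merged.Count -gt $existing.Count) {
    # -Force replaces the value if it exists; MultiString creates it as REG_MULTI_SZ.
    New-ItemProperty -Path $msvKey -Name $valueName -PropertyType MultiString `
        -Value ([string[]]$merged) -Force | Out-Null
    # Step 7: restart the IISAdmin service (-Force covers services that depend on it).
    Restart-Service -Name IISADMIN -Force
    Write-Output "BackConnectionHostNames is now: $($merged -join ', ')"
} else {
    Write-Output 'All host names were already listed; nothing changed.'
}

# Solution 2 switches the loopback check off for every host name, so flag it if present.
$lsa = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: the loopback check is disabled for all names on this machine.'
}
```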

You can read the complete Microsoft Support Page here: http://support.microsoft.com/kb/896861