Tuesday, March 01, 2011

Configuring BackConnectionHostNames for the Loopback Check

It's not always easy doing the right thing. At this stage, we all probably know about the loopback check issue when trying to access a site by host name on Windows Servers (http://support.microsoft.com/kb/896861).

You probably know that there are two ways of dealing with this issue - disabling the check or providing a safe list of sites.

The easiest thing to do is disable the check. But that doesn't make it right. The check is there to protect your system against nasties that want to do bad things to your server.

So that leaves us with the option of defining a safe list of addresses that the server can access locally. Sounds easy, but I've had problems every now and again with getting this to work and the temptation is to just revert to disabling the check. So I thought I'd share some rules that I follow when setting the BackConnectionHostNames entry:

1. Don't include the protocol - e.g. "mywebsite" rather than "http://mywebsite"
2. Put each entry on its own line
3. Use lowercase - e.g. "mywebsite" rather than "MyWebSite"
4. If it is an internal site, include the short name as well as the fully qualified domain name (e.g. "mywebsite" and "mywebsite.domain.somewhere.local")
5. Reboot after you have created the BackConnectionHostNames registry entry. I believe that you don't need to reboot for subsequent changes to this key, but I probably would - call me superstitious.
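
The rules above applied in one script, as an added example that is not from the original post. It assumes the value is a multi-string under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` (the location KB 896861 documents), uses constructed host names, and the helper name `ConvertTo-BackConnectionEntry` is hypothetical. Run it from an elevated PowerShell prompt.

```powershell
# Key path and value type as documented in KB 896861 (assumption: not stated in the post).
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Constructed sample input, deliberately messy; replace with your own site names.
$requested = @('http://MyWebSite', 'mywebsite.domain.somewhere.local', 'MYWEBSITE')

# Hypothetical helper: normalise names according to rules 1 and 3.
function ConvertTo-BackConnectionEntry {
    param([string[]]$Name)
    $out = foreach ($n in $Name) {
        $h = ([string]$n).Trim() -replace '^[a-z][a-z0-9+.-]*://', ''  # rule 1: no protocol
        $h = ($h -split '[/:]')[0]                                     # drop any port or path
        if ($h) { $h.ToLowerInvariant() }                              # rule 3: lowercase
    }
    $out | Select-Object -Unique                                       # remove duplicates
}

# Merge with whatever is already in the registry so existing entries are kept.
$existing = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$isNew    = $null -eq $existing
$merged   = @(ConvertTo-BackConnectionEntry -Name (@($existing) + $requested))

# Rule 4: flag any fully qualified name that is listed without its short name.
foreach ($fqdn in ($merged | Where-Object { $_ -like '*.*' })) {
    $short = $fqdn.Split('.')[0]
    if ($merged -notcontains $short) {
        Write-Warning "Rule 4: '$fqdn' is listed without its short name '$short'"
    }
}

# Rule 2: a MultiString (REG_MULTI_SZ) value stores one entry per line.
New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType MultiString `
    -Value $merged -Force | Out-Null

# Show what was written, then apply rule 5.
(Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName
if ($isNew) {
    Write-Host 'BackConnectionHostNames was created for the first time: reboot (rule 5).'
}
```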