Friday, June 4, 2010

Making a SharePoint 2010 site externally available (Alternate Access Mappings, Host Header Bindings)

Scenario:
How to make a SharePoint 2010 site externally available?

Explanation:
This is a very fundamental scenario that many SharePoint developers may encounter in the SharePoint world.

To make a SharePoint site externally available, follow the steps below.

Point the desired host name (portal.sitename.com, for example) to the public IP address of the SharePoint server (the IP of the server in a single-server farm, or of the load balancer in a multi-server farm). Typically the network administrator does this. Once that has been set, all requests for http://portal.sitename.com will be directed to the specified SharePoint server. But the SharePoint server needs to know which site to serve for such requests, so we need to configure host name bindings in IIS.

Open IIS Manager, select the desired SharePoint site and choose "Edit Bindings".




In the resulting screen, click "Edit".




Next, provide the host name (portal.sitename.com in this case).



Now it's time to configure Alternate Access Mappings in SharePoint.
Go to Central Admin > Application Management > Alternate Access Mappings.


 
Click on "Edit Public URLs" and then choose the appropriate Alternate Access Mapping Collection.



All looks fine now. At this point, if you create a new site collection and try to access the host (http://portal.sitename.com) from a different machine than the server, it works. But if you try to access the host from within the server, you may get a 404 page not found error.

While we are aware of the problems that SharePoint can encounter related to the Windows Server loopback check issue and host headers, I just wanted to reiterate that while it is OK to outright disable the check in dev/qa environments, we should instead be specifying a list of acceptable host names in the registry for production environments.

Completely disabling the check is a security hole that would likely be picked up should one of our production environments be audited.

Both techniques for handling the Loopback check issue are covered in this KB article: http://support.microsoft.com/kb/896861

Thanks a lot to our Practice Lead David Perkinson for helping me resolve this issue.

Specify host names (Preferred method if NTLM authentication is desired)
To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
  1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base: 281308 (http://support.microsoft.com/kb/281308/ ) Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
  2. Click Start, click Run, type regedit, and then click OK.
  3. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  4. Right-click MSV1_0, point to New, and then click Multi-String Value.
  5. Type BackConnectionHostNames, and then press ENTER.
  6. Right-click BackConnectionHostNames, and then click Modify.
  7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  8. Quit Registry Editor, and then restart the IISAdmin service.
Now we should be able to access the site using the host name both internally as well as externally.
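
Steps 3 to 8 above as a script, as an added example that is not from the original post or the KB article: it warns if the loopback check has been disabled outright, then adds the host name to BackConnectionHostNames without dropping entries that are already there. The DisableLoopbackCheck value name is the one documented in KB 896861 rather than quoted in this post, and portal.sitename.com is the sample host used above; step 1 is not covered.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Sample host name from this post; replace with the host headers of your own sites.
$HostNames = @('portal.sitename.com')

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = Join-Path $lsaKey 'MSV1_0'

# Audit first: DisableLoopbackCheck = 1 means the check is switched off entirely.
# The value name is the one documented in KB 896861; it is not quoted in this post.
$lsa = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning "DisableLoopbackCheck is 1 on $env:COMPUTERNAME; prefer BackConnectionHostNames in production."
}

# Steps 3-6: read the existing multi-string value, if there is one.
$current = @()
$existing = Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue
if ($existing) { $current = @($existing.BackConnectionHostNames) }

# Step 7: merge the new names with the existing ones (blank entries and duplicates dropped).
$merged = @($current + $HostNames | Where-Object { $_ } | Sort-Object -Unique)

# -Force creates the value if it is missing and overwrites it if it already exists.
New-ItemProperty -Path $msvKey -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null

# Step 8: restart the IISAdmin service so the change takes effect.
Restart-Service -Name IISADMIN

# Show the final list for the change record.
(Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames).BackConnectionHostNames
```

Because the existing entries are merged rather than replaced, the script can be re-run whenever a new host header is added to the server.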
