I’ve come across this issue a few times before so thought it wise to make a note here.
When I do an SBS 2003 to 2008 migration I always seem to come across the following SharePoint warning/error in the application event log every 5 minutes after running through the Internet Address Management Wizard. The purpose of this wizard is to setup Microsoft Exchange, Windows SharePoint Services etc for your external access address (ie remote.companyname.com).
Log Name: Application
Source: Windows SharePoint Services 3 Search
Date: 19/03/2010 2:05:13 PM
Event ID: 2436
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: server.companyname.internal
Description:
The start address <sts3s://remote.companyname.com:987/contentdbid={ddfe36b2-4c21-45cc-84cc-0ee8bc5b18d4}> cannot be crawled.Context: Application ‘Search index file on the search server’, Catalog ‘Search’
Details:
Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has “Full Read” permissions on the SharePoint Web Application being crawled. (0×80041205)
and
Log Name: Application
Source: Windows SharePoint Services 3 Search
Date: 19/03/2010 2:05:13 PM
Event ID: 2424
Task Category: Gatherer
Level: Error
Keywords: Classic
User: N/A
Computer: server.companyname.internal
Description:
The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.Context: Application ‘Search’, Catalog ‘index file on the search server Search
The fix and explanation for this issue can be found here: http://blogs.technet.com/sbs/archive/2009/05/07/event-2436-for-sharepoint-services-3-search.aspx
Cause
You receive above warning events because WSS3.0 Search service is trying to crawl the WSS content via the URL – remote.domain.com, which is mentioned in above event. Windows Server 2008 includes a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, Kerberos authentication on Default Content Access Account fails if this URL does not match the local computer name and is not registered in system as additional Service Principle Name (SPN).
Resolution
To resolve this issue, it is recommended to manually register the URL in your system, or even disable the Loopback check feature. To register this URL, please use the following steps,
Note: We recommend that you use this method.
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0- Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames, and then press ENTER.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the URL mentioned in the above warning event, and then click OK.
- Quit Registry Editor, and then restart the IIS service.
If you want to disable Loopback Check feature to work around this issue, please refer to the Method 2 in the following KB article
896861 You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
More Information
WSS3.0 Search service crawls the WSS content by default Alternate Access Mapping Zone. Not like normal WSS 3.0 website, which uses http://SiteName as the default Alternative Access Mapping, SBS 2008 server uses https://remote.domain.com:987 as the default Zone. This is by design, and we do not recommend changing it to http://companyweb, as it may break the SBS specific settings.
Additionally, changing the Default Content Access Account for content crawl is NOT officially supported method to work around this issue, as it has not been tested and can cause other potential issues.