BackConnectionHostNames configuration

When you start the Dynamics 365 Business Central Web Client, you may encounter the message “Access Denied.” This is caused by a Windows security feature. You can resolve this by disabling the loopback check functionality or by configuration of the BackConnectionHostNames registry key.

The BackConnectionHostNames configuration is a Windows registry setting used to resolve issues with local access to a server via a Fully Qualified Domain Name (FQDN) or a CNAME alias. This issue can occur after installing certain Windows Server updates — for example, for Windows Server 2003 Service Pack 1.

When you try to access a server locally using the FQDN or CNAME alias, you might receive error messages like “Access Denied” or “No network provider accepted the given network path.” This is due to a security feature called loopback check functionality, which is enabled by default.

Start configuration of the BackConnectionHostNames registry entry

Here are the steps:

1. Open the Registry Editor (regedit).
2. Navigate to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click on the Lsa key, select New, and then click on Multi-String Value.
4. Name it BackConnectionHostNames and press Enter.
5. Right-click on BackConnectionHostNames and select Modify.
6. In the Value data field, enter the CNAME or DNS alias used for the local shares on the computer, and click OK.

After completing these steps, you should be able to access the server locally using the FQDN or CNAME alias without any issues.

Configuration of BackConnectionHostNames versus Disabling Loopback Check

Both BackConnectionHostNames and disabling loopback check address the same problem — local access using a FQDN or alias — but they do so in different ways.

Advantages of BackConnectionHostNames:

• Targeted solution: Only disables loopback check for the specified hostnames, leaving the security feature intact for all others.
• Security: Maintains protection against certain types of attacks (e.g., reflection attacks) for non-specified connections.

Disadvantages of disabling loopback check entirely:

• Reduced security: Turning off loopback check system-wide can expose your system to potential attacks.
• Less control: It’s a broader measure and doesn’t allow fine-grained control over which connections are affected.

In summary, configuring BackConnectionHostNames offers a more targeted and secure approach to resolving local access issues. Disabling the loopback check is a more general and potentially less secure alternative.

More information can be found in this Microsoft KB article:
Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1 – Windows Server | Microsoft Learn

More information about Dynamics 365 Business Central can be found here.