
Kerberos authentication and NLB clusters

When you use Kerberos as the authentication mechanism with SharePoint and want to configure NLB for load-balanced front-end servers, you have to configure an extra SPN for the NLB cluster name. This is because Kerberos uses the hostname as part of the Kerberos ticket request, even if the URL used is something different. This is described in detail in Microsoft KB929650.

With the following scenario, set the SPN names accordingly:
NLB server A: SPServerA.MyDomain.com
NLB server B: SPServerB.MyDomain.com
NLB Cluster Name: SPNLB.MyDomain.com
Web Application Account: MyDomain\SharepointApp

SPN commands for NLB with Kerberos for the described scenario:
setspn.exe /A HTTP/SPServerA.MyDomain.com MyDomain\SharepointApp
setspn.exe /A HTTP/SPServerB.MyDomain.com MyDomain\SharepointApp
setspn.exe /A HTTP/SPNLB.MyDomain.com MyDomain\SharepointApp

Please note that all computer and application accounts must be enabled as trusted for delegation!
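
To confirm the result of the commands above, the following check (an added example, not part of the original post) verifies that each SPN of the scenario is held by exactly one object and that this object is the web application account, then lists the delegation flag of the accounts involved. It assumes the RSAT ActiveDirectory module and a domain-joined session; the variable names are illustrative.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, a domain-joined session, and the host/account names of the scenario.
Import-Module ActiveDirectory

$expectedSpns = 'HTTP/SPServerA.MyDomain.com',
                'HTTP/SPServerB.MyDomain.com',
                'HTTP/SPNLB.MyDomain.com'
$appAccount   = 'SharepointApp'            # sAMAccountName of MyDomain\SharepointApp
$frontEnds    = 'SPServerA', 'SPServerB'   # computer accounts of the NLB nodes

# 1. Each SPN must be held by exactly one object, and that object must be the
#    web application account. A duplicate SPN makes Kerberos ticket requests
#    fail. The query covers the current domain only.
$report = foreach ($spn in $expectedSpns) {
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName)

    if     ($holders.Count -eq 0)                       { $status = 'MISSING' }
    elseif ($holders.Count -gt 1)                       { $status = 'DUPLICATE' }
    elseif ($holders[0].sAMAccountName -ne $appAccount) { $status = 'WRONG ACCOUNT' }
    else                                                { $status = 'OK' }

    [pscustomobject]@{
        SPN     = $spn
        Status  = $status
        Holders = ($holders.sAMAccountName -join ', ')
    }
}
$report | Format-Table -AutoSize

# 2. Show the "trusted for delegation" flag of the application account and of
#    each front-end computer account, so the setting can be reviewed.
$accounts  = @(Get-ADUser -Identity $appAccount -Properties TrustedForDelegation)
$accounts += $frontEnds | ForEach-Object {
    Get-ADComputer -Identity $_ -Properties TrustedForDelegation
}
$accounts | Select-Object SamAccountName, ObjectClass, TrustedForDelegation |
    Format-Table -AutoSize
```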

