Kerberos authentication and NLB clusters
When you use Kerberos as the authentication mechanism with SharePoint and want to configure NLB for load-balanced front-end servers, you have to configure an extra SPN for the NLB cluster name. This is because Kerberos uses the hostname as part of the Kerberos ticket request, even if the URL used is something different. This is described in detail in Microsoft KB929650.
With the following scenario, set the SPN names accordingly:
NLB server A: SPServerA.MyDomain.com
NLB server B: SPServerB.MyDomain.com
NLB Cluster Name: SPNLB.MyDomain.com
Web Application Account: MyDomain\SharepointApp
SPN commands for NLB with Kerberos for the described scenario (an SPN has the form service/host, so it is written HTTP/host rather than as a URL):
setspn.exe /A HTTP/SPServerA.MyDomain.com MyDomain\SharepointApp
setspn.exe /A HTTP/SPServerB.MyDomain.com MyDomain\SharepointApp
setspn.exe /A HTTP/SPNLB.MyDomain.com MyDomain\SharepointApp
Please note that all computer and application accounts must be enabled as trusted for delegation!
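An added example (not from the original post) that audits the three SPNs of the scenario above: each one must exist exactly once and sit on the web application account, because Kerberos ticket requests fail for an SPN that is missing or registered on more than one account. The function name Test-NlbSpn, the sample data and the OldSvc account are constructed for illustration; the commented lines assume the ActiveDirectory RSAT module for reading live data.

```powershell
# Added example, not from the original post. Host and account names follow the
# post's scenario; Test-NlbSpn, the sample data and OldSvc are constructed.
function Test-NlbSpn {
    param(
        [string[]]$HostNames,        # both NLB nodes plus the cluster name
        [string]$Account,            # sAMAccountName of the web application account
        [hashtable]$SpnsByAccount    # sAMAccountName -> SPNs registered on it
    )
    foreach ($h in $HostNames) {
        $spn = "HTTP/$h"
        # -contains compares case-insensitively, as SPN lookups do
        $owners = @($SpnsByAccount.Keys |
            Where-Object { $SpnsByAccount[$_] -contains $spn } | Sort-Object)
        if ($owners.Count -eq 0) {
            $status = 'Missing'          # no account holds the SPN
        } elseif ($owners.Count -gt 1) {
            $status = 'Duplicate'        # same SPN on several accounts
        } elseif ($owners[0] -ne $Account) {
            $status = 'WrongAccount'     # held by an account other than the app pool's
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{ Spn = $spn; Status = $status; Owners = $owners -join ', ' }
    }
}

# Constructed sample: the SPServerB SPN was never added, and a leftover
# account (OldSvc, hypothetical) still holds the cluster SPN.
$sample = @{
    'SharepointApp' = @('HTTP/SPServerA.MyDomain.com', 'HTTP/SPNLB.MyDomain.com')
    'OldSvc'        = @('HTTP/SPNLB.MyDomain.com')
}

# Live data instead of the sample (assumes the ActiveDirectory module):
# $live = @{}
# Get-ADObject -LDAPFilter '(servicePrincipalName=HTTP/*)' `
#     -Properties servicePrincipalName, sAMAccountName |
#     ForEach-Object { $live[$_.sAMAccountName] = @($_.servicePrincipalName) }

$hosts = 'SPServerA.MyDomain.com', 'SPServerB.MyDomain.com', 'SPNLB.MyDomain.com'
Test-NlbSpn -HostNames $hosts -Account 'SharepointApp' -SpnsByAccount $sample |
    Format-Table -AutoSize
```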
N’Joy!