Kerberos authentication and NLB clusters

November 24, 2008

When you use Kerberos as the authentication mechanism with SharePoint and want to configure NLB for load-balanced front-end servers, you have to configure an extra SPN for the NLB cluster name. This is because Kerberos uses the hostname as part of the Kerberos ticket request, even if the URL used is something different. This is described in detail in Microsoft KB929650.

With the following scenario, set the SPN names accordingly:
NLB server A: SPServerA.MyDomain.com
NLB server B: SPServerB.MyDomain.com
NLB Cluster Name: SPNLB.MyDomain.com
Web Application Account: MyDomain\SharepointApp

SPN commands for NLB with Kerberos for the described scenario:
setspn.exe /A HTTP/SPServerA.MyDomain.com MyDomain\SharepointApp
setspn.exe /A HTTP/SPServerB.MyDomain.com MyDomain\SharepointApp
setspn.exe /A HTTP/SPNLB.MyDomain.com MyDomain\SharepointApp
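
To check the result of these commands, the following added example (not part of the original post) reports, for each SPN in the scenario, whether it is missing, held by the wrong account, or registered on more than one account; an SPN must map to exactly one account for the KDC to issue a ticket for it. The function names `Get-SpnOwner` and `Test-SpnOwnership` are hypothetical, the sample data is constructed, and the live lookup assumes a domain-joined machine.

```powershell
# Added example (not from the original post): confirm each SPN from the scenario
# is held by exactly one account, and that it is the web application account.
$ExpectedAccount = 'SharepointApp'   # sAMAccountName of MyDomain\SharepointApp
$RequiredSpns = @(
    'HTTP/SPServerA.MyDomain.com',
    'HTTP/SPServerB.MyDomain.com',
    'HTTP/SPNLB.MyDomain.com'
)

# Live lookup: sAMAccountName of every directory object that holds the SPN.
function Get-SpnOwner {
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

# Classify each SPN. -Lookup can be replaced so the logic runs without a domain.
function Test-SpnOwnership {
    param(
        [string[]]$Spns,
        [string]$Account,
        [scriptblock]$Lookup = { param($s) Get-SpnOwner -Spn $s }
    )
    foreach ($spn in $Spns) {
        # Drop $null so an unregistered SPN yields an empty owner list.
        $owners = @(& $Lookup $spn | Where-Object { $_ })
        $status = 'OK'
        if ($owners.Count -eq 0) { $status = 'MISSING' }
        elseif ($owners.Count -gt 1) { $status = 'DUPLICATE' }
        elseif ($owners[0] -ne $Account) { $status = 'WRONG ACCOUNT' }
        [pscustomobject]@{ SPN = $spn; Owners = $owners -join ', '; Status = $status }
    }
}

# Constructed sample data (not from a real directory): the server B SPN was
# never added, and the cluster SPN is also present on a computer account.
$sample = @{
    'HTTP/SPServerA.MyDomain.com' = @('SharepointApp')
    'HTTP/SPNLB.MyDomain.com'     = @('SharepointApp', 'SPSERVERA$')
}
Test-SpnOwnership -Spns $RequiredSpns -Account $ExpectedAccount -Lookup { param($s) $sample[$s] }

# Against the live domain (domain-joined machine assumed):
# Test-SpnOwnership -Spns $RequiredSpns -Account $ExpectedAccount
```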

Please note that all computer and application accounts must be enabled as trusted for delegation!

N’Joy!
