Kerberos authentication on a Network Load Balancer
Hi everyone,

Firstly, thank you for reading this! I am having a tough time trying to crack this problem.

The farm I am working on consists of four MOSS 2007 (SP2) servers sitting on Windows 2008 servers. Two are front end Web servers in an NLB. My central administration site is hosted on a dedicated server that is not part of the NLB. I have just configured Kerberos for the CA site and SSP, and this works beautifully.

My problem is getting Kerberos working for portal sites hosted on the NLB; it just falls back to NTLM every time.

I have a question about SPNs: do I have to, and if so, how do I create an SPN for the virtual name of the NLB? It hosts a lot of portal sites, which each have their own Web application and service account... I can't understand this part!

Any help would be gratefully received.
February 25th, 2010 6:50pm
You should not have the need to create SPNs for the virtual name of the NLB. I assume you should have SPNs set up for each of the web applications, and since the web applications are all replicated across the WFEs you should be good.

Please refer to http://technet.microsoft.com/en-us/library/ee806870(office.14).aspx and http://technet.microsoft.com/en-us/library/cc263449.aspx to configure SPNs. Make sure you have defined port numbers in your SPNs.

You may also see the following link: http://blogs.msdn.com/johnlee/archive/2008/11/09/deploy-moss-medium-farm-using-kerberos-authentication-on-windows-2008-server-nlb.aspx

Let me know if any of this helps.
February 25th, 2010 10:44pm
Hi, I agree with VikSrini. As far as I know, Kerberos authentication is set up per web application. Here is how I usually use Kerberos for a web application:

1. Go to Central Admin > Web application management > Authentication providers > Pick the web application in the selector > Click on the desired zone > Select Negotiate (Kerberos) in the authentication settings.

2. Open a command line console. At the prompt, type:

SETSPN -A HTTP/URL_USED_TO_ACCESS_THE_WEBAPP DOMAIN\THE_WEB_APP_APP_POOL_ACCOUNT

It is recommended to SetSpn all DNS and NetBIOS names used for the web application.

Hope this helps.

Regards,
Djamel Chagour
http://spbyexamples.blogspot.com/
http://mosslogviewer.codeplex.com/
February 26th, 2010 4:53am
Hi Viksrini,

Thank you for offering advice. I have created SPNs for all portal sites, as well as the central administration & SSP. The central administration site and the SSP site are hosted on one of the application servers that is not part of the NLB. These (the CA and SSP) sites authenticate with Kerberos. I have used both NetMon and Kerbtray.exe to prove that it works. Kerbtray shows the ticket has been sent to the client, and NetMon shows successful authentication using Kerberos.

The problem is when I access a portal site that is hosted on the NLB. Even though the SPN has been created (and I am sure that it was created the same way as the CA & SSP SPNs), and Kerberos/Negotiate selected as the authentication provider for the Web application, it still falls back to NTLM.

NetMon is reporting "KRB_ERRO -KDC_ERR_S_PRINCIPAL_UNKNOWN (7)", which kind of implies that the SPN is not correct, but I am sure that I have done it the same way as I have for the CA site!

AAArgh!! :)
February 26th, 2010 10:52am
Steve,

Have the SPNs been set up with port numbers appended at the end of the URLs? Also, since you have Windows Server 2008, there were some known issues with Kerberos in Windows Server 2008 which were fixed by MS in SP1. It seems Kerberos has a problem with the double hop which was fixed in SP1. It may be worthwhile checking that as well. We had to roll back from Server 2008 to 2003 due to Kerberos issues. Also, check this link: http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx

Also, you can use DelegConfig to make sure you have all the SPNs set up right and Kerberos working: http://blogs.iis.net/bretb/archive/2008/03/27/How-to-Use-DelegConfig.aspx

I have used this before and it is an awesome tool to use.
February 26th, 2010 6:12pm
Hey VikSrini,

Thanks again for your advice. I haven't set the port number for the SPN as I am using the default port 80.

I've just opened up the first article that you mentioned; it looks quite promising, so hopefully with the tool as well I should be able to get it resolved.

I will post my resolution once I have found it!

Cheers
Steve
March 1st, 2010 3:54pm
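To tie together Djamel's setspn step and the KDC_ERR_S_PRINCIPAL_UNKNOWN symptom Steve sees, here is an added diagnostic script (not from any poster in this thread) that audits the HTTP SPNs a web application needs: it checks both the DNS and NetBIOS names, with and without the port, against the app-pool account, and reports whether each SPN is missing (the KDC cannot find the principal) or registered on a different account (a duplicate, which equally breaks Kerberos). The host names, port and account are hypothetical placeholders; it assumes a domain-joined machine with setspn.exe and the Windows Server 2008 switches -L, -Q and -X.

```powershell
# Added example: audit the HTTP SPNs for one MOSS web application.
# Hypothetical values: portal.contoso.com / PORTAL, port 80, CONTOSO\svc_portalpool.
param(
    [string[]]$HostNames = @('portal.contoso.com', 'PORTAL'),  # DNS and NetBIOS names users type
    [int]$Port = 80,
    [string]$AppPoolAccount = 'CONTOSO\svc_portalpool'
)

# Expected SPNs: HTTP/name and, as suggested in the thread, HTTP/name:port too.
$expected = foreach ($h in $HostNames) { "HTTP/$h"; "HTTP/${h}:$Port" }

# setspn -L lists the SPNs currently registered on the account (indented lines).
$registered = (& setspn.exe -L $AppPoolAccount 2>&1) |
    Where-Object { $_ -match '^\s+HTTP/' } |
    ForEach-Object { $_.Trim() }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Host "OK        $spn is registered on $AppPoolAccount"
        continue
    }
    # setspn -Q searches the whole forest; a hit here means the SPN exists on
    # some *other* account, i.e. a duplicate rather than a missing SPN.
    $query = & setspn.exe -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "DUPLICATE $spn is registered on another account:`n$($query -join "`n")"
    } else {
        # Not found anywhere: this is the case behind KDC_ERR_S_PRINCIPAL_UNKNOWN.
        Write-Warning "MISSING   $spn  -> fix with: setspn -S $spn $AppPoolAccount"
    }
}

# Finally, list every duplicate SPN in the domain, not just for this account.
& setspn.exe -X
```

Run it once per web application; setspn -S (rather than -A) refuses to add an SPN that already exists on another account, which is the safer way to apply the suggested fix.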