Kerberos & Load-balanced web sites

Traditional restrictions around the way Kerberos works throw up a problem with setting up a load-balanced Kerberos-enabled web site. Basically, if you use port numbers to separate sites with the same DNS name on load-balanced web servers AND the sites run in application pools using different account names, you’re stuffed – the server will either not be able to decrypt the SPN using a different AD account key, or you will have 2 or more SPN’s created for the same site but 2 different accounts, generating a Duplicate SPN error.

When setting up a load-balanced SharePoint environment using Kerberos or Kerberos delegation, follow these guidelines to minimise hassle:

  • For each MOSS site accessed by clients, create a shared DNS name that clients will use to access the site. The name must be uniquely mapped (using Setspn.exe) to one user only
  • Create Alternate Access Mappings (AAM’s) in MOSS for the shared DNS name for each site (Web app)
  • Update the IIS Site (using the IIS Admin Tool) with the new HOST mappings that reflect the shared DNS name
  • To manage session transfer:
    • Use ASP.NET SQL Session management so all sessions are recorded in a central location OR
    • Use affinity on the switch so that concurrent requests from a particular IP address within the same session go to the same target server
  • If you are using Kerberos Delegation, follow the steps in my Kerberos SPN mapping blog entry
  • It is also worth creating unique DNS entries on each MOSS Web Application on each web server (and setting up SPN’s for those DNS entries if required for Delegation). This will allow you to quickly navigate to each specific server and determine where a failure exists if you have some users getting errors while others do not (this can be tough to do in a NLB configuration, unless you have this set up before the outage).

The diagram below describes how the information flows between servers during a Kerberos authentication request.

 image

I will keep adding to this post with hints & tips as I progress through more of these kerberos-based load-balanced rollouts.

Stay tuned!

Advertisements

About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.
This entry was posted in Kerberos. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s