Traditional restrictions on the way Kerberos works create a problem when setting up a load-balanced, Kerberos-enabled web site. Basically, if you use port numbers to separate sites with the same DNS name on load-balanced web servers AND those sites run in application pools under different account names, you’re stuffed: either the server cannot decrypt the service ticket, because the ticket was encrypted with a different AD account’s key, or you end up with two or more SPNs for the same name registered to different accounts, which generates a Duplicate SPN error.
When setting up a load-balanced SharePoint environment using Kerberos or Kerberos delegation, follow these guidelines to minimise hassle:
- For each MOSS site accessed by clients, create a shared DNS name that clients will use to access the site. The name must be uniquely mapped (using Setspn.exe) to one user account only.
- Create Alternate Access Mappings (AAMs) in MOSS for the shared DNS name of each site (Web application).
- Update the IIS site (using the IIS Admin Tool) with the new host header mappings that reflect the shared DNS name.
- To manage session transfer between servers, do one of the following:
  - Use ASP.NET SQL Server session state so all sessions are recorded in a central location, OR
  - Use affinity on the switch so that concurrent requests from a particular IP address within the same session go to the same target server.
- If you are using Kerberos Delegation, follow the steps in my Kerberos SPN mapping blog entry.
- It is also worth creating a unique DNS entry for each MOSS Web Application on each web server (and setting up SPNs for those DNS entries if required for Delegation). This lets you quickly navigate to each specific server and determine where a failure exists if some users get errors while others do not (this can be tough to do in an NLB configuration unless you have it set up before the outage).
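The following PowerShell is an added example, not code from the original post. It shows the two SPN registrations the list above calls for (one HTTP SPN for the shared DNS name, mapped to exactly one application pool account, plus per-server names for troubleshooting) and refuses to register an SPN that another account already holds, which is the Duplicate SPN situation described at the top of the post. All names (contoso.com, svc-moss-portal, wfe1/wfe2) are placeholders, and it assumes a version of setspn.exe that supports the -S and -X switches.

```powershell
# Added example, not code from the original post. Registers the HTTP SPN for a
# shared, load-balanced DNS name against exactly one application pool account
# and refuses to register it when a different account already holds it.
# contoso.com, svc-moss-portal, wfe1 and wfe2 are placeholder names.

function Get-SpnOwners {
    # Returns the distinguished names of every account that currently holds $Spn.
    # setspn -Q prints each holder as a "CN=..." line followed by its SPNs.
    param([Parameter(Mandatory)][string]$Spn)
    $lines = & setspn.exe -Q $Spn 2>&1 | ForEach-Object { "$_".Trim() }
    @($lines | Where-Object { $_ -match '^CN=' })
}

function Test-AccountHoldsSpn {
    # True when $Account's own SPN list (setspn -L) already contains $Spn.
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account
    )
    $lines = & setspn.exe -L $Account 2>&1 | ForEach-Object { "$_".Trim() }
    [bool]($lines | Where-Object { $_ -ieq $Spn })
}

function Register-UniqueSpn {
    # Registers $Spn on $Account only if no other account holds it.
    param(
        [Parameter(Mandatory)][string]$Spn,      # e.g. HTTP/portal.contoso.com
        [Parameter(Mandatory)][string]$Account   # e.g. CONTOSO\svc-moss-portal
    )
    $owners = Get-SpnOwners -Spn $Spn
    if ($owners.Count -eq 0) {
        # -S adds the SPN and itself aborts if a duplicate exists in the forest.
        & setspn.exe -S $Spn $Account
        if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $Spn ($Account)" }
        Write-Host "Registered $Spn -> $Account"
        return
    }
    if ($owners.Count -eq 1 -and (Test-AccountHoldsSpn -Spn $Spn -Account $Account)) {
        Write-Host "$Spn is already registered to $Account; nothing to do"
        return
    }
    throw ("Refusing to register ${Spn}: already held by $($owners -join '; '). " +
           "Remove the stale entry (setspn -D) or map the site to that account.")
}

# --- Usage (placeholder values) ---------------------------------------------
$sharedName     = 'portal.contoso.com'       # DNS name clients use (load-balanced VIP)
$appPoolAccount = 'CONTOSO\svc-moss-portal'  # the ONE account the shared name maps to

# Internet Explorer builds the SPN from the host name without the port, so sites
# that differ only by port cannot be told apart by SPN: one HTTP/<shared name>
# per account is all you get.
Register-UniqueSpn -Spn "HTTP/$sharedName" -Account $appPoolAccount

# Per-server names for troubleshooting: lets you hit wfe1/wfe2 directly when
# only some users see failures behind the load balancer.
foreach ($wfe in 'wfe1', 'wfe2') {
    Register-UniqueSpn -Spn "HTTP/$wfe-portal.contoso.com" -Account $appPoolAccount
}

# Final audit: report every duplicate SPN across the forest.
& setspn.exe -X -F
```

Run this once per shared DNS name from a machine with the AD tools installed, using an account allowed to write servicePrincipalName. The value of the check is that it fails loudly before a second account is given the same HTTP SPN, rather than letting the duplicate surface later as an unexplained authentication failure for some users.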
The diagram below describes how the information flows between servers during a Kerberos authentication request.
I will keep adding hints and tips to this post as I work through more of these Kerberos-based load-balanced rollouts.