
Thread: Help with backend failover cluster SPN delegation.

Last post 08-27-2009 3:48 AM by Paul Lynch. 6 replies.


  • 08-25-2009, 12:30 PM

    • Kapn.K
    • Not Ranked
    • Joined on 03-18-2009, 8:54 PM
    • Posts 12

    Help with backend failover cluster SPN delegation.

    I have 2 network names: 1 for the cluster and one for the file server resource. When I configure the account that runs app pools on my nlb to delegate to the host and cif's service (cluster attached to san), I use the file server name (b/c that's what I specify in IIS file location), right? The person that built the cluster did so w/o creating the computer objects for the cluster name and file server name (we don't have permissions to create the accounts but I can work with the people that do). Can I just create the file server name and spn's for that name and give permission to the cluster service account? Or do I need to create the cluster name object as well?

    Thanks,

    Steve

  • 08-25-2009, 1:53 PM In reply to

    Re: Help with backend failover cluster SPN delegation.

    I am failing to see what this has to do with IIS; it seems an nlb issue.

    What do you mean you are using the app pool account to delegate the hosts and cif (? what is that?) service?

  • 08-25-2009, 2:12 PM In reply to

    • Kapn.K

    Re: Help with backend failover cluster SPN delegation.

    App Pools in IIS run under a domain account because they are part of a load balanced web farm. Sites need pass-through authentication to pass user credentials to the back-end failover cluster attached to a SAN. This will allow the use of NTFS permissions for the sites (it's a corporate intranet). HOST and CIFS are built-in service principal names for computer accounts. Host is, well, HOST and CIFS is Common Internet File System.

  • 08-26-2009, 6:08 AM In reply to

    Re: Help with backend failover cluster SPN delegation.

    Hi,

    If you are using a domain account as the identity for your application pool then you need to explicitly register the relevant SPN against that account in AD, otherwise Kerberos authentication will fail.

    Refer to this KB article for details of how to do this:

    How to use SPNs when you configure Web applications that are hosted on IIS 6.0

    Regards,

    Paul Lynch | www.iisadmin.co.uk
  • 08-26-2009, 9:14 AM In reply to

    • Kapn.K

    Re: Help with backend failover cluster SPN delegation.

    Yep. I know about that. After creating the spn against the account, from the delegation tab for the account properties (delegation tab is now available after creating spn), I check allow delegation and list the services that I'm delegating to (CIFS/netbios, CIFS/fqdn, HOST/netbios, HOST/fqdn). My question is what values for the file server cluster (what do I use for netbios and fqdn value). The cluster (through Microsoft Clustering Services) has two network names: one for the cluster name and one for the file server name. From the cluster manager, one of these names needs "enable kerberos" from the parameters tab. I think I've decided that it needs to be the file server network name. This is what I use to connect to from the iis servers. I'm going through the process and I'll post my results.

    Thanks,

    Steve

  • 08-26-2009, 2:42 PM In reply to

    • Kapn.K

    Re: Help with backend failover cluster SPN delegation.

    It was indeed to the network name of the file server on the cluster. I now have a corporate intranet application using IWA on a load balanced IIS set accessing remote files on a failover cluster! I couldn't have done it without this forum. This has taken me 4 months to complete (I also support daily operations of hundreds of apps). I am now going to get some more ips and spns to get two apps working. These efforts will probably break the first one but will teach me more about Kerberos. I will start another thread detailing that experience.

    Steve
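
The check below is an added example, not part of any post in this thread: it derives the four delegation targets listed above (CIFS and HOST, each by NetBIOS name and FQDN) from the UNC path configured in IIS and compares them with the app pool account's delegation list. The names FS01, CLUS01 and corp.example and the sample list are constructed; the list is assumed to have been exported from the account's msDS-AllowedToDelegateTo attribute.

```python
import re

SERVICE_CLASSES = ("CIFS", "HOST")  # the service classes named in the thread

def expected_spns(unc_path, dns_suffix):
    """Delegation targets needed for the server named in a UNC path."""
    m = re.match(r"^\\\\([^\\]+)\\", unc_path)
    if not m:
        raise ValueError("not a UNC path: %r" % unc_path)
    host = m.group(1)
    short = host.split(".")[0]
    # Use the host as written if it is already an FQDN, else append the suffix.
    fqdn = host if "." in host else "%s.%s" % (short, dns_suffix)
    return ["%s/%s" % (c, n) for c in SERVICE_CLASSES for n in (short, fqdn)]

def spn_short_host(spn):
    """Lower-cased short host name of an SPN such as CIFS/fs01.corp.example:445."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(":")[0].split(".")[0].lower()

def audit(unc_path, dns_suffix, allowed_to_delegate_to, other_names=()):
    """Report missing targets and entries that point at another network name."""
    allowed = {s.lower() for s in allowed_to_delegate_to}  # SPNs are case-insensitive
    missing = [s for s in expected_spns(unc_path, dns_suffix)
               if s.lower() not in allowed]
    others = {n.lower() for n in other_names}
    wrong_name = [s for s in allowed_to_delegate_to
                  if spn_short_host(s) in others]
    return {"missing": missing, "wrong_name": wrong_name}

# Constructed sample: IIS content lives on the file server network name (FS01),
# but CIFS was delegated to the cluster network name (CLUS01) instead.
SAMPLE_UNC = r"\\FS01\sites\intranet"
SAMPLE_ALLOWED = [
    "CIFS/CLUS01", "CIFS/clus01.corp.example",
    "HOST/FS01", "host/fs01.corp.example",
]

if __name__ == "__main__":
    result = audit(SAMPLE_UNC, "corp.example", SAMPLE_ALLOWED, ["CLUS01"])
    print("missing:", result["missing"])
    print("wrong name:", result["wrong_name"])
```

An empty `missing` list with an empty `wrong_name` list means the delegation list matches the name IIS actually connects to, which is the outcome reported in the post above.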

  • 08-27-2009, 3:48 AM In reply to

    Re: Help with backend failover cluster SPN delegation.

    Hi,

    That's great. Glad you got it all working.

    Regards,

    Paul Lynch | www.iisadmin.co.uk