Here's my scenario:
We have two load balanced (behind F5 Big IP) Server 2008 servers hosting internal applications on IIS7. There are 50+ sites on each server.
Each site has its own binding on port 80. We set CNAMEs to the load balanced name. So, SITE1 will CNAME to SITE1.redirect.com.
Each site is a member of its own app pool, running under a unique AD account. We have SPNs set on the accounts like this:
setspn -a http/site1 domain\ap-site1
setspn -a http/site1.redirect.com domain\ap-site1
Windows auth is enabled on 95% of the sites and services.
Here's the problem - When somebody deploys a site or application to the farm that consumes a web service on the same farm, under a different site, we receive a 401 about 25% of the time for those sites using Windows authentication. The 401 shows up any time the two load balanced calls hit the same server - i.e., site1 on server1 calls site2/webservice on server1. If the call is server1 -> server2, or vice versa, it works.
If I take one node out of service, the call will fail 100% of the time, as site1 is always hitting site2.
I tried to remove Negotiate on the application in IIS to force it back to NTLM, which I know worked in IIS6, but in 7 it doesn't seem to work.
Does anybody have any suggestions? I can turn on anonymous to "fix" it, but I'd prefer not to.
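One thing worth checking in a setup like this is that every site's two SPNs (the short name and the load-balanced name) are registered exactly once and on the right app pool account, since a missing or duplicated SPN breaks Kerberos for that site. The script below is an added example, not from the original post; it assumes the ActiveDirectory module is available and that app pool accounts follow the "ap-<site>" naming shown in the question.

```powershell
# Added example (not from the original post): audit the per-site SPN layout
# described above. Assumes the ActiveDirectory PowerShell module and that each
# site's app pool account follows the "ap-<site>" pattern used in the question.
Import-Module ActiveDirectory

$sites    = @('site1', 'site2')   # constructed sample list; replace with the farm's sites
$lbDomain = 'redirect.com'        # load-balanced CNAME suffix from the post

foreach ($site in $sites) {
    $account  = "ap-$site"
    $expected = @("http/$site", "http/$site.$lbDomain")

    $user = Get-ADUser -Identity $account -Properties servicePrincipalName -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "$account : account not found"; continue }

    foreach ($spn in $expected) {
        # Every object in the domain that claims this SPN; Kerberos needs exactly one owner.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
        if ($owners.Count -eq 0) {
            Write-Warning "$spn : not registered on any account"
        } elseif ($owners.Count -gt 1) {
            Write-Warning "$spn : DUPLICATE on $($owners.Name -join ', ')"
        } elseif ($owners[0].DistinguishedName -ne $user.DistinguishedName) {
            Write-Warning "$spn : registered on $($owners[0].Name), expected $account"
        } else {
            Write-Output "$spn : OK ($account)"
        }
    }
}
```

Run it from a domain-joined box with read access to AD; a DUPLICATE line for any SPN is the first thing to fix before chasing the 401s further.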