http://forums.iis.net/1036.aspxQuestions about using IIS in a load-balanced environmentenCommunityServer 2007 SP1 (Build: 20510.895)http://forums.iis.net/thread/1909879.aspxFri, 10 Jul 2009 13:44:08 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1909879Kapn.K0http://forums.iis.net/thread/1909879.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1036&PostID=1909879<p>Thanks Paul.</p> <p>I thought I was on the right track but just wanted to make sure. Between development, test, and production, I&#39;ve got about 150 sites to migrate from being on single boxes to the high availablility environment. </p> <p>Steve</p>http://forums.iis.net/thread/1909845.aspxFri, 10 Jul 2009 08:23:04 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1909845Paul Lynch0http://forums.iis.net/thread/1909845.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1036&PostID=1909845<p>Hi,</p><p>You need to register one SPN for each URL that you intend to use. Your approach is correct and will not cause duplicate SPN&#39;s.</p><p>You can register multiple SPN&#39;s against one domain account but, conversely,&nbsp; you cannot register one SPN against more than one domain account as that will result in duplicate SPN&#39;s.</p><p>Once you have got your environment configured I would suggest using&nbsp; the DelegConfig tool to test your setup. I have configured a number of applications to use kerberos and I always use this tool to check that everyting is setup correctly :</p><p><a href="http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx">http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx</a></p><p>Regards, <br /></p>http://forums.iis.net/thread/1909815.aspxThu, 09 Jul 2009 21:16:37 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1909815Rovastar0http://forums.iis.net/thread/1909815.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1036&PostID=1909815<p>&nbsp;I haven&#39;t setup any Kerboes stuff but does this help?</p><p>http://blogs.msdn.com/saurabh_singh/archive/2007/01/29/kerberos-troubleshooting-from-iis-perspective.aspx </p><p>http://blogs.iis.net/webtopics/archive/2009/05/22/3-simple-steps-for-configuring-an-spn-for-your-website.aspx </p><p>http://support.microsoft.com/kb/929650 </p><p>Or maybe this app. <br /></p><p>http://www.iis.net/downloads/default.aspx?tabid=34&amp;g=6&amp;i=1887 <br /></p>http://forums.iis.net/thread/1909814.aspxThu, 09 Jul 2009 21:04:15 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1909814Kapn.K0http://forums.iis.net/thread/1909814.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1036&PostID=1909814<p>I have nlb groups and multiple sites(each site has own application pool).</p> <p>I would like to have one account that all the app pools run under.</p> <p>I couldn&#39;t get kerberos working(necessary for remote file-share webroot) using the machine accounts but I was able to with a user account.</p> <p>Do I need to do this for each site(not machine)?</p> <p>setspn -A HTTP/website1.domain.com domain\service account</p> <p>setspn -A HTTP/website2.domain.com domain\service account</p> <p>Or does that cause the duplicate SPN? If so, do I need a separate service account for each site/app pool?</p> <p>Thanks,</p> <p>Steve</p> <p>&nbsp;</p>