- Posted to Security by Kapn.K on 09-02-2009, 12:58 PM
After completing delegation from load-balanced IIS (6) to clustered file servers for the sites' roots, another problem arose. One application accesses a report server cluster through code. It uses the SSL URL: http://sqlcluster.fqdn/reportserver
Does the SPN need to be http/sqlcluster.fqdn or something else? The app pool identity on the ...
- Posted to Web Farms by Kapn.K on 08-26-2009, 2:42 PM
It was indeed to the network name of the file server on the cluster. I now have a corporate intranet application using IWA on a load-balanced IIS set accessing remote files on a failover cluster! I couldn't have done it without this forum. This has taken me 4 months to complete (I also support daily operations of hundreds of apps). I am now ...
- Posted to Web Farms by Kapn.K on 08-26-2009, 9:14 AM
Yep, I know about that. After creating the SPN against the account, from the delegation tab of the account properties (the delegation tab is now available after creating the SPN), I check "allow delegation" and list the services that I'm delegating to (CIFS/netbios, CIFS/fqdn, HOST/netbios, HOST/fqdn). My question is what values for the file server ...
- Posted to Web Farms by Kapn.K on 08-25-2009, 2:12 PM
App pools in IIS run under a domain account because they are part of a load-balanced web farm. Sites need pass-through authentication to pass user credentials to the back-end failover cluster attached to a SAN. This will allow the use of NTFS permissions for the sites (it's a corporate intranet). HOST and CIFS are built-in service principal ...
- Posted to Web Farms by Kapn.K on 08-25-2009, 12:30 PM
I have 2 network names: 1 for the cluster and one for the file server resource. When I configure the account that runs app pools on my NLB to delegate to the HOST and CIFS services (cluster attached to SAN), I use the file server name (because that's what I specify in the IIS file location), right? The person that built the cluster did so without ...
- Posted to Security by Kapn.K on 08-17-2009, 4:13 PM
Love "The Office" but I don't get to watch it enough. The constraint as I understand it is that only one SPN may be registered. The SPN part of my example would be http\webapp1... and I am registering it to a domain account. Maybe webapp1 isn't a good example. Let's say my domain is kapnk.com. I have financeapp.kapnk.com and ...
- Posted to Security by Kapn.K on 08-17-2009, 2:57 PM
If I have multiple app pools on a server, and SPNs created for each website (i.e. setspn -a http\webapp1.example.com domain\account, and setspn -a http\webapp2.....), will Kerberos still work? I thought I read a while back that I can only have one account that all the app pools would run as, or force NTLM. Is this correct? I need Kerberos ...
- Posted to Web Farms by Kapn.K on 07-10-2009, 9:44 AM
Thanks Paul.
I thought I was on the right track but just wanted to make sure. Between development, test, and production, I've got about 150 sites to migrate from being on single boxes to the high-availability environment.
Steve
- Posted to Web Farms by Kapn.K on 07-09-2009, 5:04 PM
I have NLB groups and multiple sites (each site has its own application pool).
I would like to have one account that all the app pools run under.
I couldn't get Kerberos working (necessary for a remote file-share webroot) using the machine accounts, but I was able to with a user account.
Do I need to do this for each site (not machine)?
setspn -A ...
- Posted to Security by Kapn.K on 06-17-2009, 4:53 PM
I'd like to thank Tom and Lex for the progress I've made so far. I had Kerberos only on delegation of authority for the IIS machine account (2003 functional level). Changed it to any and added CIFS and HOST for the services it can delegate to on the file servers. Did I miss one? It used NTLM (fine for now; I'll work Kerberos out later). ...