Re: Kerberos Constrained Delegation Issues with NLB



On 27 Aug, 04:24, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
You can't have two different service accounts with the same SPN. That will
cause chaos. There would probably be Kerberos errors in the system event
logs on the machines receiving the auth with an error like "incorrect
principal" or "err_ap_modified" or something.

I think you should be able to get this to work if you use the same service
account on both machines and configure the single SPN on that account.

I haven't done this with Windows NLB, but this does work ok with a
stand-alone load balancer like an F5 big IP.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
--
"BZP" <p.audon...@xxxxxxxxx> wrote in message

news:1188075069.028985.124320@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



Hello,

I've got a problem with Kerberos constrained delegation and NLB.
Hum, let me describe my infrastructure:

An ISA Server 2006 called ISA.MY.DEV.
Two IIS 6 web servers called WEB1.MY.DEV and WEB2.MY.DEV. NLB is
configured on these servers, FQDN: WEB.MY.DEV.
I created a domain service account for the application pool. I added the SPN
http/web.my.dev on each IIS AD account.
I created a web publishing rule on my ISA and activated constrained
delegation. I specified the SPN http/web.my.dev.
I specified this SPN in my ISA account's delegation tab.
It doesn't work.

If I modify my rule on ISA to redirect to web1 instead of web and
specify the SPN http/web1.my.dev, it works, but when I specify the NLB IP
and the NLB SPN, the ISA application log tells me: impossible to find http/
web.my.dev in AD.

Does Kerberos constrained delegation work with an NLB target?

Thanks.

All right! Thanks Joe.

--
P.A.
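Joe's point that a single SPN must live on exactly one account, and BZP's mention of the SPN in the ISA account's delegation tab, are both things you can verify directly in AD before touching ISA. The script below is an added example for this thread; it is not code from Joe, BZP, or Microsoft. It assumes a domain-joined host with read access to AD, uses the thread's SPN http/web.my.dev, and uses 'ISA$' as a placeholder for whatever account ISA performs delegation under.

```powershell
# Added example, not code from this thread. Checks the two things Joe's reply hinges on:
#  1. the SPN is registered on exactly one account (a duplicate breaks Kerberos);
#  2. the delegating account (ISA's) lists that SPN in msDS-AllowedToDelegateTo.
# Assumptions: run on a domain-joined host with read access to AD; 'http/web.my.dev'
# is the SPN from the thread; 'ISA$' is a placeholder for the ISA computer account.

function Find-SpnOwners {
    # Returns one object per AD account that carries $Spn (LDAP search on servicePrincipalName).
    param([Parameter(Mandatory)][string] $Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = "(servicePrincipalName=$Spn)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Get-DelegationTargets {
    # Returns the SPNs an account is allowed to delegate to (its constrained delegation list).
    param([Parameter(Mandatory)][string] $SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add('msDS-AllowedToDelegateTo')
    $r = $searcher.FindOne()
    if ($null -eq $r) { throw "Account '$SamAccountName' not found." }
    @($r.Properties['msds-allowedtodelegateto'] | ForEach-Object { [string]$_ })
}

$spn        = 'http/web.my.dev'   # the NLB name from the thread
$isaAccount = 'ISA$'              # placeholder: the account ISA delegates from
$owners     = @(Find-SpnOwners -Spn $spn)

switch ($owners.Count) {
    0       { Write-Warning "$spn is not registered on any account; the KDC cannot issue a ticket for it." }
    1       { "OK: $spn is registered once, on $($owners[0].SamAccountName)" }
    default {
        Write-Warning "$spn is registered on $($owners.Count) accounts; Kerberos auth will fail:"
        $owners | Format-Table -AutoSize
    }
}

$targets = Get-DelegationTargets -SamAccountName $isaAccount
if ($targets -contains $spn) {
    "OK: $isaAccount may delegate to $spn"
} else {
    Write-Warning "$isaAccount is not allowed to delegate to $spn (msDS-AllowedToDelegateTo: $($targets -join ', '))"
}
```

For BZP's setup the expected outcome of the first check is one owner: the single app pool service account used on both WEB1 and WEB2. On Windows Server 2008 and later, `setspn -Q http/web.my.dev` and `setspn -X` give the same "who owns it" and "are there duplicates" answers without a script.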
