From Mind To Words

VIVEK KUMBHAR's WEBLOG

Step by Step: Kerberos in NLB with Shared Content

Step by Step: Kerberos in NLB with Shared Content

  • Comments 4

SCENARIO:

IIS SERVER : WIN2K3OWA (192.168.0.2) and VIVEKKUMIIS (192.168.0.3)
NLB CLUSTER : TESTWEBLB (192.168.0.30)
FILE SERVER : WIN2KIIS-VPC (192.168.0.4)
DOMAIN : ANJANEYA.local (192.168.0.1)

All the servers are member of the ANJANEYA.local domain

CONFIGURATION:

Step 1:

Configuring NLB Cluster

Network Load Balancing can be installed from the Local Area Connection Properties.

Click TCP/IP properties and add the Virtual Cluster IP Address in the IP addresses.

Open Network Load Balancing Manager from Start -> All Programs -> Administrative Tools
Right click on Network Load Balancing Clusters and click New Cluster

Add the Cluster IP Address, Full Internet name and click Multicast.

Click Next.
You can add additional cluster IP addresses if required

Click Next.

Click Next.
Enter the Host and click Connect.

Click Next.
Verify that the settings are correct.
You can decide the Priority of the host on this screen.

Click Finish.
Now add other host in the cluster by right clicking on the cluster name and clicking Add Cluster Host.
You will get the following error

Double clicking on the error shows the following error:

Add the Cluster IP Address in the TCPIP properties on the second node and the issue will resolve.
The successful configuration of NLB Cluster nodes looks like this.

Step 2:

Share folder with adequate permission on the File Server

  1. Right click on the folder which contains the web content.
  2. Click Sharing and Security… (Windows 2003) and Sharing… (Windows 2000).
  3. Click Share this folder and type Share name in the text box (wwwroot).
  4. Click Permissions.
  5. Remove Everyone and click Add….
  6. Under Users, Computers and Groups, under Look in: select the Entire Directory or the domain name (Anjaneya.local).
  7. Under the text box, type Domain Users and click OK.
  8. Give Read permission for the Domain Users.
  9. Click Security Tab uncheck Allow inheritable permissions from parent to propagate to this object.
  10. Click Copy in the Security dialog box.
  11. Remove Everyone from the list and click Add….
  12. Under Users, Computers and Groups, under Look in: select the Entire Directory or the domain name (Anjaneya.local).
  13. Under the text box, type Domain Users and click OK.
  14. Give Read & Execute, List Folder Contents and Read permission for the Domain Users.

Step 3:

Creating User in Active Directory Users and Computers

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.
  2. Click the domain name that you created (Anjaneya.local), and then expand the contents.
  3. Right-click Users, point to New, and then click User.
  4. Type the first name (serviceaccount), last name, and user logon name of the new user (serviceaccount), and then click Next.
  5. Type a new password, confirm the password, and then click Password never expires.
  6. Click Next.
  7. Review the information that you provided, and if everything is correct, click Finish.

Step 4:

Configuring IIS on the Servers

Creating Application Pool in IIS

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services snap-in, click the name of the server (VIVEKKUMIIS) on which you want the Application Pool to be created.
  3. Right click on the Application Pools folder and click New and then click Application Pool….
  4. In Application pool ID: type the Application Pool name (Kerb).
  5. Under Application pool settings, click Use existing application pool as template.
  6. Select DefaultAppPool from the drop down Application pool name and click OK.
  7. Right click on the application pool we created (Kerb) and click Properties.
  8. Click Identity and click Configurable.
  9. Click Browse and click Locations…, select Entire Directory or the domain name (Anjanaye.local), click OK.
  10. Type the domain account we created (serviceaccount), click Check Names to verify the account.
  11. Click OK.
  12. Enter the password and confirm password, click OK.

Creating Website in IIS

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services snap-in, click the name of the server (VIVEKKUMIIS) on which you want the Web site to be created.
  3. Right click on the Web Sites folder and click New and then click Web Site….
  4. When the Web Site Creation Wizard starts, click Next.
  5. On the Web Site Description page, type your Web site description in the Description box (Kerb Test), and then click Next.
  6. On the IP Address and Port Settings page, click the Cluster IP address that you are using (192.168.0.30), type the TCP port you are using (if it is different than the default port), type the host header (testweblb), and then click Next.
  7. On the Web Site Home Directory page, type the path to your server's home directory in the Path box (\\WIN2K3-VPC\wwwroot), uncheck Allow anonymous access to this Web site and then click Next.
  8. On the Web Site Security Credentials, accept the defaults and then click Next.
  9. On the Web Site Access Permissions page, click Read and Run scripts (such as ASP) and then click Next.
  10. Click Finish, and then verify the creation of your Web site in the console tree in the left pane.
  11. Right click on the website (Kerb Test), click Properties.
  12. Click on Home Directory and under Execute Permission select Scripts only.
  13. Under Application Pool click on the drop down and select the application pool we created (Kerb).

Follow the above steps on the other IIS server as well.

Step 5:

Adding the domain user in IIS_WPG group on IIS Server

  1. Open Computer Management
  2. In the console tree, in Local Users and Groups, click Groups.
  3. Click the group (IIS_WPG) and click Properties.
  4. Click Add.
  5. Click Locations... and select the Entire Directory or the domain name (Anjaneya.local), click OK.
  6. Type the names of the users in the lower box (serviceaccount), and click Add.
  7. If you want to validate the user click Check Names.
  8. Click OK.

Step 6:

Configuring the User and Computers to delegate on the Domain

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.
  2. Click the domain name that you created (Anjaneya.local), and then expand the contents.
  3. Right click on the domain name (Anjaneya.local) and click Find….
  4. Under Find, select Users, Contacts, and Groups.
  5. Type the user name (serviceaccount) and then click Find Now.
  6. In the Search results pane you will find the user (serviceaccount), right click on it and click Properties.
  7. Click Account tab and under Account options: scroll down and check Account is trusted for delegation.
  8. Click OK.


  9. Under Find, select Computers.
  10. Type the computer name (VIVEKKUMIIS) and then click Find Now.
  11. In the Search results pane you will find the user (VIVEKKUMIIS), right click on it and click Properties.
  12. Click Trust computer for delegation.
  13. Click OK.


  14. Follow the steps from 9 to 13 for the other computer (WIN2K3OWA).

Step 7:

Create a DNS entry

  1. Click Start, point to Administrative Tools, and then click DNS console.
  2. Expand the Server Name, expand Forward lookup Zones.
  3. Expand the Domain Name (Anjaneya.local).
  4. Right click on the domain name and click New Host (A)….
  5. Under Name type the name you will be using for the virtual cluster (testweblb).
  6. Type the IP address of the virtual cluster (192.168.0.30).
  7. Check the Create associated pointer (PTR) record.

Step 8:

Create a SPN for the domain account

This is a Service Principal Name and it allows a client to connect/authenticate to a service. It basically identifies the service in Active Directory. If there is no SPN or it is invalid then we can't connect to service using Kerberos authentication.

Automatic registration of SPN

When a service starts it will attempt to automatically register an SPN. To do this it must be either a domain administrator or local system account.

Setspn.exe tool is part of the Windows Resource kit. You may already have this if you've installed resource kit. It will install to C:\Program Files\Resource Kit\ by default (when installed via resource kit). Use it to create, delete and list SPNs.

Windows Server 2003 Service Pack 2 32-bit Support Tools

Windows 2000 Resource Kit Tool : Setspn.exe for Windows 2000

Syntax:
SetSPN –A ServiceName/<ComputerName>.<DomainName> <AccountName>

Here:
SetSPN –A HTTP/testweblb.anjaneya.local anjaneya\serviceaccount
SetSPN –A HTTP/testweblb anjaneya\serviceaccount

Use QuerySPN.vbs file to verify the SPN’s created.

C:\>cscript queryspn.vbs http/testweblb
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

CN=serviceaccount,CN=Users,DC=Anjaneya,DC=local
Class: user
User Logon: serviceaccount
-- http/testweblb
-- http/testweblb.anjaneya.local

You will need to replicate the Active Directory to reflect the changes or logoff and login on the client to test the application.

Step 9:

Configure Internet Explorer

  1. Open Internet Explorer.
  2. Click Tools -> Internet Options….
  3. Click Security tab and click Customer Level….
  4. Under User Authentication, verify that you have Automatic logon only in Intranet zone.
  5. Click Sites… click Advanced… and add the URL in the Add this Website in this zone: if the URL has a dot(.) in it.
  6. Click Add and click Close.
  7. Click OK.
  8. Click on Advanced tab and under Browsing uncheck the Show friendly HTTP error messages and under Security verify that you have Enable Integrated Windows Authentication checked.
  9. Click OK.
  10. Restart Internet Explorer.

Browse the website, http://testweblb and walla..

Hope this helps you configure Kerberos in your network.

Stay tuned for more on Kerberos Configuration and Troubleshooting

Comments
  • Hi Vivek,

    If we were running TWO iis website on the NLB environment, and using the same IP address for both, would this have any issues with Kerberos setup? Particularly with regards to DNS.

    1 DNS record is setup as an A record with a PTR

    the other is set up as a CNAME with no PTR...

    Cheers

    Gavin

  • Hello Gavin,

    I don't see any issue when you have two websites in NLB environment and using the same IP.. but the two websites will be identified using hostheaders and you will need to configure SPN's for both the websites.

    I suggest you use A(HOST) record entry for both the websites.

  • Hi as a IIS n00b, under what context or for what reason would you use this kind of setup? Can you provide an example of when this model would be approriate?

  • Hello Richard,

    The purpose of writing this blog post was to give an example of a scenario where the customer wants to implement NLB for his websites having content on a File Server or on a NAS drive and want Kerberos authentication.

    Let me know if you have further questions.

Page 1 of 1 (4 items)
Leave a Comment
  • Please add 5 and 7 and type the answer here:
  • Post