All the servers are member of the ANJANEYA.local domain
Configuring NLB Cluster
Network Load Balancing can be installed from the Local Area Connection Properties.
Click TCP/IP properties and add the Virtual Cluster IP Address in the IP addresses.
Open Network Load Balancing Manager from Start -> All Programs -> Administrative ToolsRight click on Network Load Balancing Clusters and click New Cluster
Add the Cluster IP Address, Full Internet name and click Multicast.
Click Next.You can add additional cluster IP addresses if required
Click Next.Enter the Host and click Connect.
Click Next.Verify that the settings are correct.You can decide the Priority of the host on this screen.
Click Finish.Now add other host in the cluster by right clicking on the cluster name and clicking Add Cluster Host.You will get the following error
Double clicking on the error shows the following error:
Add the Cluster IP Address in the TCPIP properties on the second node and the issue will resolve.The successful configuration of NLB Cluster nodes looks like this.
Share folder with adequate permission on the File Server
Creating User in Active Directory Users and Computers
Configuring IIS on the Servers
Creating Application Pool in IIS
Creating Website in IIS
Follow the above steps on the other IIS server as well.
Adding the domain user in IIS_WPG group on IIS Server
Configuring the User and Computers to delegate on the Domain
Create a DNS entry
Create a SPN for the domain account
This is a Service Principal Name and it allows a client to connect/authenticate to a service. It basically identifies the service in Active Directory. If there is no SPN or it is invalid then we can't connect to service using Kerberos authentication.
Automatic registration of SPN
When a service starts it will attempt to automatically register an SPN. To do this it must be either a domain administrator or local system account.
Setspn.exe tool is part of the Windows Resource kit. You may already have this if you've installed resource kit. It will install to C:\Program Files\Resource Kit\ by default (when installed via resource kit). Use it to create, delete and list SPNs.
Windows Server 2003 Service Pack 2 32-bit Support Tools
Windows 2000 Resource Kit Tool : Setspn.exe for Windows 2000
Syntax: SetSPN –A ServiceName/<ComputerName>.<DomainName> <AccountName>
Here:SetSPN –A HTTP/testweblb.anjaneya.local anjaneya\serviceaccountSetSPN –A HTTP/testweblb anjaneya\serviceaccount
Use QuerySPN.vbs file to verify the SPN’s created.
C:\>cscript queryspn.vbs http/testweblbMicrosoft (R) Windows Script Host Version 5.6Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.CN=serviceaccount,CN=Users,DC=Anjaneya,DC=localClass: userUser Logon: serviceaccount-- http/testweblb-- http/testweblb.anjaneya.local
You will need to replicate the Active Directory to reflect the changes or logoff and login on the client to test the application.
Configure Internet Explorer
Browse the website, http://testweblb and walla..
Hope this helps you configure Kerberos in your network.
Stay tuned for more on Kerberos Configuration and Troubleshooting
If we were running TWO iis website on the NLB environment, and using the same IP address for both, would this have any issues with Kerberos setup? Particularly with regards to DNS.
1 DNS record is setup as an A record with a PTR
the other is set up as a CNAME with no PTR...
I don't see any issue when you have two websites in NLB environment and using the same IP.. but the two websites will be identified using hostheaders and you will need to configure SPN's for both the websites.
I suggest you use A(HOST) record entry for both the websites.
Hi as a IIS n00b, under what context or for what reason would you use this kind of setup? Can you provide an example of when this model would be approriate?
The purpose of writing this blog post was to give an example of a scenario where the customer wants to implement NLB for his websites having content on a File Server or on a NAS drive and want Kerberos authentication.
Let me know if you have further questions.