Solved

Can 2 webservers have the same service principal name?

Posted on 2004-08-30
3
427 Views
Last Modified: 2007-12-19
Ok, I set up active directory delegation on my intranet site, and enabled windows authentication.
Users go to the ASP page, and their identity/credentials are passed through to the SQL server.

(logging into the sql server with the users credentials is the critical part here, we have assigned sql level permissions on certain tables)

When users go to the machines website http://cWebNexus2/integratedlogon.asp, everything works like a dream.
(cWebNexus2 is the name of the machine on our active directory network)

But when I go to the outside site name: http://nexus.dealix.com/integratedlogon.asp, it didn’t work at first.
So, I used “setspn -a HOST/nexus.dealix.com” on the CwebNexus2 Webserver to register the nexus.dealix.com name, so delegation will work… and now it does!

My question is, can I do the same thing for the webserver Cwebnexus1 when I bring that machine online next week?

See, nexus.dealix.com is an address that is going to be load balanced between the machines, CWebNexus1 and CWebNexus2, will I be able to use "setspn -a HOST/nexus.dealix.com" to register the domain for both servers?
 
0
Comment
Question by:dealix
  • 2
3 Comments
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 11937955
If you are using IIS 6.0 you can load balance servers and use Kerberos authentication, but it does take some steps to set up correctly:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx

If you are using IIS 5.0 this is not possible:

http://support.microsoft.com/default.aspx?scid=kb;en-us;325608

Any more questions?  ;-)

Dave Dietz
0
 

Author Comment

by:dealix
ID: 11946471
Well, we got windows 2003 on all the servers.. but we are using a F5 Big IP, not the Microsoft load balancing.....
If there is no way to do delegation for nexus.dealix.com without microsoft load balancing, I could push for that... but, is there any way to make this thing work with the F5 Big IP?

Thanks,
Dan
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 500 total points
ID: 11948871
Same instructions.....

NLB is a generalized term in the article and does not specifically apply to WLBS (Windows Load Balancing Services).  The steps should work fine for any load balancing technology I am aware of.

Dave Dietz
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
This demonstration started out as a follow up to some recently posted questions on the subject of logging in: http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28634665.html and http://www.experts-exchange.com/Programming/…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now