Solved

Can 2 webservers have the same service principal name?

Posted on 2004-08-30
3
436 Views
Last Modified: 2007-12-19
Ok, I set up active directory delegation on my intranet site, and enabled windows authentication.
Users go to the ASP page, and their identity/credentials are passed through to the SQL server.

(logging into the sql server with the users credentials is the critical part here, we have assigned sql level permissions on certain tables)

When users go to the machines website http://cWebNexus2/integratedlogon.asp, everything works like a dream.
(cWebNexus2 is the name of the machine on our active directory network)

But when I go to the outside site name: http://nexus.dealix.com/integratedlogon.asp, it didn’t work at first.
So, I used “setspn -a HOST/nexus.dealix.com” on the CwebNexus2 Webserver to register the nexus.dealix.com name, so delegation will work… and now it does!

My question is, can I do the same thing for the webserver Cwebnexus1 when I bring that machine online next week?

See, nexus.dealix.com is an address that is going to be load balanced between the machines, CWebNexus1 and CWebNexus2, will I be able to use "setspn -a HOST/nexus.dealix.com" to register the domain for both servers?
 
0
Comment
Question by:dealix
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 11937955
If you are using IIS 6.0 you can load balance servers and use Kerberos authentication, but it does take some steps to set up correctly:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx

If you are using IIS 5.0 this is not possible:

http://support.microsoft.com/default.aspx?scid=kb;en-us;325608

Any more questions?  ;-)

Dave Dietz
0
 

Author Comment

by:dealix
ID: 11946471
Well, we got windows 2003 on all the servers.. but we are using a F5 Big IP, not the Microsoft load balancing.....
If there is no way to do delegation for nexus.dealix.com without microsoft load balancing, I could push for that... but, is there any way to make this thing work with the F5 Big IP?

Thanks,
Dan
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 500 total points
ID: 11948871
Same instructions.....

NLB is a generalized term in the article and does not specifically apply to WLBS (Windows Load Balancing Services).  The steps should work fine for any load balancing technology I am aware of.

Dave Dietz
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question