dealix
asked on
Can 2 webservers have the same service principal name?
OK, I set up Active Directory delegation on my intranet site, and enabled Windows authentication.
Users go to the ASP page, and their identity/credentials are passed through to the SQL Server.
(Logging into the SQL Server with the users' credentials is the critical part here; we have assigned SQL-level permissions on certain tables.)
When users go to the machine's website http://cWebNexus2/integratedlogon.asp, everything works like a dream.
(cWebNexus2 is the name of the machine on our Active Directory network.)
But when I go to the outside site name: http://nexus.dealix.com/integratedlogon.asp, it didn’t work at first.
So, I used “setspn -a HOST/nexus.dealix.com” on the CwebNexus2 webserver to register the nexus.dealix.com name, so delegation will work… and now it does!
My question is, can I do the same thing for the webserver Cwebnexus1 when I bring that machine online next week?
See, nexus.dealix.com is an address that is going to be load balanced between the machines CWebNexus1 and CWebNexus2. Will I be able to use "setspn -a HOST/nexus.dealix.com" to register the domain for both servers?
ASKER
Well, we got Windows 2003 on all the servers... but we are using an F5 Big IP, not the Microsoft load balancing...
If there is no way to do delegation for nexus.dealix.com without Microsoft load balancing, I could push for that... but is there any way to make this thing work with the F5 Big IP?
Thanks,
Dan
ASKER CERTIFIED SOLUTION
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx
If you are using IIS 5.0 this is not possible:
http://support.microsoft.com/default.aspx?scid=kb;en-us;325608
Any more questions? ;-)
Dave Dietz