Kerberos, NLB, Windows 2000 AD, Windows 2003 Server

on 16.06.2007 00:19:00 by Chris

I am trying to set up Kerberos to work on an NLB Cluster which consists of two
Windows 2003 servers. Our Active Directory is functioning on a Windows 2000
level. I have read that this is possible but all of the instructions that I
have been able to find start with setting an item in 2003 AD. I can run web
applications using ASP.NET against the individual Host Servers but not the
NLB Cluster (Virtual Server).

I have read numerous articles and tried redirect workarounds as well as
followed instructions given on numerous pages -- nothing seems to provide a
complete solution.

Is it possible to use Kerberos on NLB Cluster (two Windows 2003 Servers) in
Windows 2000 AD?

Any and all help is appreciated.

Thanks
Chris

Re: Kerberos, NLB, Windows 2000 AD, Windows 2003 Server

on 16.06.2007 13:33:40 by Ken Schaefer

Hi,

Yes, you can do this. But you need to run the web application pool under a
Domain User account, and you need to register an SPN for the virtual host name
under the same Domain User account.

Cheers
Ken
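
The registration described in the reply above, as an added example that is not part of the original post: it registers the HTTP SPN for the NLB virtual host name on the application pool's domain account, then checks that no other account in the domain also holds it. The host names and the account name are placeholder assumptions, not values from the thread.

```powershell
# Assumed placeholder names (not from the thread): replace with your own values.
$VirtualHost = 'webfarm'                # NLB cluster (virtual) host name users browse to
$VirtualFqdn = 'webfarm.corp.example'   # its fully qualified form
$PoolAccount = 'CORP\svc-webfarm'       # domain user running the application pool on every node

# Register both name forms on the application pool account.
# Requires rights to write servicePrincipalName on that account.
foreach ($name in $VirtualHost, $VirtualFqdn) {
    & setspn.exe -A "HTTP/$name" $PoolAccount
}

# List the SPNs the account now holds.
& setspn.exe -L $PoolAccount

# An SPN must map to exactly one account. A copy left on a node's computer
# account or on another user makes the lookup ambiguous and Kerberos fails.
# [adsisearcher] searches the current domain only.
$expected = ($PoolAccount -split '\\')[-1]
foreach ($name in $VirtualHost, $VirtualFqdn) {
    $spn      = "HTTP/$name"
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $holders  = @($searcher.FindAll() |
                  ForEach-Object { $_.Properties['samaccountname'][0] })

    if ($holders.Count -eq 0) {
        "MISSING   $spn is not registered on any account"
    } elseif ($holders.Count -eq 1 -and $holders[0] -eq $expected) {
        "OK        $spn -> $($holders[0])"
    } else {
        "CONFLICT  $spn is held by: $($holders -join ', ') (expected only $expected)"
    }
}
```

Every NLB node must run the application pool under the same account, since a ticket issued for the virtual host name can only be decrypted with that account's key.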

Re: Kerberos, NLB, Windows 2000 AD, Windows 2003 Server

on 18.06.2007 05:54:02 by Chris

Thanks!! I will give this another try. I must be doing something
incorrectly as I have tried setting up a domain account and using that
account for the application pool. I think it's setting the SPN that I am
finding difficult. It does not seem to be recognizing the Virtual Host Name
or something. I think I need to run setspn on a 2003 DC instead of a 2000
DC. I read that the host servers that are part of the NLB should not be
Domain Controllers. I am not certain that we have another Windows 2003
Server that is a DC.


Re: Kerberos, NLB, Windows 2000 AD, Windows 2003 Server

on 18.06.2007 06:25:51 by Ken Schaefer

It should make no difference where you run SetSPN.

If you haven't read these already, they may be helpful in understanding how
this all works:

IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

Re: Kerberos, NLB, Windows 2000 AD, Windows 2003 Server

on 26.06.2007 23:16:02 by Chris

Thanks - I finally got it working a few days ago. The links that you gave
were helpful as well as the GUI for adding SPNs (ADSIEdit).