When the server rejects the Kerberos ticket, the client renegotiates and tries to use Windows NT Challenge/Response authentication. Even if the client can authenticate through this method, delegation fails because it relies on Kerberos to function.
As a sample, the page can be something as simple as the following line:
<% response.redirect("http://my.unique.fqdn/default2.asp") %>
As a caveat, the client can see or record (that is, bookmark) the unique name of the server that the client is directed to. This may seem to lead to outages if the client bookmarks that site and tries to return when either the physical server or the unique server name is unavailable.
Note: If you use the solution that is described in the white paper, do not register a HOST/SPN when you are directed to. Register an HTTP SPN.
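To confirm whether a client is still presenting Kerberos or has fallen back to Windows NT Challenge/Response (NTLM) as described at the start of this section, the Authorization header it sends can be classified. The following Python is an added example, not part of the original article; the function names, the 64-byte scan limit and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs as they appear at the start of a GSS-API/SPNEGO token.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (legacy Microsoft)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
SCAN_LIMIT = 64  # assumption: the mechanism list sits in the first bytes; avoids matching ticket data


def classify_auth_header(value: str) -> str:
    """Return 'kerberos', 'ntlm' or 'unknown' for an HTTP Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # raw NTLM message: the fallback case, delegation will not work
    head = token[:SCAN_LIMIT]
    # SPNEGO lists mechanisms in preference order; the first one is what the client is attempting.
    hits = [(head.find(oid), mech) for oid, mech in MECH_OIDS.items() if oid in head]
    return min(hits)[1] if hits else "unknown"


def make_header(scheme: str, raw: bytes) -> str:
    """Build a header value from raw token bytes (helper for the constructed samples)."""
    return f"{scheme} {base64.b64encode(raw).decode()}"


# Constructed samples: an NTLM type 1 message, and a SPNEGO NegTokenInit header
# (mechanism list only, no ticket) that prefers Kerberos and also offers NTLM.
SAMPLE_NTLM = make_header("Negotiate", NTLMSSP_SIGNATURE + bytes.fromhex("01000000078208a2") + bytes(16))
SAMPLE_KERBEROS = make_header("Negotiate", bytes.fromhex(
    "602706062b0601050502a01d301ba0193017"
    "06092a864886f712010202"
    "060a2b06010401823702020a"
))

if __name__ == "__main__":
    for name, header in (("ntlm sample", SAMPLE_NTLM), ("kerberos sample", SAMPLE_KERBEROS)):
        print(name, "->", classify_auth_header(header))
```

A result of "ntlm" for requests to the load-balanced name indicates the fallback has occurred and delegation from that server will fail.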
Visit the following Microsoft Web site to view the "Kerberos authentication for load balanced web sites" white paper:
For additional information about network load balancing, visit the following Microsoft Web site:
For more information about the Kerberos authentication protocol, see the following RFC Web site:
Article ID: 325608 - Last Review: Jun 19, 2014 - Revision: 1