Authentication delegation through Kerberos does not work in load-balanced architectures
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
When a customer tries to use Kerberos to delegate authentication in a load-balanced architecture, Kerberos does not work and Internet Information Services (IIS) drops back to Windows NT Challenge/Response authentication. Because Windows NT Challenge/Response cannot be used for delegation, any applications or services that require delegation do not work.
The problem occurs because of a limitation in the Kerberos authentication protocol. The load-balanced cluster uses a virtual host name to identify itself, and this is the host name that the Kerberos ticket is issued for. When the ticket is presented to the actual server, the client that is directed to the ticket does not match its Server Principal Name (SPN). Additionally, in a Windows 2000 domain, the virtual host name cannot be set to Trusted For Delegation in the Active Directory.
When the server rejects the Kerberos ticket, the client renegotiates and tries to use Windows NT Challenge/Response authentication. Even if the client can authenticate through this method, delegation fails because it relies on Kerberos to function.
One possible workaround requires that each computer in the load-balanced cluster be available to answer to its own fully qualified domain name (FQDN). The default page on each server must redirect the client directly to itself, thereby bypassing the virtual host name and instead providing a valid host name that a ticket can be issued for.
As a sample, the page can be something a simple as the following line:
<% response.redirect("http://my.unique.fqdn/default2.asp") %>
Assuming that my.unique.fqdn is the unique FQDN of the computer and that Default2.asp is the actual default page that the client must be directed to, Kerberos can use this simple redirection to work in a load-balanced architecture.
As a caveat, the client can see or record (that is, bookmark) the unique name of the server that the client is directed to. This may seem to lead to outages if the client bookmarks that site and tries to return when either the physical server or the unique server name is unavailable.
A white paper is now available that discusses how to set up a network load-balanced environment for Kerberos authentication. This solution may take longer to implement because it includes changes to the Web server environment. However, The solution described in the white paper may be better than the solution described in the "Workaround" section.Note
If you use the solution that is described in the white paper, do not register a HOST/SPN when you are directed to. Register an HTTP SPN.
Visit the following Microsoft Web site to view the "Kerberos authentication for load balanced web sites" white paper:
For additional information about network load balancing, visit the following Microsoft Web site:
For more information about the Kerberos authentication protocol, see the following RFC Web site:
iis 5 wlbs kerberos delegation integrated NLB
Article ID: 325608 - Last Review: 06/19/2014 14:57:00 - Revision: 5.0