Introduction (Kerberos authentication for load balanced web sites)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Problem Statement

Kerberos is an authentication mechanism used to verify user or host identity. This document explains how to configure Kerberos to allow applications to take advantage of its authentication capabilities while also being load balanced with NLB.

Note

The procedures described in this document apply only to products in the Windows Server 2003 family. Using Kerberos in an application load balanced with NLB is not supported in Windows 2000.

Outline of Solution

Follow the steps in this white paper to register the cluster name service principal name (SPN) on a domain user account and configure IIS 6.0 to run in Worker Process Isolation Mode under the identity of that user account.

Prerequisite Steps

Complete these steps before implementing the Kerberos Authentication solution.

  1. Join the Windows Server 2003 computers that will participate in the Network Load Balancing (NLB) cluster to a Windows domain (not a workgroup).

  2. Set up the NLB cluster.

  3. Assign a name to the cluster (this is the cluster name) and map it to the NLB cluster IP address in DNS/WINS. This name does not have to be the Full Internet Name entered on the Cluster Parameters tab in the Network Load Balancing Properties dialog box.