Incorrect configuration can cause 401 authentication errors when connecting to a load balancer address via the Management Server Console.
Diagnostics may also fail with authentication errors when they are configured to use the load balancer as a failover server.
When you are load balancing Management Servers and they are configured to use Windows Authentication, several additional elements are required to ensure that Kerberos and NTLM function correctly. Because clients address the load balancer name rather than an individual server, Kerberos tickets are requested for an SPN based on that name, which must therefore be registered on the identity that runs the application pool; and because a server may receive requests for its own VIP name, the NTLM loopback check must be relaxed for that name.
The following scenario outlines the required configuration changes by way of an example:
1) The Netscaler has been configured to balance load between a number of Management Servers over HTTP and persistence has been set to "Source IP"
2) Using Anonymous authentication, all Management Server features are working correctly via the VIP address
3) The Management Server application pools have been configured to run under a domain based service account and this service account is a member of the following groups on your IIS servers:
b) IIS_IUSRS (Server 2008)
c) IIS_WPG (Server 2003)
4) Application pool service account credentials have been registered with ASP.NET using aspnet_regiis as follows:
aspnet_regiis.exe -pa AppSenseMasterKey <DOMAIN>\<USERNAME>
Machine 1 Name: server1.domain.local
Machine 1 IP Address: 192.168.0.11
Machine 2 Name: server2.domain.local
Machine 2 IP Address: 192.168.0.12
Service Account Name: DOMAIN\#NLBServiceAccount
Load balancer Name: virtual.domain.local
Load balancer IP Address: 192.168.0.10
1) On Servers 1 and 2, open IIS Manager and navigate to the ManagementServer website.
a) In the central pane double click on the Configuration Editor in the Management section.
b) In the top left, drop down the section and navigate to: system.webServer/security/authentication/windowsAuthentication
c) Ensure "useAppPoolCredentials" is set to "true"
2) Ensure that a DNS record is present for virtual.domain.local to 192.168.0.10
3) Ensure that the DOMAIN\#NLBServiceAccount service account is trusted for delegation to any service (Kerberos only) in Active Directory
4) Ensure that the following SPNs are registered (use 'SetSPN.exe -S', which adds the SPN only after confirming that no duplicate exists anywhere in the forest):
5) Add the following registry entry as covered in MS KB article 926642 (http://support.microsoft.com/kb/926642), method 1; this whitelists specific host names for loopback authentication and is preferred over disabling the loopback check entirely
a) Add the BackConnectionHostNames REG_MULTI_SZ value to 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' on server1 with the following entries (one per line of the multi-string):
'server1.domain.local server1 virtual.domain.local virtual localhost 192.168.0.10 192.168.0.11 127.0.0.1'
b) Add the BackConnectionHostNames REG_MULTI_SZ value to 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' on server2 with the following entries (one per line of the multi-string):
'server2.domain.local server2 virtual.domain.local virtual localhost 192.168.0.10 192.168.0.12 127.0.0.1'
6) Restart IIS on both servers after making the above modifications
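The six steps above, applied on one node as a single PowerShell script and followed by a loopback test through the VIP. This is an added example and not part of the original article or the product's own tooling. It assumes the names and addresses from the scenario, a site called 'ManagementServer', the WebAdministration and ActiveDirectory modules being available on the node, and, since the article does not print its SPN list, that the SPNs to register are HTTP/virtual.domain.local and HTTP/virtual; the test URL path is also assumed. Run it elevated on server1, then again on server2 with the -Node and -NodeIp values swapped.

```powershell
# Added example (not from the original KB article): applies the Kerberos/NTLM load
# balancing steps on one Management Server node, then requests the site via the VIP.
# Assumed: scenario names/IPs, site name 'ManagementServer', SPN list, test URL path.
#Requires -RunAsAdministrator
param(
    [string]$Node           = 'server1.domain.local',   # this node's FQDN (server2.domain.local on node 2)
    [string]$NodeIp         = '192.168.0.11',           # this node's IP (192.168.0.12 on node 2)
    [string]$Vip            = 'virtual.domain.local',
    [string]$VipIp          = '192.168.0.10',
    [string]$Domain         = 'DOMAIN',
    [string]$ServiceAccount = '#NLBServiceAccount',     # app pool identity from the scenario
    [string]$SiteName       = 'ManagementServer'
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Step 1: useAppPoolCredentials=true so IIS decrypts Kerberos tickets with the app pool
# account rather than the machine account. The windowsAuthentication section is locked in
# applicationHost.config, so write it there under the site's <location>, which is what
# Configuration Editor does when opened on the site node.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'useAppPoolCredentials' -Value $true

# Step 2: the VIP name must resolve to the VIP address; clients derive the SPN from this name.
$resolved = [System.Net.Dns]::GetHostAddresses($Vip) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $VipIp) {
    throw "$Vip resolves to [$($resolved -join ', ')], expected $VipIp; fix DNS first."
}

# Step 3: 'Trust this user for delegation to any service (Kerberos only)' on the account.
# Needs RSAT (ActiveDirectory module) and rights to edit the user object.
Import-Module ActiveDirectory
Set-ADUser -Identity $ServiceAccount -TrustedForDelegation $true

# Step 4: HTTP SPNs for the VIP, FQDN and short form, on the service account.
# 'setspn -S' refuses to add an SPN that already exists on another account, which is the
# duplicate check the article asks for. The SPN list is assumed (not printed on the page).
$vipShort = $Vip.Split('.')[0]
foreach ($spn in @("HTTP/$Vip", "HTTP/$vipShort")) {
    & setspn.exe -S $spn "$Domain\$ServiceAccount"
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $spn (duplicate SPN or insufficient rights)" }
}

# Step 5: BackConnectionHostNames (KB 926642, method 1). Each name is one line of the
# REG_MULTI_SZ; this relaxes the NTLM loopback check only for these names.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$names = @($Node, $Node.Split('.')[0], $Vip, $vipShort, 'localhost', $VipIp, $NodeIp, '127.0.0.1')
New-ItemProperty -Path $lsaPath -Name 'BackConnectionHostNames' -PropertyType MultiString `
    -Value $names -Force | Out-Null

# Step 6: restart IIS so the app pool and the authentication module pick up the changes.
& iisreset.exe /noforce

# Check: request the site through the VIP name with integrated auth from this node. With
# Source IP persistence this may land on this same server, which is exactly the loopback
# case BackConnectionHostNames exists for. A 401 here points back at steps 1, 4 or 5.
try {
    $r = Invoke-WebRequest -Uri "http://$Vip/" -UseDefaultCredentials -UseBasicParsing
    "HTTP $($r.StatusCode) from $Vip via $env:COMPUTERNAME"
} catch {
    Write-Warning "Request to $Vip failed: $($_.Exception.Message). Re-check SPNs (setspn -L $Domain\$ServiceAccount) and BackConnectionHostNames."
}
```

The SPNs are registered once (they live on the account, not on a node), so the setspn step reports a duplicate and stops the script on the second node; rerun it there with the loop removed or accept the expected failure. Registering HTTP/server1.domain.local and HTTP/server2.domain.local on the same account is only needed if clients also connect to the individual server names with Windows Authentication.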