Load Balancing Management Servers with Windows Authentication using Netscaler

Version 1

    Verified Product Versions

    Management Center 8.7Management Center 8.6Management Center 8.5Management Center 8.4Management Center 8.3Management Center 8.2Management Center 8.1Management Center 8.0


    Incorrect configuration can cause 401 authentication errors when connecting to a load balancer address via the Management Server Console.

    Also diagnostics may fail with authentication errors when configured to use the load balancer as a failover server.


    When you are Load Balancing Management Servers and they are configured to use Windows Authentication, several additional elements are required to ensure that Kerberos and NTLM function correctly.

    The following scenario outlines what configuration changes are required by use of an example:


    1) The Netscaler has been configured to balance load between a number of Management Servers over HTTP and persistence has been set to "Source IP"

    2) Using Anonymous authentication, all Management Server featured are working fine via the VIP address

    3) The Management Server application pools have been configured to run under a domain based service account and this service account is a member of the following groups on your IIS servers:

       a) Adminstrators
       b) IIS_IUSRS (Server 2008)
       c) IIS_WPG (Server 2003)

    4) Application pool service account credentials have been registered with ASP.NET using aspnet_regiis as follows:

    aspnet_regiis.exe -pa AppSenseMasterKey <DOMAIN>\<USERNAME>

    Example Environment:

    Machine 1 Name: server1.domain.local
    Machine 1 IP Address:
    Machine 2 Name: server2.domain.local
    Machine 2 IP Address:
    Service Account Name: DOMAIN\#NLBServiceAccount
    Load balancer Name: virtual.domain.local
    Load balancer IP Address:

    Modifications Required:

    1) On Servers 1 and 2, open In IIS Manager and navigate to the ManagementServer website.

       a) In the central pane double click on the Configuration Editor in the Management section.
       b) In the top left, drop down the section and navigate to: system.webServer/security/authentication/windowsAuthentication
       c) Ensure "useAppPoolCredentials" is set to "true"

    2) Ensure that a DNS record is present for virtual.domain.local to

    3) Ensure that the DOMAIN\#NLBServiceAccount service account is trusted for delegation to any service (kerberos only) in Active Directory

    4) Ensure that the following SPNs are registered (use 'SetSPN.exe -S' to ensure no duplicates exist):
    http/virtual.domain.local DOMAIN\#NLBServiceAccount
    http/virtual DOMAIN\#NLBServiceAccount

    5) Modify the following registry entry as covered in MS KB article 926642 (http://support.microsoft.com/kb/926642)

       a) Add the BackConnectionHostNames REG_MULTI_SZ to 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' on server1 with the following entries:
    'server1.domain.local server1 virtual.domain.local virtual localhost'

       b) Add the BackConnectionHostNames REG_MULTI_SZ to 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' on server2 with the following entries:
    'server2.domain.local server2 virtual.domain.local virtual localhost'

    6) Restart IIS on both servers after making the above modifications