6 Replies Latest reply on May 24, 2017 6:10 AM by PratikPawar

    Access PersOps (default website) via LB VIP address

    PratikPawar Apprentice

      Hi Guys,

       

      We have upgraded our environment from v8.6 to v10.1.

       

      While upgrading the personalization server, we got a prompt saying it will overwrite any application on the default website. We selected yes and completed our installation.

      We upgraded the schema as well; everything went fine and is working fine.

       

      When I access the default website with localhost or with the server hostname, I am able to access PersOps. However, when I try to access it via our GSLB URL it asks for credentials; even after providing the right credentials it keeps prompting for them and ends with the error "Not Authorized, HTTP Error 401. The requested resource requires user authentication."

       

      We have configured the "PWCAPI" and "PWC" pools to use the network load balancer account as per the load balancer best practice guide.

      Even the correct SPNs are created for the load balancer account, because our personalization is working fine.

      There is no security configuration done at the LB end. Our communication from the end machine to GSLB is HTTPS and from GSLB to the servers HTTP with SSL offloading.

      As soon as I change "useAppPoolCredentials" to "true", it does not work with the hostname either, from another machine.

       

      I have tried making the following changes in IIS for the default web site and PWCAPI:

      - Changing "useKernelMode" to true or false

      - Using Anonymous authentication for all pools

      - Changing/toggling Windows Authentication providers to "NTLM" only or "Negotiate"

       

      So basically we are trying to make PersOps available to our SD team as a replacement for EMBI; however, it is not accessible via the LB VIP URL.

       

      Any quick help will be appreciated.

        • 1. Re: Access PersOps (default website) via LB VIP address
          duberyy_wotsit Apprentice

          We have the same issue here.  The VIP doesn't work with the same issues you are seeing and you also can no longer connect to the real server addresses because you have to remove the SPNs for those in order to upgrade to 10.1.

          • 2. Re: Access PersOps (default website) via LB VIP address
            mattw SupportEmployee

            Hi There,

             

            I'd just like to add we are looking into the load balancing of the PersOps website whilst using a NLB.  If you haven't already could you raise a support case and provide your web.config file from the PWCAPI Web Site as well as a set of IIS logs showing the failed requests.

             

            Regards,

             

            Matt

            • 3. Re: Access PersOps (default website) via LB VIP address
              PratikPawar Apprentice

              Hi Mattw,

               

              I have raised the support case and am already working with an engineer on the logs.

              I will update here once we conclude on this.

              • 4. Re: Access PersOps (default website) via LB VIP address
                duberyy_wotsit Apprentice

                I have found that if I connect with the IP, rather than the FQDN of the VIP it does at least prompt for creds and accepts them.

                 

                What load balancer are you using?  We have Brocade.

                • 5. Re: Access PersOps (default website) via LB VIP address
                  mattw SupportEmployee

                  Thought I'd check in on this issue.  In an isolated environment I set this up successfully without too much pain, however I appreciate live environments are much more complex.

                  Generally you want to use Kerberos for authentication so you will need to ensure your SPN's are set correctly.  e.g.

                  where pops.vapp.local is my NLB address.

                   

                  If this is set up correctly then Kerberos should be used as the primary authentication mechanism and I would expect it to connect successfully upon entering valid credentials to the site.  If Kerberos is failing then there is likely something wrong in this area.  I would expect the systems to fall back to NTLM, however it may be the case this is failing as well, which would result in a constant prompt being displayed.  A web debugger (such as Fiddler, for example) is great at troubleshooting these types of issues.

                   

                  If the IP address has been successful in connecting then this will have auth'd over NTLM, so you should be ok on that front.

                   

                  Out of interest do your IIS logs show a connecting user through the NLB or has it been stripped from the request?
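
Added example, not part of any post in this thread: when reading a web-debugger capture as suggested in reply 5, the token in each `Authorization` header shows whether the browser sent Kerberos or NTLM. This Python sketch classifies such header values; the function names are illustrative and the sample tokens are constructed, not captured traffic.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# DER encoding of OID 1.2.840.113554.1.2.2 (Kerberos V5 GSS-API mechanism)
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_auth_header(value):
    """Classify one Authorization / WWW-Authenticate header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    if not token.strip():
        return "offer"  # server advertising the scheme, no token yet
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return "malformed"
    pos = raw.find(NTLM_SIG)  # raw NTLMSSP, or NTLMSSP wrapped in SPNEGO
    if pos != -1 and len(raw) >= pos + 12:
        # NTLM message type: little-endian uint32 right after the signature
        mtype = struct.unpack_from("<I", raw, pos + 8)[0]
        return "ntlm-" + NTLM_TYPES.get(mtype, "unknown")
    if raw[:1] == b"\x60" and KRB5_OID in raw:  # 0x60 = GSS-API token tag
        return "kerberos"
    return "unknown"

def diagnose(client_headers):
    """Summarise the Authorization headers one client sent, in order."""
    kinds = [classify_auth_header(h) for h in client_headers]
    if "kerberos" in kinds:
        return "kerberos attempted"
    if "ntlm-authenticate" in kinds:
        return "ntlm fallback"
    if "ntlm-negotiate" in kinds:
        return "ntlm handshake never completed"
    return "no integrated-auth token sent"

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample tokens (synthetic bytes, not captured traffic).
SAMPLE_NTLM1 = "Negotiate " + b64(NTLM_SIG + struct.pack("<I", 1) + b"\x07\x82\x08\xa2")
SAMPLE_NTLM3 = "NTLM " + b64(NTLM_SIG + struct.pack("<I", 3) + b"\x00" * 52)
SAMPLE_KRB = "Negotiate " + b64(b"\x60\x82\x01\x00" + KRB5_OID + b"\x01\x00" + b"\xaa" * 32)
```

Feed `diagnose` the `Authorization` values from one browser session against the VIP name and compare with a session against the IP address.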

                  • 6. Re: Access PersOps (default website) via LB VIP address
                    PratikPawar Apprentice

                    Hello guys,

                     

                    I am able to get PersOps working over the LB VIP URL.

                     

                    mattw, the SPNs are already set correctly and working fine, as we do not have any issues with personalization.

                     

                    I have updated the "PWCAPI" and "PWC" application pools on all personalization servers with the network LB service account, and also set "useAppPoolCredentials" to true, as per the best practice in the LB guide.

                    Still it was prompting for credentials, and even when providing correct credentials it was failing to connect.

                     

                    Then I found RoleAdmin.exe present at "C:\Program Files\AppSense\Environment Manager\Personalization Server\Support". If you run this and connect to the DB, it shows access roles similar to what we see in the personalization console.

                    I could see all my required groups were present, but it was still not working; referring to one of the KB articles, I removed all of them and added them again.

                     

                    And here we go: it started working over the LB URL.