Windows Authentication in cluster mode with UAS
If you want to use Windows authentication with UAS on an intranet behind a Network Load Balancer, the following prerequisites apply:
1. Create a service account as follows:
a. The account must belong to the IIS_WPG group.
b. Set its delegation level to "Trust this user for delegation to any service (Kerberos only)".
c. Add the service account to the IIS_IUSRS group on every node of your cluster.
2. In applicationHost.config (c:\windows\system32\inetsrv\config), deactivate kernel mode authentication.
3. Make IIS authenticate with the service account's credentials: useAppPoolCredentials="true".
4. Grant the service account read rights on:
- c:\inetpub\wwwroot
- c:\inetpub\wwwroot\uas
- c:\inetpub\wwwroot\hopex
- c:\inetpub\wwwroot\windowsAuthenticationService
5. Grant the service account full control on:
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files
6. At DNS level:
a. Define a host name for the Network Load Balancer (NLB).
b. Define an alias host name for each machine in the same domain as the NLB.
c. In the NLB port rules, set affinity to Single.
7. Configure the Service Principal Names (SPNs):
a. Register an SPN for the NLB name, both FQDN and short name, on your service account.
b. Register an SPN for each node of your cluster, both FQDN and short name, on your service account.
Example:
setspn -S HTTP/NLBName.domain.com domain\webapplicationaccount (NLB)
setspn -S HTTP/NLBName domain\webapplicationaccount
setspn -S HTTP/ServerName1.domain.com domain\webapplicationaccount
setspn -S HTTP/ServerName1 domain\webapplicationaccount
setspn -S HTTP/ServerName2.domain.com domain\webapplicationaccount
setspn -S HTTP/ServerName2 domain\webapplicationaccount
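The following PowerShell script is an added verification aid for steps 2, 3, 6a and 7 above; it is not part of this page or of the UAS product. Run it as an administrator on each node; the account, NLB and node names in its parameters are placeholders for this example.

```powershell
# Added verification script (not part of the original page). Reports the
# misconfigurations that most often break Kerberos behind an NLB.
# The account and host names below are placeholders: replace them with yours.
param(
    [string]$ServiceAccount = 'domain\webapplicationaccount',
    [string]$NlbName        = 'NLBName.domain.com',
    [string[]]$NodeNames    = @('ServerName1.domain.com', 'ServerName2.domain.com')
)
$problems = @()

# Steps 2-3: kernel-mode authentication must be off and the app pool identity
# must be used, otherwise the ticket is decrypted with the machine account and
# the SPNs registered on the shared service account cannot be validated.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$appHost = Get-Content -Path $configPath -Raw
foreach ($auth in $appHost.SelectNodes('//windowsAuthentication')) {
    $scope = $auth.SelectSingleNode('ancestor::location')
    $where = if ($scope) { $scope.GetAttribute('path') } else { 'applicationHost.config (global)' }
    # Absent attributes take the IIS defaults: useKernelMode=true, useAppPoolCredentials=false
    $kernel = $auth.GetAttribute('useKernelMode');        if (-not $kernel) { $kernel = 'true' }
    $pool   = $auth.GetAttribute('useAppPoolCredentials'); if (-not $pool)   { $pool = 'false' }
    if ($kernel -ne 'false') { $problems += "${where}: useKernelMode is $kernel, expected false" }
    if ($pool   -ne 'true')  { $problems += "${where}: useAppPoolCredentials is $pool, expected true" }
}

# Step 7: every FQDN and short-name HTTP SPN must exist exactly once, on the
# service account. A duplicate, or an SPN on another account, makes the KDC
# issue tickets the node cannot decrypt, so clients fall back to NTLM or fail.
$sam = $ServiceAccount.Split('\')[-1]
$names = @($NlbName) + $NodeNames
$expectedSpns = $names | ForEach-Object { "HTTP/$_"; "HTTP/$($_.Split('.')[0])" }
foreach ($spn in $expectedSpns) {
    $hits   = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
    $owners = @($hits | ForEach-Object { $_.Properties['samaccountname'][0] })
    if ($owners.Count -eq 0) {
        $problems += "$spn is not registered; run: setspn -S $spn $ServiceAccount"
    } elseif ($owners.Count -gt 1) {
        $problems += "$spn is duplicated on $($owners -join ', '); Kerberos will fail"
    } elseif ($owners[0] -ne $sam) {
        $problems += "$spn belongs to $($owners[0]), not to $sam"
    }
}

# Step 6a: the NLB name must resolve, or clients request a ticket for the wrong SPN.
if (-not (Resolve-DnsName -Name $NlbName -ErrorAction SilentlyContinue)) {
    $problems += "$NlbName does not resolve in DNS"
}

if ($problems.Count -eq 0) { Write-Host 'All checks passed' }
else { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```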