More fun today with Kerberos and load balancers. Today’s challenge related to getting the Microsoft App-V publishing server to work with an F5 load balancer in a Layer 4/n-Path/DSR configuration. Everything was working when I was accessing the individual server nodes, but when I switched to using the load balanced name and address, authentication started to fail.
After lots of log searching I eventually tried a wire trace, and found the following Kerberos error in the response from the App-V server to the App-V client:
Lots of different resources helped here:
- This TechNet page explains various Kerberos errors and why they might occur:
Of note is the scenario where the account handling the authentication request does not hold the SPN for which the request was made. I set the SPN for my IIS application pool identity, but further analysis of the error packet shows that it was handled by my App-V server machine account, not the service account. Augh! Why?
- This thread on TechNet Social was the biggest help:
The user posted all of the steps they followed in configuring IIS and the service account SPN, including the tidbit:
changed the authentication of the "Management Service" web site to useAppPoolCredentials="true"
I have never used this particular setting, so I dug into it…
- The following MSDN article explains the IIS 7.0 feature of “kernel authentication”, how it affects the need for SPN entries, and its interplay with application pool identity accounts:
Basically, with kernel-mode authentication, the SYSTEM account will handle all Kerberos authentication by default. This explains why we were seeing Kerberos errors in the communications with the App-V client… the IIS pool identity account was not handling Kerberos delegation!
Of special interest is this statement:
Disable Kernel mode authentication and follow the general steps for Kerberos as in the previous IIS 6.0 version.
[Recommended for Performance reasons] Let Kernel mode authentication be enabled and the Application pool’s identity be used for Kerberos ticket decryption. The only thing you need to do here is:
1. Run the Application pool under a common custom domain account.
2. Add this attribute “useAppPoolCredentials” in the ApplicationHost.config file.
- This TechNet page documents how to configure Kerberos auth in IIS, and mentions the use of the IIS appcmd.exe to set the “useAppPoolCredentials” option:
Included is the exact command line required to set the value to true:
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true
(But the page does not really tell you what it is for, which is where the MSDN article comes in handy.)
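As an added example (this is not code from the post, nor from any Microsoft page it links to), the PowerShell script below ties the two findings together: it first checks which directory object answers for the HTTP SPN of the load-balanced name, so the machine-account-instead-of-service-account situation found in the packet analysis above is visible before anything is changed, and then applies the two MSDN steps (pool running as a common domain account, useAppPoolCredentials set) through the WebAdministration module instead of appcmd.exe, reading the effective settings back at the end. The host name, service account, site name and pool name are placeholders; it assumes an elevated session on a domain-joined IIS node where setspn.exe is available.

```powershell
# Added example, not from the original post or any Microsoft documentation. Assumes:
#  - an elevated PowerShell session on one App-V publishing node with the WebAdministration module
#  - setspn.exe available (domain-joined server with the AD DS tools)
#  - the four names below are placeholders for the real environment
Import-Module WebAdministration

$LbHostName     = 'appv-publish.example.com'            # placeholder: load-balanced name clients use
$ServiceAccount = 'EXAMPLE\svc-appv-pub'                # placeholder: application pool identity
$SiteName       = 'Microsoft App-V Publishing Service'  # placeholder: IIS site name
$PoolName       = 'AppVPublishing'                      # placeholder: application pool name
$Spn            = "HTTP/$LbHostName"

# --- Check: which account currently holds the SPN for the load-balanced name? ---
# setspn -Q prints the DN of the owning object followed by its SPNs, or "No such SPN found."
$query = setspn -Q $Spn
if ($query -match 'No such SPN found') {
    Write-Warning "$Spn is not registered; the KDC cannot issue a service ticket for it."
    # setspn -S checks for duplicates before adding, which is the safe way to register it.
    setspn -S $Spn $ServiceAccount
} else {
    $ownerDn = $query | Where-Object { $_ -match '^CN=' } | Select-Object -First 1
    $owner   = [ADSI]"LDAP://$ownerDn"
    if ($owner.objectClass -contains 'computer') {
        # This is the situation described in the post: the node's machine account answers for
        # the SPN, tickets are encrypted to its key, and the pool identity cannot decrypt them.
        Write-Warning "$Spn is held by a computer account ($ownerDn), not by $ServiceAccount."
    } else {
        Write-Host "$Spn is held by $ownerDn"
    }
}

# --- MSDN step 1: run the application pool under a common custom domain account ---
$cred = Get-Credential -UserName $ServiceAccount -Message 'Application pool identity'
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# --- MSDN step 2: keep kernel-mode authentication, but decrypt tickets with the pool identity ---
$filter = 'system.webServer/security/authentication/windowsAuthentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter $filter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter $filter -Name useKernelMode -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter $filter -Name useAppPoolCredentials -Value $true

# --- Verify: read the effective settings back for this site and pool ---
$effective = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $filter
[pscustomobject]@{
    Site                  = $SiteName
    PoolIdentity          = (Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel).userName
    useKernelMode         = $effective.useKernelMode
    useAppPoolCredentials = $effective.useAppPoolCredentials
}
```

Run the script on every node behind the virtual server: in a Layer 4 / DSR setup the client always requests a ticket for HTTP/<load-balanced name>, and whichever node receives the request must be able to decrypt it, which is only possible if every node's pool runs as the same domain account that holds that SPN. That is what the MSDN wording "common custom domain account" is pointing at, and it is also why the SPN must exist on exactly one account (setspn -S refuses to create a duplicate for that reason).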
So, Kerberos under IIS 7 and later has some nuances not present in IIS 6. I wonder how I did not encounter this before?