How to Configure an SPN for NLB Management Point Site Systems
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
When management point site systems are configured in network load balancing (NLB) clusters in mixed mode sites, running the Internet Information Services (IIS) Web site application pool for the site system Web site using the local system account of the site system computer does not allow clients to authenticate the site system using Kerberos authentication. When site systems are configured in an NLB cluster, a domain user account must be configured to run the relevant IIS Web site application pools for the site systems.
Configuring a Service Principal Name (SPN) for management point site systems configured in network load balancing clusters is not required for sites operating in native mode.
To use Kerberos as the authentication protocol, the application pool identity on the IIS application pool for the site system must be configured to use a domain user account and an SPN registered in Active Directory Domain Services for the account. The SetSPN utility can be used to register an SPN for the domain user account configured to run the IIS application pool for NLB site systems. The SetSPN utility must be run on a computer that resides in the site server's domain and it must be run using Domain Administrator credentials. To properly configure an SPN for site systems configured for network load balancing using the SetSPN utility, follow the steps in these procedures.
To use the SetSPN utility, or to open an ADSIEdit MMC console on the Microsoft Windows 2000 Server operating system and the Windows Server 2003 operating system, you must first install the Windows Server support tools. These tools are included in the support tools folder on both Windows 2000 Server and Windows Server 2003 CDs. To install the Windows Server support tools, navigate to \SUPPORT\TOOLS\ on the server's installation CD and run suptools.msi.
To manually create a domain user Service Principal Name (SPN) for the IIS application pool service account
1. Click Start, click Run, and then enter cmd in the Run dialog box.
2. From the command line, navigate to the Windows Server support tools installation directory. By default, these tools are located in C:\Program Files\Support Tools.
3. Enter a valid command to create the SPN. The command should be in the form: setspn -A HTTP/<NLB cluster name> <domain\username>
4. Verify that the command completed successfully by reviewing the command's output for the "Updated object" line.
To verify that the SPN is registered correctly using the ADSIEdit MMC console
1. Create or select a domain user account that will be used as the IIS service account.
2. Click Start, click Run, and enter adsiedit.msc to launch the ADSIEdit MMC console.
3. If necessary, connect to the site server's domain.
4. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, expand CN=Users, and right-click CN=<Service Account User>. On the context menu, click Properties.
5. In the CN=<Service Account User> Properties dialog box, review the servicePrincipalName value to ensure that a valid SPN has been created and associated with the correct NLB cluster name.
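The two procedures above (registering the SPN with setspn and checking the servicePrincipalName attribute) can be scripted on a domain-joined computer. The following PowerShell is an added example, not code from the original article; the cluster name sccmnlb.contoso.local and the account CONTOSO\svc_ccm_iis are assumed placeholders. It adds one check the manual steps do not mention: it searches the domain for any other account already holding the same SPN, because a duplicate SPN causes Kerberos authentication to fail rather than producing a clear setspn error. Run it with domain administrator credentials, as the procedure requires.

```powershell
# Added example; not part of the original article. Registers and verifies the
# HTTP SPN for the NLB cluster name on the IIS application pool account, after
# checking for a duplicate. The cluster name and account below are assumed values.
$ClusterName    = 'sccmnlb.contoso.local'     # assumed NLB cluster name
$ServiceAccount = 'CONTOSO\svc_ccm_iis'       # assumed domain\username
$Spn            = "HTTP/$ClusterName"
$SamAccountName = $ServiceAccount.Split('\')[-1]

# LDAP search against the logon domain; no AD PowerShell module is required.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.Filter = "(servicePrincipalName=$Spn)"
[void]$Searcher.PropertiesToLoad.Add('sAMAccountName')
$Holders = @($Searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

if ($Holders.Count -gt 1 -or ($Holders.Count -eq 1 -and $Holders[0] -ne $SamAccountName)) {
    # Two accounts with the same SPN leave the KDC unable to choose a key, so
    # clients cannot authenticate with Kerberos; resolve this before registering.
    throw "SPN $Spn is already registered on: $($Holders -join ', ')"
}

if ($Holders.Count -eq 0) {
    # Same command as the manual procedure: setspn -A HTTP/<cluster> <domain\user>
    & setspn -A $Spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
}

# Verify by reading servicePrincipalName directly from the account object,
# which is the attribute the ADSIEdit procedure inspects.
$Searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$Searcher.PropertiesToLoad.Add('servicePrincipalName')
$Account = $Searcher.FindOne()
if ($null -eq $Account) { throw "Account $SamAccountName was not found in the domain" }
$Registered = @($Account.Properties['serviceprincipalname'])

if ($Registered -contains $Spn) {
    Write-Host "OK: $Spn is registered on $SamAccountName"
} else {
    Write-Host "Missing: $Spn is not on $SamAccountName. Current SPNs: $($Registered -join ', ')"
}
```

The duplicate check runs before setspn -A because older setspn versions register a second copy of an SPN without complaint; the verification step then confirms the attribute on the account rather than trusting the command's console output alone.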
To configure Kerberos authentication for management points configured in a load balancing cluster
1. Add the domain user account that will be configured as the IIS application pool service account for the site system to the local Administrators group on each site system configured as part of the NLB cluster.
2. Add the domain user account that will be configured as the IIS application pool service account for the site system to the local IIS_WPG group on each site system configured as part of the NLB cluster.
3. Open Internet Information Services from the Administrative Tools Start menu programs group.
4. Expand Application Pools in IIS Manager.
5. Right-click CCM Windows Auth Server Framework Pool and click Properties.
6. Click the Identity tab.
7. In the Application pool identity option group, ensure that Configurable is selected and click Browse to select the domain user account created to act as the IIS service account. Enter the password for the account in the Password text box.
8. Click OK.
9. Re-enter the IIS service account password in the Confirm Password dialog box and click OK.
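Because these steps must be repeated on every node of the NLB cluster, they are worth scripting. The following PowerShell is an added example, not code from the original article; the account name CONTOSO\svc_ccm_iis is an assumed placeholder, while the pool name is the one named in the procedure. It uses the IIS 6.0 metabase ADSI provider (Windows Server 2003), where AppPoolIdentityType 3 corresponds to the Configurable option on the Identity tab, and it reads the password as a SecureString so it is never stored in the script.

```powershell
# Added example; not part of the original article. Applies the local group
# membership and IIS 6.0 application pool identity steps on one NLB node;
# run it on each node in the cluster. The account name is an assumed value.
$ServiceAccount = 'CONTOSO\svc_ccm_iis'                         # assumed
$PoolName       = 'CCM Windows Auth Server Framework Pool'      # from the procedure

# Steps 1 and 2: local group membership for the worker process identity.
foreach ($Group in 'Administrators', 'IIS_WPG') {
    & net localgroup $Group $ServiceAccount /add | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not add $ServiceAccount to $Group (already a member?)"
    }
}

# Steps 3 to 9: set the pool identity through the IIS 6.0 metabase.
# AppPoolIdentityType: 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 specific user.
$Password = Read-Host -Prompt "Password for $ServiceAccount" -AsSecureString
$Bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
try {
    $PlainText = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
    $Pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
    $Pool.Put('AppPoolIdentityType', 3)
    $Pool.Put('WAMUserName', $ServiceAccount)
    $Pool.Put('WAMUserPass', $PlainText)
    $Pool.SetInfo()
} finally {
    # Release the plaintext copy as soon as the metabase write is done.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
    $PlainText = $null
}

# Read the settings back from the metabase, then recycle the pool so the
# worker process restarts under the new identity.
$Pool.RefreshCache()
Write-Host ("Pool '{0}': identity type {1}, user {2}" -f $PoolName, $Pool.AppPoolIdentityType, $Pool.WAMUserName)
$Pool.Recycle()
```

After running this on each node, the first procedure's setspn -L check against the account (or the ADSIEdit verification) plus a client connection to the cluster name confirm that the pool identity and the registered SPN refer to the same account.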
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.