baladisoftware.net
 Thursday, February 18, 2010
The difference between HOST and HTTP service classes when registering a SPN

I have seen a bunch of articles and blog posts about how to register an SPN to get Kerberos to work for IIS web sites and WCF services (hosted in IIS or self-hosted). I have noticed that many of them are inaccurate when describing the service classes and mix up HOST and HTTP.

Here’s my take on the difference and on which one to use when Kerberos is combined with load balancing (NLB, Citrix NetScaler, F5 BigIP etc.):

Load balancing IIS where IE is the client

  • HOST service class is registered for the machine account (i.e. “Network Service”)
  • HTTP service class is an alias for the HOST service class (i.e. it’s also registered to the machine account)
  • Browsers such as IE use the HTTP service class for Windows authentication (SPNEGO to get Kerberos or NTLM). Note that it uses HTTP service class for both the HTTP and HTTPS protocols.
  • When load balancing the web servers, the browser connects to the VIP of the load balancer, which forwards the request to one IIS server where the application pool runs under a domain account (rather than the machine account, so that the same account can be used on all IIS nodes). Therefore we must register the HTTP service class for the VIP name to that domain account (not the HOST service class, as some articles claim).

Load balancing WCF services (hosted in IIS or “self-hosted”) on an application server and using WCF on the client side

WCF’s app.config file on the client side contains the expected identity of the server (i.e. servicePrincipalName="HOST/VIP-FQDN", servicePrincipalName="HTTP/VIP-FQDN" or even servicePrincipalName="DonaldDuck/VIP-FQDN"). Whatever the client specifies as the expected SPN must be registered in the domain (using the SetSpn tool) for the account that runs the service (the application pool identity when hosted in IIS, and the service account when hosted in a Windows Service).
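As an added example (not code from the original post), the SetSpn steps for both cases above: registering the HTTP service class for the VIP name on the domain account that runs the application pool or Windows Service, after checking that no other account already holds the same SPN. The VIP name web.contoso.local, the NetBIOS name web and the account CONTOSO\svc-webapp are assumed values; run it as a user allowed to write servicePrincipalName on that account.

```powershell
# Added example (not from the original post). Assumed values:
$VipFqdn  = 'web.contoso.local'   # FQDN that clients use to reach the VIP
$VipShort = 'web'                 # short name, in case clients use it
$Account  = 'CONTOSO\svc-webapp'  # app pool / Windows Service identity

# The HTTP class covers both http:// and https:// URLs, so no HTTPS/ SPN
# is needed. HOST is not used here: it belongs to the machine account.
$Spns = @("HTTP/$VipFqdn", "HTTP/$VipShort")

foreach ($spn in $Spns) {
    # setspn -Q reports every account that already holds this SPN. A
    # duplicate (for example left on one node's machine account) makes the
    # KDC refuse to issue a ticket and clients quietly fall back to NTLM,
    # so stop here instead of adding a second copy.
    $existing = setspn -Q $spn
    if ($existing -match 'Existing SPN found') {
        $details = $existing -join [Environment]::NewLine
        Write-Warning "$spn is already registered; fix the duplicate first:`n$details"
        continue
    }

    # -S adds the SPN only after a forest-wide duplicate check (prefer it
    # over -A, which adds blindly).
    setspn -S $spn $Account
}

# List what the account holds now. The WCF client must name one of these,
# e.g. <identity><servicePrincipalName value="HTTP/web.contoso.local" /></identity>
setspn -L $Account

# Optional sanity check for the whole forest: any duplicate SPNs left?
setspn -X
```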


Thursday, February 18, 2010 7:55:59 PM (GMT Standard Time, UTC+00:00)