FIM: Load balancing (NLB) Portal servers and DNS requirements.

    Question

  • Part of my FIM installation requirements is that the FIM portal will be installed on 2 servers and load balanced.

    I'm trying to find out whether there is an issue using a CNAME instead of an "A" record when creating a friendly URL name for FIM. Our consultant has stated that we need to have one friendly name like "myidentity" and one that belongs to the host (SPN requirement?).

    I question the suggestion that we create two "A" records for a single IP address, as long as there aren't two PTRs associated with the friendly name.

    My DNS team states that they can't do this. Any advice would be appreciated.

    Saturday, December 18, 2010 9:46 PM

Answers

  • Are you planning to use Windows NLB? or a hardware LB?
    Is the DNS Windows based? Like on a DC + AD Integrated?

    Kerberos authentication works better with A records in my opinion. The problem with CNAME records is that they resolve in another way. And this makes most Kerberos clients request a ticket not for the original record, but for the one that's defined in the CNAME.

    Like: myidentity -> servername -> Kerberos asks for "HTTP\servername" ticket
    Like: myidentity -> 192.168.1.1 -> Kerberos asks for "HTTP\myidentity" ticket

    So with a CNAME you have to understand very well on which accounts to register your SPNs.

    I myself don't see how creating an additional A record involves issues with a PTR record. Either this is registered by the client/server, or you leave the checkbox off when you create an A record yourself.

    If you are using Windows NLB, it might be easier to disable DNS registration altogether on the NLB'd network interface.

    Either way, there are several answers to your question...


    http://setspn.blogspot.com
    Sunday, December 19, 2010 9:09 AM
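The resolution behaviour the answer describes, as an added example that is not part of the thread: a small model of how a canonicalising Kerberos client derives the requested SPN from the name in the URL, for both the A-record (NLB virtual IP) and CNAME (alias to one node) cases, and a check of which account holds that SPN. The zone records, host names, IP addresses and account names are constructed for illustration.

```python
# Added example (not from the thread): models how a canonicalising Kerberos
# client derives the service principal name (SPN) from the name typed in the
# browser, for the A-record and CNAME cases described in the answer above.
# All zone data, hosts, addresses and accounts below are constructed.

# Constructed DNS zone: name -> (record type, target).
ZONE = {
    "myidentity": ("A", "192.0.2.10"),     # friendly name -> NLB virtual IP
    "fim-alias": ("CNAME", "fimnode1"),    # friendly name as an alias to one node
    "fimnode1": ("A", "192.0.2.11"),
    "fimnode2": ("A", "192.0.2.12"),
}

# Constructed SPN registrations: SPN -> AD account that holds it.
SPNS = {
    "HTTP/myidentity": "CONTOSO\\svc_fimportal",  # app-pool account used on both nodes
    "HTTP/fimnode1": "CONTOSO\\FIMNODE1$",        # host SPNs sit on machine accounts
    "HTTP/fimnode2": "CONTOSO\\FIMNODE2$",
}


def canonical_name(name, zone, max_hops=8):
    """Follow CNAME records the way a canonicalising client does and return
    the final name (the one that owns the A record). Raises on loops."""
    seen = set()
    current = name
    while current in zone and zone[current][0] == "CNAME":
        if current in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long starting at %r" % name)
        seen.add(current)
        current = zone[current][1]
    return current


def requested_spn(name, zone, service="HTTP", canonicalize=True):
    """SPN the client asks the KDC for. With canonicalisation an alias yields
    the SPN of the target host, not of the alias the user typed."""
    host = canonical_name(name, zone) if canonicalize else name
    return "%s/%s" % (service, host)


def check_spn(name, zone, spns, expected_account, canonicalize=True):
    """Return (spn, holding account or None, ok) so an admin can see whether
    the requested SPN lands on the account that actually runs the portal."""
    spn = requested_spn(name, zone, canonicalize=canonicalize)
    holder = spns.get(spn)
    return spn, holder, holder == expected_account


if __name__ == "__main__":
    for friendly in ("myidentity", "fim-alias"):
        spn, holder, ok = check_spn(friendly, ZONE, SPNS, "CONTOSO\\svc_fimportal")
        print(friendly, "->", spn, "held by", holder, "OK" if ok else "MISMATCH")
```

With the A record the client asks for HTTP/myidentity, which the shared service account holds, so either NLB node can decrypt the ticket; with the CNAME it asks for HTTP/fimnode1, which belongs to one node's machine account, so the SPN would have to be moved or duplicated before the second node could serve the request.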