Configuring Load Balancer for FIM portals

  • Question

  • Hello!

    In our scenario, we have a load balancer for FIM SSPR portals and FIM Service. We need to configure the load balancer for stickiness/persistency. I was wondering:

    1. How exactly the session is maintained between:
      - the client (IE) and the FIM SSPR Portal
      - the SSPR Portal and the FIM Service?
    2. What kind of affiliation we need to configure for those two load balanced URLs.

    Any suggestion will be highly appreciated.

    Thanks!
    John

    Tuesday, August 21, 2012 8:34 PM

Answers

  • I haven't seen the details of this documented, so some time with a sniffer might help answer those questions.

    BUT....

    One thing that you will need to do that's different than the instructions (which only work for a single server) is not to use the machine account in your SPN. If you try to register multiple SPNs for the same service with each machine account to your load balanced URL, you'll get duplicates. In this case you'll need to

    • Use the Application Pool identity in the SPN (i.e. Setspn -S HTTP/sspr.corp.local corp\svc_account )
    • Set 'UseAppPoolCredentials' in the windows authentication settings for the registration site. Reset site uses anonymous, so no need to make the same change there.

    Frank C. Drewes III - Architect - Oxford Computer Group

    Wednesday, August 22, 2012 4:03 AM
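
A check to run on each portal node behind the load balancer, confirming the SPN and IIS settings described in the answer above. This is an added example, not part of the original post: the SPN and account are the ones quoted in the answer, the IIS site name is a placeholder, and the directory query covers only the current domain.

```powershell
# Added example. $SiteName is a placeholder; set it to the IIS site that hosts
# the password registration portal on this node.
$Spn      = 'HTTP/sspr.corp.local'   # load-balanced name from the answer
$Account  = 'corp\svc_account'       # application pool identity from the answer
$SiteName = 'REGISTRATION-SITE-NAME' # placeholder

$expectedSam = $Account.Split('\')[-1]

# 1. Find every account in the current domain that holds the SPN.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'objectclass'))
$holders = @($searcher.FindAll())

if ($holders.Count -eq 0) {
    Write-Warning "$Spn is not registered on any account."
} elseif ($holders.Count -gt 1) {
    Write-Warning "Duplicate SPN: $Spn is registered on $($holders.Count) accounts."
}

foreach ($h in $holders) {
    $sam = [string]$h.Properties['samaccountname'][0]
    if ($h.Properties['objectclass'] -contains 'computer') {
        # The single-server instructions put the SPN on a machine account;
        # behind a load balancer it belongs on the shared service account.
        Write-Warning "$Spn is held by machine account $sam."
    } elseif ($sam -ne $expectedSam) {
        Write-Warning "$Spn is held by $sam, expected $expectedSam."
    } else {
        Write-Output "OK: $Spn is held by $sam."
    }
}

# 2. Confirm the site's application pool runs as that account and that
#    Windows authentication is set to use the pool credentials.
Import-Module WebAdministration
$poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$poolUser = (Get-Item "IIS:\AppPools\$poolName").processModel.userName
if ($poolUser -ne $Account) {
    Write-Warning "Application pool '$poolName' runs as '$poolUser', expected '$Account'."
}

$filter = 'system.webServer/security/authentication/windowsAuthentication'
$useAppPool = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $SiteName -Filter $filter -Name 'useAppPoolCredentials').Value
if (-not $useAppPool) {
    Write-Warning "useAppPoolCredentials is not enabled on '$SiteName'."
} else {
    Write-Output "OK: useAppPoolCredentials is enabled on '$SiteName'."
}
```

The account comparison is a plain string match, so `$Account` must be written the same way the application pool stores it.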

All replies

  • In addition to using an Alias to represent the portal, I would recommend using an Alias for the FIM Service instance the portal will be connecting to.  This means that workflows spawned by a single service are not orphaned if that server goes.  By specifying the alias, you avoid this issue and multiple FIMService nodes are eligible to process requests submitted through that FIMService instance name.

    ----- http://jeftek.com

    Wednesday, August 22, 2012 4:16 AM