Query - MIM Password Portals on HA along with Certificates (SSL)

  • Question

  • Hi,

    As part of our customer's requirement related to SSPR I have 2 queries,

    We have installed the MIM Password Registration and Password Reset Portals on 2 different servers with the intent of achieving load balancing (the customer has an F5). On both of these servers the hostnames are configured differently for Password Registration and Password Reset so that we are able to create SPNs. Otherwise, when we try to create the SPN on the 2nd server with the same hostname, it throws a "Duplicate SPN" error.

    (Query 1: Is there a way to configure the portals with the same hostnames on both servers and still be able to set SPNs? Meaning as below:

    Server 1 = Password Registration: passwordregistration.contoso.com

    Server 2 = Password Registration: passwordregistration.contoso.com

    Server 1 = Password Reset: passwordreset.contoso.com

    Server 2 = Password Reset: passwordreset.contoso.com)

    ----------------------------------------------------------------------------------------------------------------------------------------------

    Both of these portals will be internet facing, hence we suggested putting them on SSL.

    (Query 2: Now the thing is, should we let the F5 take care of generating the CSR and deploying the certificate, or should it be done at the IIS level on both servers? With the current deployment we might have to generate CSRs with 4 different Common Names. So will it be a problem when the F5 shifts the load from one server to another, because the end user might see a different name under "Issued To"?)

    Appreciate if someone can guide me on this. Thanks.


    Regards, Chandan



    • Edited by Chandan19 Wednesday, September 13, 2017 4:12 PM
    Wednesday, September 13, 2017 1:59 PM

Answers

  • You need to register the SPNs on the service accounts, not the actual servers. This way you'll only register the SPNs once per URL.

    It doesn't really matter whether you generate the CSR on the F5 or in IIS. If you're going to do SSL offloading on the F5, you'll potentially need to do a bit of extra configuration in IIS. I find this added complexity is often not worth it, so you might just want to leave the certificate on the IIS servers and load balance at Layer 4 (so port 443) rather than decrypting on the F5.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by Chandan19 Tuesday, September 19, 2017 5:32 PM
    Wednesday, September 13, 2017 5:44 PM
    Moderator
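An added check for the certificate half of this answer (example code, not from the thread or from Microsoft/F5). With Layer 4 pass-through on port 443 the browser sees whichever node's certificate the F5 happens to send it to, so the "different Issued To" problem disappears only if every node presents a certificate whose CN or Subject Alternative Name covers the shared portal hostname. The script below connects to each backend node directly (bypassing the load balancer), sends the shared hostname as the TLS SNI name, and reports the presented certificate's thumbprint and whether it covers that name. The node addresses 10.0.0.11 and 10.0.0.12 are assumed; the hostnames are the ones used in the question.

```powershell
# Added example, not part of the original thread. Verifies that each backend
# IIS node presents a certificate covering the shared SSPR hostnames.
# Assumed backend node addresses (replace with the real IIS server IPs):
$Nodes = @('10.0.0.11', '10.0.0.12')
$Hostnames = @('passwordregistration.contoso.com', 'passwordreset.contoso.com')

function Get-PresentedCertificate {
    param([string]$Address, [string]$SniHost, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        # Accept any chain during the handshake: the goal is to read the
        # certificate the node presents, not to trust it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($SniHost)   # SNI = the shared portal hostname
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-CertCoversName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    # Collect the CN plus every DNS entry of the Subject Alternative Name (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') -replace '^DNS Name=', ''
    }
    return ($names -contains $Name)
}

foreach ($h in $Hostnames) {
    $seen = @{}
    foreach ($n in $Nodes) {
        $cert = Get-PresentedCertificate -Address $n -SniHost $h
        $seen[$n] = $cert.Thumbprint
        $covers = Test-CertCoversName -Cert $cert -Name $h
        '{0,-14} {1,-36} CN={2,-36} covers={3,-5} thumbprint={4}' -f `
            $n, $h, $cert.GetNameInfo('DnsName', $false), $covers, $cert.Thumbprint
        if (-not $covers) {
            Write-Warning "$n presents a certificate that does not cover $h (this is what shows up as a different 'Issued To')"
        }
    }
    # Informational: the same certificate (one CSR, one SAN cert with both names)
    # installed on every node is the simplest way to guarantee a consistent view.
    if (@($seen.Values | Select-Object -Unique).Count -gt 1) {
        Write-Warning "$h : nodes present different certificates ($($seen.Values -join ', '))"
    }
}
```

Run it from a machine that can reach the IIS nodes on 443 without going through the F5. A warning for any node means the user can still land on a mismatched name after a failover, regardless of where the CSR was generated; a single SAN certificate listing both portal hostnames, imported into the certificate store and bound in IIS on both servers, is the configuration that makes every row come back as covers=True with the same thumbprint.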

All replies

  • The SPN is created for the Load Balancer name, not the hostnames.

    You have a DNS name, such as SSPR.Something.Com, that points to the IP address of the Load Balancer assigned to SSPR.

    The SPN is created for SSPR.Something.com.


    Nosh Mernacaj, Identity Management Specialist

    Wednesday, September 13, 2017 2:51 PM
  • Thanks Nosh and Brian. Appreciate your time.

    We have installed Password Registration Portal on a Server1 and later executed setspn -S HTTP/passwordregistration.contoso.com CONTOSO\SERVERNAME$ where SERVERNAME is name of Server1.

    I did check with F5 team and we decided that we will keep the same DNS name passwordregistration.contoso.com.

    (Query: Do I need to delete the above created SPN and recreate a new one? I am kind of new to this, so is it possible to give a few more details as to what needs to be done and how? I mean, what SPN command do I need to execute, and any other steps that we need to execute.)

    And any suggestions/guidance for Query 2 (Certificate).


    Regards, Chandan


    • Edited by Chandan19 Wednesday, September 13, 2017 6:04 PM
    Wednesday, September 13, 2017 6:01 PM
  • Hi Brian,

    When you say Service accounts do you mean the ApplicationPool accounts that we key in at the time of installation of Password Portals, correct? Or am I missing something.


    Regards, Chandan

    Wednesday, September 13, 2017 6:09 PM
  • > Hi Brian,
    >
    > When you say Service accounts do you mean the ApplicationPool accounts that we key in at the time of installation of Password Portals, correct? Or am I missing something.
    >
    > Regards, Chandan

    That's correct.

    Thanks,
    Brian

    Consulting | Blog | AD Book

    Wednesday, September 13, 2017 6:35 PM
    Moderator
  • Hi Brian,

    Can you please let me know the actual steps for registering the SPNs, and also whether there are any post-SPN configuration steps? Also, can you please let me know the syntax for setspn?

    I will unregister the existing SPN configured on the actual server names. After that, can you please let me know the steps that I need to run?

    Thanks for your time.


    Regards, Chandan

    Tuesday, September 19, 2017 9:20 AM
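An added worked example, written for this page rather than taken from the thread or from Microsoft, of the procedure the accepted answer describes and that the last two posts ask for: move each portal's HTTP SPN off the individual server computer accounts (where `setspn -S HTTP/passwordregistration.contoso.com CONTOSO\SERVERNAME$` put it) and onto the application pool service account, so that each shared URL is registered exactly once and the "Duplicate SPN" error never arises on the second server. The domain CONTOSO and the hostnames are from the thread; the service account names svc-sspr-reg and svc-sspr-reset and the computer names SERVER1 and SERVER2 are assumptions. The `setspn` switches used (-L list, -D delete, -S add with duplicate check, -Q query, -X find duplicates) are the tool's own.

```powershell
# Added example, not part of the original thread. Re-homes the SSPR portal
# SPNs from server computer accounts to the app pool service accounts.
# Run as an account allowed to write servicePrincipalName on these objects.
$Domain  = 'CONTOSO'
$Portals = @(
    @{ Url = 'passwordregistration.contoso.com'; Account = 'svc-sspr-reg'   }   # assumed account
    @{ Url = 'passwordreset.contoso.com';        Account = 'svc-sspr-reset' }   # assumed account
)
# Computer accounts the SPNs were originally registered on (assumed names).
$OldHosts = @('SERVER1', 'SERVER2')

foreach ($p in $Portals) {
    $spn = "HTTP/$($p.Url)"

    # 1. Remove the SPN from every computer account that currently carries it.
    #    Kerberos allows one owner per SPN; leaving it on a server account would
    #    make the KDC issue tickets for the wrong key.
    foreach ($h in $OldHosts) {
        $current = setspn -L "$Domain\$h`$" 2>$null
        if ($current -match [regex]::Escape($spn)) {
            Write-Host "Removing $spn from $h`$"
            setspn -D $spn "$Domain\$h`$" | Out-Null
        }
    }

    # 2. -S adds the SPN only if no other account in the forest already holds it.
    #    A 'Duplicate SPN found' message here means step 1 missed an owner.
    Write-Host "Registering $spn on $($p.Account)"
    setspn -S $spn "$Domain\$($p.Account)"

    # 3. Verify: -Q lists the owning object's DN (a line starting with CN=);
    #    there must be exactly one owner, and it must be the service account.
    $owners = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
    if ($owners.Count -ne 1 -or -not ($owners[0] -match [regex]::Escape($p.Account))) {
        Write-Warning "$spn is owned by: $($owners -join '; ') -- expected only $($p.Account)"
    } else {
        Write-Host "OK: $spn -> $($owners[0])"
    }
}

# 4. Forest-wide sweep; a clean result ends with 'found 0 group of duplicate SPNs'.
setspn -X
```

Two things to confirm on the IIS side afterwards, which the accepted answer's "register on the service account" advice relies on: the application pools for both portals must actually run as those service accounts on both servers, and if Windows Authentication on the site uses kernel-mode authentication, set useAppPoolCredentials to true so the ticket is decrypted with the pool account's key rather than the machine account's. Nothing in step 1 touches the HOST SPNs that every computer account carries by default; only the HTTP entries for the two portal names are moved.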