Remove From My Forums

Cannot connect to NLB by Name

Question
0

Sign in to vote

Good time to everyone!

We deployed two-nodes APP-V servers farm. We use Windows Server Network Load Balancin (WS2008R2). Two nodes of App-V Servers are virtual guests. When I try to connect to App-V farm by NLB FQDN (or NetBIOS) name there is an error

Unable to log into the Application Virtualization System

Invalid user name or password

Error code: 0000C801

The IIS log has the following error:

2011-06-22 09:55:35 1.1.1.1 POST /SoftGridManagement/Authorization.rem - 80 - 1.1.1.2 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+6.1.7601.65536;+MS+.NET+Remoting;+MS+.NET+CLR+2.0.50727.5446+) 401 1 3221225581 0

3221225581 error code means User logon has incorrect user name

When I connect by another way (with a node name, IP or nlb IP) the connection is fine. How can I resolve the issue with NLB name?

Wednesday, June 22, 2011 10:23 AM

Answers

1

Sign in to vote
Remember - The SOFTGRID SPNs are only needed for Refresh/Streaming. Connectivity to the Management Service (which is an ASP.NET application0 requires HTTP/SQL delegation (double-hop.)

Refer to this doc: http://support.microsoft.com/kb/929650 - and look at Scenario 3

Steve Thomas, SSEE, Microsoft
App-V/MED-V/SCVMM/SCCM/AppCompat
http://madvirtualizer.wordpress.com/
The App-V Team blog: http://blogs.technet.com/appv/
The MED-V Team Blog: http://blogs.technet.com/medv
The SCVMM Team blog: http://blogs.technet.com/scvmm/

“This posting is provided "AS IS" with no warranties, and confers no rights. User assumes all risks.”
- Marked as answer by Aaron.ParkerModerator Friday, November 16, 2012 11:16 PM
Friday, July 22, 2011 11:15 PM
0

Sign in to vote
Hello,

Well - as Aaron stated;

On the IIS server, run the following commands by using the SETSPN.EXE Resource Kit tool. The server fully qualified domain name (FQDN) must be used.

Setspn -r SOFTGRID/<Server FQDN>

Setspn -r HTTP/<Server FQDN>

It seems you have not performed this
/Znack
- Proposed as answer by znack Thursday, July 7, 2011 10:34 AM
- Marked as answer by Aaron.ParkerModerator Friday, November 16, 2012 11:16 PM
Thursday, June 30, 2011 1:28 PM

All replies

0

Sign in to vote

Have you configured delegation? http://technet.microsoft.com/en-us/library/ee675779.aspx

This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Wednesday, June 22, 2011 10:51 AM

Moderator
0

Sign in to vote

Thanks for the answer!

I forget to configure IIS for delegation. But it doesn't help. Even after reboot.

Wednesday, June 22, 2011 12:51 PM
0

Sign in to vote
I'm just brainstorming here, but this might be a Service Principal Name issue. Have you set this on both nodes of the WNLB.

For Kerberos authentication to work, Service Principal Names (SPNs) must be registered for IIS

When using IIS 6.0 or 7.0 for icon or OSD file retrieval and streaming of packages, for Kerberos authentication to be enabled, the SPNs must be registered as follows:

On the IIS server, run the following commands by using the SETSPN.EXE Resource Kit tool. The server fully qualified domain name (FQDN) must be used.

Setspn -r SOFTGRID/<Server FQDN>

Setspn -r HTTP/<Server FQDN>
See: http://technet.microsoft.com/en-us/library/cc817171.aspx
Thursday, June 23, 2011 7:57 AM
0

Sign in to vote

SPN are registered correctly. But the cluster name doesn't work

Friday, June 24, 2011 12:53 PM
0

Sign in to vote

Client also can not connect to nlb by name. The network monitor show

Rtsp: REQUEST, GET_PARAMETER rtsp://nlbname:554/

Rtsp: RESPONSE, RTSP/1.0, Status Code = 401 - Unauthorized

Saturday, June 25, 2011 3:39 PM
0

Sign in to vote

Hello,

See this for remote consoles;

http://blogs.technet.com/b/appv/archive/2009/04/21/app-v-4-5-remote-console-configuration-guide.aspx
/Znack

Sunday, June 26, 2011 8:51 PM

I used this article many times. All worked fine except this project.

SPNs are the following:

setspn -L appv1

SoftGrid/appv1
SoftGrid/appv1.domain.local
TERMSRV/appv1
TERMSRV/appv1.domain.local
WSMAN/appv1
WSMAN/appv1.domain.local
RestrictedKrbHost/appv1
HOST/appv1
RestrictedKrbHost/appv1.domain.local
HOST/appv1.domain.local

setspn -L appv2

SoftGrid/appv2
SoftGrid/appv2.domain.local
TERMSRV/appv2
TERMSRV/appv2.domain.local
WSMAN/appv2
WSMAN/appv2.domain.local
RestrictedKrbHost/appv2
HOST/appv2
RestrictedKrbHost/appv2.domain.local
HOST/appv2.domain.local

setspn -L sql1

MSSQLSvc/sql1:1433
MSSQLSvc/sql1.domain.local:1433
MSSQLSvc/sql1.domain.local
TERMSRV/sql1
TERMSRV/sql1.domain.local
WSMAN/sql1
WSMAN/sql1.domain.local
RestrictedKrbHost/sql1
HOST/sql1
RestrictedKrbHost/sql1.domain.local
HOST/sql1.domain.local

Wednesday, June 29, 2011 8:01 AM

0

Sign in to vote
Hello,

Well - as Aaron stated;

On the IIS server, run the following commands by using the SETSPN.EXE Resource Kit tool. The server fully qualified domain name (FQDN) must be used.

Setspn -r SOFTGRID/<Server FQDN>

Setspn -r HTTP/<Server FQDN>

It seems you have not performed this
/Znack
- Proposed as answer by znack Thursday, July 7, 2011 10:34 AM
- Marked as answer by Aaron.ParkerModerator Friday, November 16, 2012 11:16 PM
Thursday, June 30, 2011 1:28 PM
0

Sign in to vote

Hi egoncharov,

Did you resolve with success the access problem by name?

I'm in the same situation....I can access to the NLB resources in my two AppV server nodes, only by IP, but when i attempt to access by name, something like this \\NLBFQDN\contentshare, i get this error "

"You were not connected because a duplicate name exist on the network.Go to System in Control Panel to change the computer name and try again"

Any idea?

Thanks.

Tuesday, July 12, 2011 8:02 AM
0

Sign in to vote

Hello,

I suggest you create your own thread as your problem and error description does not match the original posters
/Znack

Tuesday, July 12, 2011 10:27 AM
0

Sign in to vote

Setspn -r SOFTGRID/<Server FQDN>

Setspn -r HTTP/<Server FQDN>

have the following error

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Could not find account <Server FQDN>

Monday, July 18, 2011 1:57 PM
0

Sign in to vote

Hello,

As your issue is different - I suggest you create your own thread
/Znack

Monday, July 18, 2011 1:59 PM
0

Sign in to vote

It is not different. I still can not connect to nlb by app-v cluster name

Tuesday, July 19, 2011 12:46 PM
0

Sign in to vote

Hello,

You can probably not do that because you have not completed all the steps required todo so. You posted a problem with one of your specific steps, one which the original poster does not have.

Your error is because you have an incomplete setup - which the original poster has not claimed to have.
/Znack

Wednesday, July 20, 2011 7:27 AM
0

Sign in to vote

I try to found where I miss a step to complete setup. With your help...

Wednesday, July 20, 2011 7:37 AM
1

Sign in to vote
Remember - The SOFTGRID SPNs are only needed for Refresh/Streaming. Connectivity to the Management Service (which is an ASP.NET application0 requires HTTP/SQL delegation (double-hop.)

Refer to this doc: http://support.microsoft.com/kb/929650 - and look at Scenario 3

Steve Thomas, SSEE, Microsoft
App-V/MED-V/SCVMM/SCCM/AppCompat
http://madvirtualizer.wordpress.com/
The App-V Team blog: http://blogs.technet.com/appv/
The MED-V Team Blog: http://blogs.technet.com/medv
The SCVMM Team blog: http://blogs.technet.com/scvmm/

“This posting is provided "AS IS" with no warranties, and confers no rights. User assumes all risks.”
- Marked as answer by Aaron.ParkerModerator Friday, November 16, 2012 11:16 PM
Friday, July 22, 2011 11:15 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Cannot connect to NLB by Name

Question

Answers

All replies

For Kerberos authentication to work, Service Principal Names (SPNs) must be registered for IIS