locked
Cannot connect to NLB by Name RRS feed

  • Question

  • Good time to everyone!

    We deployed two-nodes APP-V servers farm. We use Windows Server Network Load Balancin (WS2008R2). Two nodes of App-V Servers are virtual guests. When I try to connect to App-V farm by NLB FQDN (or NetBIOS) name there is an error

    Unable to log into the Application Virtualization System

    Invalid user name or password

    Error code: 0000C801

    The IIS log has the following error:

    2011-06-22 09:55:35 1.1.1.1 POST /SoftGridManagement/Authorization.rem - 80 - 1.1.1.2 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+6.1.7601.65536;+MS+.NET+Remoting;+MS+.NET+CLR+2.0.50727.5446+) 401 1 3221225581 0

    3221225581 error code means User logon has incorrect user name

    When I connect by another way (with a node name, IP or nlb IP) the connection is fine. How can I resolve the issue with NLB name?

    Wednesday, June 22, 2011 10:23 AM

Answers

  • Remember - The SOFTGRID SPNs are only needed for Refresh/Streaming. Connectivity to the Management Service (which is an ASP.NET application0 requires HTTP/SQL delegation (double-hop.)

    Refer to this doc: http://support.microsoft.com/kb/929650 - and look at Scenario 3

     

     


    Steve Thomas, SSEE, Microsoft
    App-V/MED-V/SCVMM/SCCM/AppCompat
    http://madvirtualizer.wordpress.com/
    The App-V Team blog: http://blogs.technet.com/appv/
    The MED-V Team Blog: http://blogs.technet.com/medv
    The SCVMM Team blog: http://blogs.technet.com/scvmm/

    “This posting is provided "AS IS" with no warranties, and confers no rights. User assumes all risks.”
    Friday, July 22, 2011 11:15 PM
  • Hello,

    Well - as Aaron stated;

    On the IIS server, run the following commands by using the SETSPN.EXE Resource Kit tool. The server fully qualified domain name (FQDN) must be used.

    Setspn -r SOFTGRID/<Server FQDN>

    Setspn -r HTTP/<Server FQDN>

    It seems you have not performed this


    /Znack
    • Proposed as answer by znack Thursday, July 7, 2011 10:34 AM
    • Marked as answer by Aaron.ParkerModerator Friday, November 16, 2012 11:16 PM
    Thursday, June 30, 2011 1:28 PM

All replies

  • Have you configured delegation? http://technet.microsoft.com/en-us/library/ee675779.aspx

    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
    Wednesday, June 22, 2011 10:51 AM
    Moderator
  • Thanks for the answer!

    I forget to configure IIS for delegation. But it doesn't help. Even after reboot.

    Wednesday, June 22, 2011 12:51 PM
  • I'm just brainstorming here, but this might be a Service Principal Name issue. Have you set this on both nodes of the WNLB.

     

    For Kerberos authentication to work, Service Principal Names (SPNs) must be registered for IIS

    When using IIS 6.0 or 7.0 for icon or OSD file retrieval and streaming of packages, for Kerberos authentication to be enabled, the SPNs must be registered as follows:

    • On the IIS server, run the following commands by using the SETSPN.EXE Resource Kit tool. The server fully qualified domain name (FQDN) must be used.

      Setspn -r SOFTGRID/<Server FQDN>

      Setspn -r HTTP/<Server FQDN>
    See: http://technet.microsoft.com/en-us/library/cc817171.aspx

     

     

    Thursday, June 23, 2011 7:57 AM
  • SPN are registered correctly. But the cluster name doesn't work
    Friday, June 24, 2011 12:53 PM
  • Client also can not connect to nlb by name. The network monitor show

    Rtsp: REQUEST, GET_PARAMETER rtsp://nlbname:554/

    Rtsp: RESPONSE, RTSP/1.0, Status Code = 401 - Unauthorized

    Saturday, June 25, 2011 3:39 PM
  • I used this article many times. All worked fine except this project.

    SPNs are the following:

    setspn -L appv1
    
    SoftGrid/appv1
    SoftGrid/appv1.domain.local
    TERMSRV/appv1
    TERMSRV/appv1.domain.local
    WSMAN/appv1
    WSMAN/appv1.domain.local
    RestrictedKrbHost/appv1
    HOST/appv1
    RestrictedKrbHost/appv1.domain.local
    HOST/appv1.domain.local
    
    setspn -L appv2
    
    SoftGrid/appv2
    SoftGrid/appv2.domain.local
    TERMSRV/appv2
    TERMSRV/appv2.domain.local
    WSMAN/appv2
    WSMAN/appv2.domain.local
    RestrictedKrbHost/appv2
    HOST/appv2
    RestrictedKrbHost/appv2.domain.local
    HOST/appv2.domain.local
    
    setspn -L sql1
    
    MSSQLSvc/sql1:1433
    MSSQLSvc/sql1.domain.local:1433
    MSSQLSvc/sql1.domain.local
    TERMSRV/sql1
    TERMSRV/sql1.domain.local
    WSMAN/sql1
    WSMAN/sql1.domain.local
    RestrictedKrbHost/sql1
    HOST/sql1
    RestrictedKrbHost/sql1.domain.local
    HOST/sql1.domain.local
    
    Wednesday, June 29, 2011 8:01 AM
  • Hello,

    Well - as Aaron stated;

    On the IIS server, run the following commands by using the SETSPN.EXE Resource Kit tool. The server fully qualified domain name (FQDN) must be used.

    Setspn -r SOFTGRID/<Server FQDN>

    Setspn -r HTTP/<Server FQDN>

    It seems you have not performed this


    /Znack
    • Proposed as answer by znack Thursday, July 7, 2011 10:34 AM
    • Marked as answer by Aaron.ParkerModerator Friday, November 16, 2012 11:16 PM
    Thursday, June 30, 2011 1:28 PM
  • Hi egoncharov,

    Did you resolve with success the access problem by name?

    I'm in the same situation....I can access to the NLB resources in my two AppV server nodes, only by IP, but when i attempt to access by name, something like this \\NLBFQDN\contentshare, i get this error "


    "You were not connected because a duplicate name exist on the network.Go to System in Control Panel to change the computer name and try again"

    Any idea?

    Thanks.
    Tuesday, July 12, 2011 8:02 AM
  • Hello,

    I suggest you create your own thread as your problem and error description does not match the original posters
    /Znack
    Tuesday, July 12, 2011 10:27 AM
  • Setspn -r SOFTGRID/<Server FQDN>

    Setspn -r HTTP/<Server FQDN>

    have the following error

     FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
    Could not find account <Server FQDN>

    Monday, July 18, 2011 1:57 PM
  • Hello,

    As your issue is different - I suggest you create your own thread
    /Znack
    Monday, July 18, 2011 1:59 PM
  • It is not different. I still can not connect to nlb by app-v cluster name
    Tuesday, July 19, 2011 12:46 PM
  • Hello,

    You can probably not do that because you have not completed all the steps required todo so. You posted a problem with one of your specific steps, one which the original poster does not have.

    Your error is because you have an incomplete setup - which the original poster has not claimed to have.
    /Znack
    Wednesday, July 20, 2011 7:27 AM
  • I try to found where I miss a step to complete setup. With your help...
    Wednesday, July 20, 2011 7:37 AM
  • Remember - The SOFTGRID SPNs are only needed for Refresh/Streaming. Connectivity to the Management Service (which is an ASP.NET application0 requires HTTP/SQL delegation (double-hop.)

    Refer to this doc: http://support.microsoft.com/kb/929650 - and look at Scenario 3

     

     


    Steve Thomas, SSEE, Microsoft
    App-V/MED-V/SCVMM/SCCM/AppCompat
    http://madvirtualizer.wordpress.com/
    The App-V Team blog: http://blogs.technet.com/appv/
    The MED-V Team Blog: http://blogs.technet.com/medv
    The SCVMM Team blog: http://blogs.technet.com/scvmm/

    “This posting is provided "AS IS" with no warranties, and confers no rights. User assumes all risks.”
    Friday, July 22, 2011 11:15 PM