How do I configure IWA Direct in a load balancing/failover scenario?

Solutions ID:    KB4808
Version:    1.0
Status:    Published
Published date:    12/12/2011

Problem Description

In a standard IWA Direct Kerberos deployment, the Kerberos service principal name (SPN) of the appliance is the appliance’s own Active Directory machine account name. However, in a load balancing configuration, multiple ProxySGs must be able to decrypt the service tickets from the clients. For this reason, all ProxySGs in a load balancing group must share the same SPN. This will not work if each appliance uses its own machine account to process Kerberos authentication requests. In this case, you must create a new Active Directory account and use it to create a SPN that can be used by all appliances in the group.


To deploy Kerberos in this configuration you must:
  1. Set up a load balancing device in front of your appliances and designate a virtual IP address to use for all explicit proxy request. The load balancing device will then forward the requests to the ProxySGs in the group based on the load balancing rules you have defined.
  2. Create a DNS entry for the device that resolves to this IP address. Note that the DNS name that you use must not map to an existing machine account name in Active Directory or the ProxySG appliance will not be able to authenticate Kerberos service tickets and authentication will fail.
  3. Create an Active Directory account for the Kerberos load balancing user. This account does not need any special privileges. You will create the SPN using this account and the ProxySG appliances will use the account credentials to decrypt the service tickets from clients.
  4. Use the Active Directory account you just created to create an SPN for the for the load balancing group as follows:
    1. Open a command prompt as administrator on the Domain Controller.
    2. Enter the following command:

      setspn –A HTTP/<Load_Balancer_FQDN> <AD_Account_Name>

      where <Load_Balancer_FQDN> is the fully qualified domain name (FQDN) of the load balancing device and <AD_Account_Name> is the name of the Active Directory user you created for the load balancing group. Note that this command is case-sensitive.

      For example, if the FQDN of the load balancing device is and the Active Directory account name you created is KerberosLBUser, you would enter the following command:

      setspn –A HTTP/ KerberosLBUser

      Do not assign the same SPN to multiple Active Directory accounts or the browser will fall back to NTLM without providing any warning or explanation. To list all SPNs that are currently registered on an account, use the setspn -L <AD Account Name> command. If you find a duplicate, remove the extraneous SPN using the setspn -D <SPN> command.
  5. On each ProxySG, create an IWA Direct realm (see KB4799 for details). When configuring the realm on each appliance, you must provide the credentials for the AD Kerberos load balancing user you created. On the IWA Servers tab click Set credentials, enter the AD account User name and Password, and then click OK.  

  6. Configure the client browser explicit proxy settings to point to the FQDN of the load balancing device. 

Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.

Your response will be used to improve our document content.

Ask a Question