How do I configure IWA Direct in a load balancing/failover scenario?
In a standard IWA Direct Kerberos deployment, the Kerberos service principal name (SPN) of the appliance is the appliance’s own Active Directory machine account name. However, in a load balancing configuration, multiple ProxySGs must be able to decrypt the service tickets from the clients. For this reason, all ProxySGs in a load balancing group must share the same SPN. This will not work if each appliance uses its own machine account to process Kerberos authentication requests. In this case, you must create a new Active Directory account and use it to create a SPN that can be used by all appliances in the group.
To deploy Kerberos in this configuration you must:
Rate this Page
Please take a moment to complete this form to help us better serve you.