Guest Reeves
Posted April 15, 2009

Is it possible to set up a Linux NLB with Windows 2003 Architecture?

I have a SQL Server Reporting Services (Two Servers) with a Zeus (Software Vendor: http://www.zeus.com/) NLB running on Linux (Suse 9) providing load balancing.

I have Kerberos set up and working when I connect directly to the SQL Server Reporting Services machines to both Analysis Services and the Relational Engine. (Different machines) Now I am trying to add a NLB (Non-Microsoft) and wonder if it is even possible.

Saw a blog stating that I have to set the SPNs for the Load Balancer, but not sure how?

SETSPN -A http/<NetBIOS name of NLB> <Domain User Account>
SETSPN -A http/<FQDN of NLB> <Domain User Account>

Seeing as both NetBIOS name of NLB, and Domain User Account do not exist on the Unix NLB.

Thanks
Reeves
Guest S. Pidgorny
Posted April 19, 2009

Please elaborate? Are you trying to connect to resources via the Linux-based load balancer? If so, you'll need to configure SPN for FQDN pointing to the virtual IP - same technique for all types of load balancers:

http://support.microsoft.com/kb/215383

Troubleshooting (general):

http://support.microsoft.com/kb/326985

--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

Reeves wrote:
> Is it possible to set up a Linux NLB with Windows 2003 Architecture?
>
> I have a SQL Server Reporting Services (Two Servers) with a Zeus (Software
> Vendor: http://www.zeus.com/) NLB running on Linux (Suse 9) providing load
> balancing.
>
> I have Kerberos set up and working when I connect directly to the SQL Server
> Reporting Services machines to both Analysis Services and the Relational
> Engine. (Different machines) Now I am trying to add a NLB (Non-Microsoft) and
> wonder if it is even possible.
> Saw a blog stating that I have to set the SPNs for the Load Balancer, but
> not sure how?
>
> SETSPN -A http/<NetBIOS name of NLB> <Domain User Account>
> SETSPN -A http/<FQDN of NLB> <Domain User Account>
>
> Seeing as both NetBIOS name of NLB, and Domain User Account do not exist on
> the Unix NLB.
>
> Thanks
> Reeves
Guest Reeves
Posted April 20, 2009

Svyatoslav,

Thanks for the response. I will try to add more details below, but first let me add a summary.

Summary: Need to understand how to set up Kerberos to work with a Unix based Network Load Balancer. I have already set up Kerberos to work with a Non-NLB setup, so I understand Kerberos in a single realm, just need help working with more than one realm.

Details: I'm doing this in multiple steps, starting easy and adding more complexity.

Scenario 1: 3 Machines with configured Kerberos constrained delegation.
1) SQL Server Reporting Services (MachineSSRS1)
2) SQL Server Analysis Services (MachineSSAS1)
3) SQL Server Relational Engine (MachineSSDS1)

Client connects to MachineSSRS1 and runs reports that access data on both MachineSSAS1 and MachineSSDS1 through Kerberos constrained delegation. (Works great, configured accounts, created SPNs and configured constrained delegation)

Scenario 2: 4 Machines and a NLB with configured Kerberos constrained delegation.
1) Zeus Network Load Balancer
2) SQL Server Reporting Services (MachineSSRS1, MachineSSRS2)
3) SQL Server Analysis Services (MachineSSAS1)
4) SQL Server Relational Engine (MachineSSDS1)

Client connects to Network Load Balancer that then redirects to MachineSSRS1 or MachineSSRS2 that runs reports that access data on both MachineSSAS1 and MachineSSDS1 through Kerberos constrained delegation.

Here is where I'm stuck with trying to create an SPN for the Network Load Balancer, seeing as it is not a Windows based system. I have read that I might need to create keytab entries for the UNIX host and services in the Active Directory. (This is the step I do not understand, as I am a SQL Server development guy and not an infrastructure guy)

If I can get this figured I want to move to the last scenario.

Scenario 3: 5 Machines and 2 NLB with configured Kerberos constrained delegation.

I could just have each SSRS server match up with an SSAS machine and drop the extra NLB. That is a small issue but would like to see it work as I will also have clients directly hitting the cube from Excel and ProClarity Web Professional.
1) Zeus Network Load Balancer for Reporting Services
2) SQL Server Reporting Services (MachineSSRS1, MachineSSRS2)
3) Zeus Network Load Balancer for Analysis Services
4) SQL Server Analysis Services (MachineSSAS1, MachineSSAS2)
5) SQL Server Relational Engine (MachineSSDS1)

Thanks,
Reeves

"S. Pidgorny" wrote:
> Please elaborate? Are you trying to connect to resources via the
> Linux-based load balancer? If so, you'll need to configure SPN for FQDN
> pointing to the virtual IP - same technique for all types of load balancers:
>
> http://support.microsoft.com/kb/215383
>
> Troubleshooting (general):
>
> http://support.microsoft.com/kb/326985
>
> --
> Svyatoslav Pidgorny, MCSE, RHCE
> -= F1 is the key =-
>
> http://sl.mvps.org http://msmvps.com/blogs/sp
>
> Reeves wrote:
> > Is it possible to set up a Linux NLB with Windows 2003 Architecture?
> >
> > I have a SQL Server Reporting Services (Two Servers) with a Zeus (Software
> > Vendor: http://www.zeus.com/) NLB running on Linux (Suse 9) providing load
> > balancing.
> >
> > I have Kerberos set up and working when I connect directly to the SQL Server
> > Reporting Services machines to both Analysis Services and the Relational
> > Engine. (Different machines) Now I am trying to add a NLB (Non-Microsoft) and
> > wonder if it is even possible.
> > Saw a blog stating that I have to set the SPNs for the Load Balancer, but
> > not sure how?
> >
> > SETSPN -A http/<NetBIOS name of NLB> <Domain User Account>
> > SETSPN -A http/<FQDN of NLB> <Domain User Account>
> >
> > Seeing as both NetBIOS name of NLB, and Domain User Account do not exist on
> > the Unix NLB.
> >
> > Thanks
> > Reeves
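Added example, not part of any post in this thread: a check over `setspn -L` output that the http SPNs for the load-balanced name are registered exactly once, on the account expected to hold them. It assumes both Reporting Services nodes run under one domain service account, because a ticket requested for the virtual name is encrypted to whichever account owns that SPN; the account, host and domain names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: concatenated `setspn -L <account>` output for three
# accounts. Every account, host and domain name here is a placeholder.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc-ssrs,OU=Service,DC=example,DC=com:
\thttp/reports.example.com
\thttp/REPORTS
Registered ServicePrincipalNames for CN=MACHINESSRS1,CN=Computers,DC=example,DC=com:
\tHOST/MACHINESSRS1
\tHOST/machinessrs1.example.com
Registered ServicePrincipalNames for CN=MACHINESSRS2,CN=Computers,DC=example,DC=com:
\tHOST/MACHINESSRS2
\thttp/reports.example.com
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (CN=[^,]+),.*:\s*$")

def parse_setspn(text):
    """Map each lower-cased SPN to the set of account CNs that hold it."""
    owners, account = defaultdict(set), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            account = m.group(1)[3:]          # drop the leading "CN="
        elif line.strip() and account:
            owners[line.strip().lower()].add(account)
    return owners

def check_virtual_name(text, fqdn, netbios, service_account):
    """Return a list of problems with the http SPNs for the load-balanced name."""
    owners, problems = parse_setspn(text), []
    for name in (netbios, fqdn):
        spn = f"http/{name}".lower()          # SPN matching is case-insensitive
        held_by = owners.get(spn, set())
        if not held_by:
            problems.append(f"{spn}: not registered")
        elif held_by != {service_account}:
            extra = sorted(held_by - {service_account})
            kind = "duplicate on" if service_account in held_by else "registered to"
            problems.append(f"{spn}: {kind} {', '.join(extra)}")
    return problems

if __name__ == "__main__":
    for p in check_virtual_name(SAMPLE, "reports.example.com", "REPORTS", "svc-ssrs"):
        print(p)
```

A duplicate registration, as in the constructed sample, is worth catching early: the KDC cannot resolve an SPN held by two accounts, and authentication for that name fails.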