

Questions and Answers


Hi-
We are load balancing SQL Reporting Services with the F5 BigIP v10.1. When MS clients connect directly to any one of the backend servers all is working fine. When we go through the F5 VIP to the load balanced farm we are getting asked for the Windows credentials for logging in. What do we need to do on the F5 system in order to get this working?
Thanks
-Steve

5 Answer(s):

Are you using NTLM authentication? Have you tried using an NTLM profile on the virtual server?

SOL10477: Optimizing NTLM traffic in BIG-IP version 10.x
http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10477.html

Aaron
Hi-
No, I believe it is Windows Integrated Authentication using Kerberos. We have 2 SQL report server nodes in a load balanced pool and are using SNAT Automap on the VIP. Still not able to get the credentials to pass through the F5.
Thanks.
-Steve
Sorry for the late reply, just noticed this.

When you call the servers directly, I'm assuming you use the hostname of the servers to access the SRS site on each specific node. Do you have a hostname that you use to call the SRS site via the F5 VIP? If so: 1) do the web servers know they should respond to that hostname via a host-header mapping in IIS, and 2) have you configured your Kerberos SPNs correctly within AD?
Thanks Joel. Yes, we are using the hostname of the servers to access the SRS site on each specific node, and that works when a client goes directly to the server. Yes, we have an F5 VIP that clients can use to call the SRS site, but that does not work. We did not do a setspn for the F5 VIP. Do we need to? Also, the web servers are not running IIS. The SRS servers are running SRS server 2008 and we are using the embedded web server (I think it is the default web server). The reports on the server can only be accessed via Windows Integrated Authentication (Kerberos). I suppose the next step is to try to do a setspn for the F5 VIP. What do you think? Thanks.
-Steve
I would try that, yes. There has to be an SPN in Active Directory for your sitename and the user account the process runs under for the HTTP protocol for Windows Integrated Auth to do Kerberos successfully. There's a bit more information here:

http://msdn.microsoft.com/en-us/library/cc281253.aspx

Specifically, check the section on "Resolving Kerberos Authentication Errors" near the bottom. You'll end up running:

setspn.exe -a http/f5srs.hostname.com domain\account-srs-runs-under

Do not specify "port" in the setspn command; IE 8 hates that lots.
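
Added example, not part of the thread or any poster's reply: a PowerShell check-then-register sequence for the VIP SPN discussed above, using the thread's placeholder hostname and account. It assumes every pool member runs the Report Server service under that same domain account, because the Kerberos service ticket is encrypted with the key of the account that holds the SPN.

```powershell
# Added example. Run from an elevated prompt with rights to write
# servicePrincipalName on the service account.
# Placeholder values taken from the thread; substitute your own.
$VipHost = 'f5srs.hostname.com'               # name clients use to reach the VIP
$Account = 'domain\account-srs-runs-under'    # account the SRS service runs under
$Spn     = "http/$VipHost"                    # no port, as advised in the thread

# 1. Show whether the SPN is already registered and, if so, on which object.
#    An SPN held by a different account (for example a computer account)
#    makes the KDC issue tickets the SRS service cannot decrypt.
& setspn.exe -Q $Spn

# 2. Report duplicate SPNs in the domain. Duplicates make Kerberos fail and
#    the client fall back to a credential prompt, the symptom in the question.
& setspn.exe -X

# 3. Register the SPN. -S checks for an existing duplicate before adding,
#    unlike -A, which adds unconditionally.
& setspn.exe -S $Spn $Account

# 4. Confirm the SPN is now listed on the service account.
$registered = & setspn.exe -L $Account
if (-not ($registered -match [regex]::Escape($Spn))) {
    throw "SPN $Spn is not registered on $Account"
}
Write-Host "SPN $Spn is registered on $Account"

# 5. On a client workstation: drop cached tickets, then request a service
#    ticket for the VIP name to confirm the KDC can resolve the SPN.
& klist.exe purge
& klist.exe get $Spn
```

If step 5 returns a ticket for `http/f5srs.hostname.com` but the browser still prompts, the remaining causes are on the client or server side (for example the VIP hostname not being in the browser's intranet zone), not in the SPN registration.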
