Aaron_Halbert / daryl75
If you need to run multiple applications on the same set of web servers, and they each have their own application pool running under separate application pool accounts, then you should have individual DNS names for each of your apps.
So, typically I will have customers who want to run ca.contoso.com/certsrv (CA Web Enrollment pages), ca.contoso.com/CEP and/or CES (CEP and CES web pages), and possibly even ca.contoso.com/certsrv/mscep_admin (NDES). Users of each of these web services must authenticate with Kerberos authentication. I tell the customer to use DNS names for each of the services, like:
certenroll.contoso.com
cepces.contoso.com
ndes.contoso.com
This way you can have a Service Principal Name for each application / application pool account. Just remember: bad things happen when you use CNAME records in DNS for things that use WinINET APIs.
https://support.microsoft.com/en-us/topic/authentication-fails-when-you-visit-a-website-in-internet-explorer-11-through-a-proxy-server-d3e72cea-a35f-5e86-508d-dee2f6e56ce9
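The layout described in the post above, as an added PowerShell example that is not part of the original post: one A-record host name, one application pool, one pool account and one HTTP/ SPN per service, with a check that the host name is not a CNAME. The domain CONTOSO, the service account names (svc_certenroll, svc_cepces, svc_ndes), the pool names and the physical paths are assumptions; the three host names are the ones from the post. It assumes the accounts already exist, that the script runs with rights to write SPNs, and that the HTTPS certificate binding is done separately.

```powershell
# Added example: one site + app pool + SPN per service name (not from the original post).
# Assumed: domain CONTOSO, service accounts already created, run elevated on the web server
# by someone who can write servicePrincipalName on those accounts.
Import-Module WebAdministration

$services = @(
    @{ Host = 'certenroll.contoso.com'; Pool = 'CertEnrollPool'; Account = 'CONTOSO\svc_certenroll' },
    @{ Host = 'cepces.contoso.com';     Pool = 'CepCesPool';     Account = 'CONTOSO\svc_cepces'     },
    @{ Host = 'ndes.contoso.com';       Pool = 'NdesPool';       Account = 'CONTOSO\svc_ndes'       }
)

foreach ($svc in $services) {
    # Caveat from the post: each name must be an A record, not a CNAME. A Kerberos client that
    # canonicalises the name would ask for HTTP/<target of the CNAME>, which this pool account
    # does not hold, and authentication falls back or fails.
    $answers = Resolve-DnsName -Name $svc.Host -Type A -ErrorAction Stop
    $cname   = $answers | Where-Object { $_.Type -eq 'CNAME' }
    if ($cname) {
        throw "$($svc.Host) is a CNAME to $($cname.NameHost); register it as an A record instead"
    }

    # One SPN per host name, on the account that runs this pool. setspn -S refuses to create
    # a duplicate SPN, which is the failure mode you want to catch here rather than at logon.
    setspn -S "HTTP/$($svc.Host)" $svc.Account
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for HTTP/$($svc.Host) on $($svc.Account)" }

    # Application pool running as that domain account.
    $cred = Get-Credential -UserName $svc.Account -Message "Password for $($svc.Account)"
    if (-not (Test-Path "IIS:\AppPools\$($svc.Pool)")) { New-WebAppPool -Name $svc.Pool | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$($svc.Pool)" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $svc.Account
        password     = $cred.GetNetworkCredential().Password
    }

    # Separate site per host header so each service answers only on its own name.
    $root = "C:\inetpub\$($svc.Host)"   # assumed path
    New-Item -ItemType Directory -Path $root -Force | Out-Null
    if (-not (Get-Website -Name $svc.Host)) {
        New-Website -Name $svc.Host -HostHeader $svc.Host -Port 443 -Ssl `
                    -PhysicalPath $root -ApplicationPool $svc.Pool | Out-Null
    }

    # Windows auth with useAppPoolCredentials: with kernel-mode auth on, IIS would otherwise
    # decrypt the ticket with the machine account, which does not hold HTTP/<host name>.
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $svc.Host `
        -Filter $filter -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $svc.Host `
        -Filter $filter -Name useAppPoolCredentials -Value $true
}

# Verify from the server: every SPN should appear exactly once across the domain.
setspn -X
```

From a domain-joined client, `klist get HTTP/certenroll.contoso.com` should return a ticket for the new SPN; if `klist` shows the server's machine-account name instead, the client resolved a CNAME and the post's warning applies.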