Same Host Header / SPN

In this setup, the IIS website is running on both back-end servers under an application pool with the same application pool identity (Service User). This requires the following configuration:

Requirements

Component | Requirement | Comments

Back-end configuration

  • Both back-end servers run the web application with the same binding (they expect the same host header).
  • The same service user is configured in the application pool identity on both back-end servers.

Active Directory configuration

  • The SPN is registered to the application pool identity.
  • The Kerberos System User is permitted to request Kerberos tickets for this SPN.

Airlock Gateway configuration

  • The default Request Action "Translate Host Header" is disabled. Possibly a custom Translate Host Header action is configured with a static value.
  • Both back-end servers are configured in the same Back-end Group.
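
The following PowerShell sketch checks the Active Directory and back-end requirements listed above. It is an added example, not part of the Airlock documentation. All host, account, site and pool names are placeholders, and it assumes the ticket permission for the Kerberos System User is granted as constrained delegation.

```powershell
# Added example: every name below is a placeholder (assumption), not a value from the page.
Import-Module ActiveDirectory

$HostHeader   = 'app.example.com'    # host header both back-ends are bound to
$Spn          = "HTTP/$HostHeader"
$ServiceUser  = 'svc-webapp'         # application pool identity (sAMAccountName)
$KerberosUser = 'svc-airlock-krb'    # Airlock Kerberos System User
$Backends     = 'web01', 'web02'
$Site         = 'WebApp'
$AppPool      = 'WebAppPool'

# 1. The SPN must be held by exactly one account: the shared service user.
#    A duplicate or misplaced SPN makes ticket requests for the host header fail.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName)
if ($owners.Count -ne 1 -or $owners[0].sAMAccountName -ne $ServiceUser) {
    Write-Warning "$Spn is registered to: '$($owners.sAMAccountName -join ', ')'"
}

# 2. Assumption: the permission is implemented as constrained delegation, so the
#    SPN should appear in msDS-AllowedToDelegateTo of the Kerberos System User.
$krb = Get-ADUser $KerberosUser -Properties 'msDS-AllowedToDelegateTo'
if ($krb.'msDS-AllowedToDelegateTo' -notcontains $Spn) {
    Write-Warning "$KerberosUser is not allowed to delegate to $Spn"
}

# 3. Both back-ends must run the pool as the same service user and carry
#    a binding for the same host header.
$state = Invoke-Command -ComputerName $Backends -ScriptBlock {
    Import-Module WebAdministration
    $pool = $using:AppPool
    $site = $using:Site
    [pscustomobject]@{
        Identity = (Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).userName
        Hosts    = (Get-WebBinding -Name $site).bindingInformation |
                   ForEach-Object { ($_ -split ':')[-1] }   # last field is the host header
    }
}
foreach ($s in $state) {
    # Compare the account name without its DOMAIN\ prefix.
    if (($s.Identity -split '\\')[-1] -ne $ServiceUser) {
        Write-Warning "$($s.PSComputerName): pool runs as '$($s.Identity)'"
    }
    if ($s.Hosts -notcontains $HostHeader) {
        Write-Warning "$($s.PSComputerName): no binding for $HostHeader"
    }
}
```

No output means all three checks passed; each warning names the requirement that is not met.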