Different Host Header / SPN

In this setup, the IIS website runs on both back-end servers under an application pool that uses either a different application pool identity (service user) on each server or the machine account. This requires the following configuration:

Requirements

Component | Requirement | Comments

Back-end configuration

  • Both back-end servers run the web application with a different binding (they expect a different host header).
  • A different service user or the machine account is configured in the application pool identity on both back-end servers.

Active Directory configuration

  • Variant 1) The application pool runs under a service user (each server uses its own service user). Each back-end has its own SPN. The SPNs are registered to the dedicated service user.
  • Variant 2) The application pool runs under the machine account. Each back-end has its own SPN. The SPNs are registered to the dedicated machine account.
  • The Kerberos System User is permitted to request Kerberos tickets for all these SPNs.

Airlock Gateway configuration

  • The Request Action (default) Translate Host Header is enabled and there is no Custom Translate Host Header Action configured. This means that the host header is rewritten to the back-end server name in the Back-end Group. This also requires that the hostname is configured in the Back-end Group and not the IP address.
  • Both back-end servers are configured in the same Back-end Group.
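
A pre-flight check for the requirements above, as an added example that is not part of the Airlock documentation: it parses `setspn -L` output and verifies that every Back-end Group entry is a hostname with its own SPN on its own account. Assumptions: the SPN has the form `HTTP/<back-end hostname>`, the sample output and the `example.com` names are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `setspn -L <account>` output for two accounts (assumption).
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc-web1,OU=Service,DC=example,DC=com:
        HTTP/web1.example.com
Registered ServicePrincipalNames for CN=svc-web2,OU=Service,DC=example,DC=com:
        HTTP/web2.example.com
"""

def parse_setspn(text):
    """Map each SPN (lower-cased) to the set of accounts it is registered to."""
    owners, account = {}, None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):\s*$", line)
        if m:
            account = m.group(1)
        elif line.strip() and account:
            owners.setdefault(line.strip().lower(), set()).add(account)
    return owners

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def check_backend_group(backends, owners):
    """Return a list of findings; an empty list means the requirements hold."""
    findings, seen = [], {}
    for host in backends:
        if is_ip(host):  # the translated host header must be a name, not an IP
            findings.append(f"{host}: IP address, Back-end Group needs the hostname")
            continue
        accounts = owners.get(f"http/{host.lower()}", set())
        if len(accounts) != 1:  # 0 = SPN missing, >1 = duplicate SPN
            findings.append(f"{host}: SPN registered to {len(accounts)} accounts, expected 1")
            continue
        account = next(iter(accounts))
        if account in seen:  # each back-end needs its own identity in this setup
            findings.append(f"{host}: shares account with {seen[account]}")
        seen[account] = host
    return findings
```
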