Kerberos requirements

If you are using Windows Authentication to authenticate Granta MI users, the load balancer must support the Kerberos protocol (as opposed to NTLM) to allow it to pass the users' authentication information (Kerberos tokens) to the applications.

In addition, certain features in the Granta MI Windows desktop applications (for example, Data Updater in MI Admin) require direct access to the MI Settings service, and this also requires that Kerberos is configured.

Configuring your system to allow Kerberos to work over HTTPS typically requires making changes at the Windows Domain level to set the HTTP Service Principal Names (SPNs) of the machines involved in the cluster to use the same service account and then configuring the load balancer and IIS Application Pools (on the MI application servers) to use this same service account.

More information is available on request, if needed.