Special considerations for Windows Authentication

If you are using Windows Authentication, the Kerberos protocol (as opposed to NTLM) must be used if the load balancer is responsible for authenticating users before forwarding the request on to the application servers in the cluster.

Configuring your system to allow Kerberos to work over HTTPS typically requires making changes at the Windows Domain level to set the HTTP Service Principal Names (SPNs) of the machines involved in the cluster to use the same service account and then configuring the Load balancer and IIS Application Pools (on the MI application servers) to use this same service account.

More information is available on request, if needed.