First of all i assume that your farm is running behind a NLB cluster and configured using kerberos authentication successfully.
Here is the scenario:
Sharepoint 2010 WFE1 :
->IP: 192.168.10.5 FQDN : wfeserver1.contoso.com , Windows 2008 server SP2 x64 , IIS 7.0
Sharepoint 2010 WFE2:
->IP: 192.168.10.7 FQDN : wfeserver2.contoso.com , Windows 2008 server SP2 x64 , IIS 7.0
NLB Cluster IP : 192.168.10.200 FQDN: nlb1.contoso.com
We have 2 sharepoint application running on port 80:
App1: already configured using Kerberos Auth :
Host Header : http://istanbul.contoso.com AppPool account : Contoso\bugra
App2 : is using NTLM (just now)
Host Header : http://ankara.contoso.com AppPool account Contoso\postman
In order for Kerberos authentication to work we configured:
When you run IIS in a clustered environment or in a load-balanced environment, you access applications by using the cluster name instead of by using a node name. This scenario includes network load balancing. In cluster technology, a node refers to one computer that is a member of the cluster. To use Kerberos as the authentication protocol in this scenario, the application pool identity on each IIS node must be configured to use the same domain user account. To configure each IIS node to use the same domain user account, use the following command:
Setspn –A HTTP/CLUSTER_NAME domain\username
(Note: I could able to manage kerberos authentication without defining any SPN to NLB cluster on Windows Server 2008 R2. )
According to KB : SPN for the NLB cluster name: ***
SetSPN -A HTTP/nlb1.contoso.com Contoso\bugra
SetSPN -A HTTP/nlb1 Contoso\bugra
SPN for the cluster node:
SetSPN -A HTTP/istanbul.contoso.com Contoso\bugra
SetSPN -A HTTP/istanbul Contoso\bugra
What happens if I want to configure an additional web application “ankara.contoso.com” , running under a different application pool “Contoso\postman” also running Kerberos authentication ?
What about the NLB SPNs – they have a different account. This should be a problem of a duplicate SPN for NLB .Sure it is not able to do it like this way.
1) Create another DNS A record on NLB Cluster ip:
ex: host A newnlbrecord.contoso.com 192.168.10.200
2) Create SPN for this FQDN:
SetSPN -A HTTP/newnlbrecord.contoso.com Contoso\postman
SetSPN -A HTTP/newnlbrecord Contoso\postman
And dont forget to create for your app:
SetSPN -A HTTP/ankara.contoso.com Contoso\postman
SetSPN -A HTTP/ankara Contoso\postman
end of article.