SharePoint pages are not loaded correctly behind a load balancer.

Assume the following scenario:
You have a custom 3rd party load balancer and you would like to publish only a subsite of a site collection in SharePoint 2010 through that NLB. This is a rather specific scenario and it is not supported by every load balancer.
Some 3rd party load balancers can be configured with rules for extra redirections, and that is what this article relies on.

In our scenario we have:
One 3rd party network load balancer (NLB) which also supports SSL termination.
And a SharePoint farm which publishes the following sites:
http://blog.bugrapostaci.com -> our root site collection, which we do not want to publish through the load balancer.
There can be many reasons not to publish the root site directly: a security concern, the name already referencing another site, etc.
http://blog.bugrapostaci.com/Information -> our subsite, which we do want to reach through the NLB. We assume this site contains no customization and is a pure SharePoint Team Site template.
(Some customized sites request extra web services or URLs that would also have to be configured.)

First you need to configure your load balancer for SSL termination and install the correct certificate, which is out of scope for this article. Then, on SharePoint, you need to configure Alternate Access Mappings (AAM) correctly for HTTPS termination, so that the farm knows the public URL is HTTPS even though the request from the load balancer arrives over HTTP.

A sample of a correct configuration looks like this:

Internal URL                    Zone        Public URL
https://blog.bugrapostaci.com   Internet    https://blog.bugrapostaci.com
http://blog.bugrapostaci.com    Internet    https://blog.bugrapostaci.com

Then you need to add rules to the NLB that forward requests to the correct server over HTTPS for any URL containing the subsite string “Information” (our subsite part). For how to add rules to your NLB you may need to contact the NLB vendor or check its manual.

But these rules are not enough: if you check the site you will see that the page does not load correctly. Why? Because when you request a page it has to make extra sub-requests for scripts, styles and images.
You can see which requests are made in the background using Fiddler2, the F12 Developer Tools in IE, or the Firebug extension for Firefox.

Here you can see a sample trace when I browse the page http://blog.bugrapostaci.com/Information:

[screenshot: request list from the trace]

In the details you can see there are 43 more requests; the first few are:


/Information/SitePages/Home.aspx
/ScriptResource.axd?d=3deuDBoJpstM_vnvogSCBV0kbvg4UPvUtpa
/ScriptResource.axd?d=A9qblnwldHbcO4ZGhCK8Ss2nKdc2cWEIJ75
/WebResource.axd?d=Q1l5fspXysTdsR10hp_rImYHRKCODxQ3Hk5D7d
/_layouts/1033/init.js?rev=lEi61hsCxcBAfvfQNZA%2FsQ%3D%3D
/_layouts/1033/styles/Themable/corev4.css?rev=3TRomkG1g2g
/_layouts/1033/styles/Themable/search.css?rev=T%2Bhraxktc
/_layouts/1033/styles/Themable/wiki.css?rev=9pXM9jgtUVYAH
/_layouts/blank.js?rev=QGOYAJlouiWgFRlhHVlMKA%3D%3D
/_layouts/images/bgximg.png
/_layouts/images/blank.gif

And some of them come directly from the root site. That means a rule that only forwards URLs containing the subsite string “Information” is not enough. Here is a sample list of the paths that can be requested when you open a page in the subsite. You should add a rule for each of them:

“/Information” -> the subsite URL part.
“/_controltemplates”
“/_layouts”  -> images, styles, JavaScript
“/_vti_bin”  -> web services
“/_wpresources”
“/App_Browsers”
“/App_GlobalResources”
“/wpresources”
“/_app_bin”
“/_vti_pvt”
“/_forms”
“/_login”
“/_windows”
“/ScriptResource.axd” -> ASP.NET handlers
“/WebResource.axd”  -> ASP.NET handlers

This sample is only valid for a pure SharePoint Team Site template without customization; if you have customizations, extra web service requests or other paths, you will need more rules.
I cannot tell you the extra URL names, but I can show you how to catch a fish.

One caveat before you add these rules: none of these paths is specific to the subsite. /_layouts, /_vti_bin, /_forms, /_login and the other virtual directories are shared by every site in the web application, so once the load balancer forwards them, the root site collection's pages and web services under those paths (for example /_layouts/settings.aspx or /_vti_bin/Lists.asmx at the root) are reachable from the Internet zone as well. SharePoint still enforces its own authorization on them, so this does not bypass permissions, but if the reason for not publishing the root site was to keep it off the network path entirely, that goal is only partly met. Forward the narrowest set of prefixes your trace actually shows rather than everything that starts with an underscore.

You can test like this:

Run a Fiddler, IE Developer Tools or Firebug trace against the server directly (without HTTPS, bypassing the load balancer) and request your subsite. You will see all the requests and files that have to load for the page to work correctly. Make a list of them.
Do the same behind the load balancer and compare; add a forwarding rule to the 3rd party load balancer for every request that is missing.
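An added example, not part of the original article, of how to do that comparison with a script instead of by eye. It reads a list of request paths (one per line, as copied out of Fiddler, the IE F12 network tab or an IIS log), reduces each to the first path segment a load balancer rule would match on, and reports the prefixes that have no rule yet. The sample trace and the starting rule set ($forwarded, only the subsite rule) are constructed for the example; the second function requests each path through the public HTTPS name so you can repeat the check behind the load balancer, and assumes PowerShell 3.0 or later for Invoke-WebRequest.

```powershell
# Added example (not part of the original article): build the list of URL
# prefixes a subsite page needs and compare it with the prefixes the load
# balancer already forwards. Input is one request path per line, as pasted from
# Fiddler (Copy > Just Url), the IE F12 network tab or the cs-uri-stem column
# of an IIS log. The sample trace below is constructed from the request list
# shown in the article; replace it with your own (e.g. Get-Content .\trace.txt).

$trace = @'
/Information/SitePages/Home.aspx
/ScriptResource.axd?d=3deuDBoJpstM_vnvogSCBV0kbvg4UPvUtpa
/WebResource.axd?d=Q1l5fspXysTdsR10hp_rImYHRKCODxQ3Hk5D7d
/_layouts/1033/init.js?rev=lEi61hsCxcBAfvfQNZA%2FsQ%3D%3D
/_layouts/images/blank.gif
/_vti_bin/client.svc/ProcessQuery
/Information/_vti_bin/lists.asmx
/Style%20Library/custom.css
'@ -split "`r?`n" | Where-Object { $_.Trim() -ne '' }

# Prefixes the load balancer forwards today (assumed: only the subsite rule).
$forwarded = @('/Information')

function Get-RoutePrefix {
    # Reduce a request URL to the first path segment a load balancer rule would
    # match on: /_layouts/1033/init.js?rev=... -> /_layouts. A request that
    # already lives under the subsite collapses to /Information and is therefore
    # covered by the subsite rule.
    param([Parameter(Mandatory = $true)][string]$Url)
    $path  = $Url -replace '^https?://[^/]+', '' -replace '[?#].*$', ''
    $first = ($path.TrimStart('/') -split '/', 2)[0]
    return '/' + [uri]::UnescapeDataString($first)
}

$needed  = $trace | ForEach-Object { Get-RoutePrefix $_ } | Sort-Object -Unique
$missing = $needed | Where-Object { $forwarded -notcontains $_ }   # case-insensitive

"Prefixes the page requests:"
$needed  | ForEach-Object { "  $_" }
"Prefixes with no load balancer rule yet:"
$missing | ForEach-Object { "  $_" }

function Test-PublishedUrl {
    # Second pass, behind the load balancer: request each path through the
    # public HTTPS name and report the status, to see which prefixes the load
    # balancer drops or answers itself. Needs PowerShell 3.0 or later for
    # Invoke-WebRequest. Not run by default; call it once the rules are in place:
    #   Test-PublishedUrl -PublicBase 'https://blog.bugrapostaci.com' -Paths $trace
    param(
        [Parameter(Mandatory = $true)][string]$PublicBase,
        [Parameter(Mandatory = $true)][string[]]$Paths
    )
    foreach ($p in $Paths) {
        try {
            $r = Invoke-WebRequest -Uri ($PublicBase + $p) -UseBasicParsing -UseDefaultCredentials
            '{0,-60} {1}' -f $p, $r.StatusCode
        } catch {
            if ($_.Exception.Response) {
                '{0,-60} {1}' -f $p, ([int]($_.Exception.Response.StatusCode))
            } else {
                '{0,-60} {1}' -f $p, $_.Exception.Message
            }
        }
    }
}
```

With the constructed trace the script lists /Information, /ScriptResource.axd, /Style Library, /WebResource.axd, /_layouts and /_vti_bin as needed, and everything except /Information as missing a rule. A prefix that answers with the load balancer's own error page or a connection reset in the second pass is the one whose rule is still wrong.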

Multiple application pool identity scenario when using NLB with Kerberos authentication for SharePoint

First of all, I assume that your farm is running behind an NLB cluster and is already configured successfully for Kerberos authentication.

Here is the scenario:

SharePoint 2010 WFE1:
-> IP: 192.168.10.5   FQDN: wfeserver1.contoso.com, Windows Server 2008 SP2 x64, IIS 7.0

SharePoint 2010 WFE2:
-> IP: 192.168.10.7   FQDN: wfeserver2.contoso.com, Windows Server 2008 SP2 x64, IIS 7.0

NLB:
NLB Cluster IP: 192.168.10.200   FQDN: nlb1.contoso.com

We have 2 SharePoint web applications running on port 80:
App1: already configured with Kerberos authentication:
Host Header: http://istanbul.contoso.com   AppPool account: Contoso\bugra

App2: still using NTLM (for now):
Host Header: http://ankara.contoso.com   AppPool account: Contoso\postman

In order for Kerberos authentication to work we followed the Microsoft KB article:
“When you run IIS in a clustered environment or in a load-balanced environment, you access applications by using the cluster name instead of by using a node name. This scenario includes network load balancing. In cluster technology, a node refers to one computer that is a member of the cluster. To use Kerberos as the authentication protocol in this scenario, the application pool identity on each IIS node must be configured to use the same domain user account. To configure each IIS node to use the same domain user account, use the following command:
Setspn -A HTTP/CLUSTER_NAME domain\username”
http://support.microsoft.com/kb/929650

(Note: I was able to get Kerberos authentication working without defining any SPN for the NLB cluster name on Windows Server 2008 R2.)

Defined SPNs:

According to the KB, SPN for the NLB cluster name:
SetSPN -A HTTP/nlb1.contoso.com     Contoso\bugra
SetSPN -A HTTP/nlb1     Contoso\bugra

SPN for the web application's host header (the name in the URL, which is what the browser requests a service ticket for):
SetSPN -A HTTP/istanbul.contoso.com    Contoso\bugra
SetSPN -A HTTP/istanbul    Contoso\bugra

What happens if I want to configure an additional web application, ankara.contoso.com, running under a different application pool account (Contoso\postman) and also using Kerberos authentication?

What about the NLB SPNs? They are already registered to a different account. Registering HTTP/nlb1.contoso.com for Contoso\postman as well would create a duplicate SPN (the same SPN on two accounts): the KDC cannot tell which account's key to encrypt the service ticket with, Kerberos fails for both applications, and browsers typically fall back to NTLM, which hides the problem. So it cannot be done this way.

Solution:
1) Create another DNS A record pointing at the NLB cluster IP:
ex: newnlbrecord.contoso.com  A  192.168.10.200

2) Create the SPNs for this FQDN:
SetSPN -A HTTP/newnlbrecord.contoso.com     Contoso\postman
SetSPN -A HTTP/newnlbrecord Contoso\postman

And don't forget the SPNs for the application's own host header:
SetSPN -A HTTP/ankara.contoso.com    Contoso\postman
SetSPN -A HTTP/ankara Contoso\postman

On Windows Server 2008 and later prefer SetSPN -S over -A: -S refuses to add an SPN that is already registered to another object, and SetSPN -X lists any duplicates that already exist in the domain, so run it after the change.
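An added example, not part of the original article, that carries out the solution above as a script: for each application pool account it checks who already holds each SPN (setspn -Q), refuses to register an SPN held by another account instead of creating a duplicate, registers the free ones with setspn -S, and finishes with setspn -X. The account names and host names are the article's; it assumes setspn.exe from Windows Server 2008 or later with English output strings, and an account allowed to write servicePrincipalName on the target users. With $Apply left at $false it only prints what it would run.

```powershell
# Added example (not part of the original article): register the SPNs for a
# second web application that shares the NLB address but runs under its own
# application pool account, refusing any SPN that is already held by another
# account. Uses setspn.exe, which ships with Windows Server 2008 and later:
#   setspn -Q <spn>             queries which object holds an SPN
#   setspn -S <spn> <account>   adds it only if no other object holds it
#   setspn -X                   reports duplicate SPNs in the domain
# Assumes English setspn output and rights to write servicePrincipalName.

$Apply = $false   # set to $true to actually run setspn -S

$apps = @(
    @{ Account = 'Contoso\bugra';   Names = 'nlb1.contoso.com', 'nlb1', 'istanbul.contoso.com', 'istanbul' },
    @{ Account = 'Contoso\postman'; Names = 'newnlbrecord.contoso.com', 'newnlbrecord', 'ankara.contoso.com', 'ankara' }
)

function Get-AccountDn {
    # Distinguished name of DOMAIN\sam, looked up in the current domain via ADSI
    # (no ActiveDirectory module needed).
    param([Parameter(Mandatory = $true)][string]$Account)
    $sam = $Account.Split('\')[-1]
    $hit = ([adsisearcher]"(sAMAccountName=$sam)").FindOne()
    if (-not $hit) { throw "Account $Account not found in the current domain" }
    return [string]$hit.Properties['distinguishedname'][0]
}

function Get-SpnState {
    # 'free'  : nobody holds the SPN
    # 'self'  : already registered to $Account (nothing to do)
    # 'other' : held by a different object; adding it would make a duplicate
    # setspn -Q prints "No such SPN found." or the DN of each holder followed
    # by that object's SPN list (output format assumed from current builds).
    param([Parameter(Mandatory = $true)][string]$Spn,
          [Parameter(Mandatory = $true)][string]$Account)
    $out = (& setspn.exe -Q $Spn 2>&1) -join "`n"
    if ($out -match 'No such SPN found') { return 'free' }
    if ($out -match [regex]::Escape((Get-AccountDn $Account))) { return 'self' }
    return 'other'
}

foreach ($app in $apps) {
    foreach ($name in $app.Names) {
        $spn = "HTTP/$name"
        switch (Get-SpnState -Spn $spn -Account $app.Account) {
            'self'  { "$spn already registered to $($app.Account), skipping" }
            'other' {
                Write-Warning ("$spn is already held by another account. Adding it to " +
                    "$($app.Account) too would create a duplicate SPN and break Kerberos " +
                    "for both; point a new DNS name at the NLB IP and register that instead.")
            }
            'free'  {
                if ($Apply) { & setspn.exe -S $spn $app.Account }
                else        { "would run: setspn -S $spn $($app.Account)" }
            }
        }
    }
}

# Final check: any duplicate SPNs left anywhere in the domain?
& setspn.exe -X
```

If you run this before creating the newnlbrecord DNS entry, the SPNs for it are still registered fine (SPNs are independent of DNS), but clients cannot resolve the name until the A record exists, so create the record first as the article says. The 'other' branch is the case the article describes: HTTP/nlb1.contoso.com is already held by Contoso\bugra, so the script refuses to add it for Contoso\postman rather than breaking Kerberos for both applications.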
