Multiple application pool identity scenario when using NLB with Kerberos authentication for SharePoint

First of all, I assume that your farm is running behind an NLB cluster and has already been configured successfully for Kerberos authentication.

Here is the scenario:

SharePoint 2010 WFE1:
-> IP: 192.168.10.5, FQDN: wfeserver1.contoso.com, Windows Server 2008 SP2 x64, IIS 7.0

SharePoint 2010 WFE2:
-> IP: 192.168.10.7, FQDN: wfeserver2.contoso.com, Windows Server 2008 SP2 x64, IIS 7.0

NLB:
NLB cluster IP: 192.168.10.200, FQDN: nlb1.contoso.com

We have two SharePoint web applications running on port 80:
App1: already configured for Kerberos authentication:
Host header: http://istanbul.contoso.com   AppPool account: Contoso\bugra

App2: still using NTLM (for now):
Host header: http://ankara.contoso.com   AppPool account: Contoso\postman

To make Kerberos work behind the cluster we followed KB 929650 (http://support.microsoft.com/kb/929650), which says:

When you run IIS in a clustered environment or in a load-balanced environment, you access applications by using the cluster name instead of by using a node name. This scenario includes network load balancing. In cluster technology, a node refers to one computer that is a member of the cluster. To use Kerberos as the authentication protocol in this scenario, the application pool identity on each IIS node must be configured to use the same domain user account. To configure each IIS node to use the same domain user account, use the following command:
Setspn -A HTTP/CLUSTER_NAME domain\username

(Note: I was able to get Kerberos authentication working without defining any SPN for the NLB cluster on Windows Server 2008 R2.)

Defined SPNs:

According to the KB, SPNs for the NLB cluster name:
SetSPN -A HTTP/nlb1.contoso.com     Contoso\bugra
SetSPN -A HTTP/nlb1     Contoso\bugra

SPNs for the web application host header (the name users actually type):
SetSPN -A HTTP/istanbul.contoso.com    Contoso\bugra
SetSPN -A HTTP/istanbul    Contoso\bugra

What happens if I want to configure an additional web application, ankara.contoso.com, running under a different application pool identity (Contoso\postman), and also switch it to Kerberos authentication?

The host-header SPNs are easy: HTTP/ankara.contoso.com is not registered to anyone yet and can go to Contoso\postman. The NLB SPNs are the problem: HTTP/nlb1.contoso.com is already registered to Contoso\bugra, and a given SPN may belong to only one account in the forest. Registering it again for Contoso\postman would create a duplicate SPN, and the KDC could then issue service tickets encrypted with the wrong account's key, breaking Kerberos for both applications. So it cannot be done that way; the second identity needs a cluster name of its own. (Keep in mind that a browser requests the SPN built from the host name in the URL, so a user opening http://ankara.contoso.com asks for HTTP/ankara.contoso.com; the cluster-name SPN only matters for clients that address the cluster name directly, which is consistent with the note above.)

Solution:
1) Create another DNS A record for the NLB cluster IP, so that the second identity gets cluster-name SPNs of its own:
ex:  host  A  newnlbrecord.contoso.com 192.168.10.200
Use an A record rather than a CNAME: some clients build the SPN from the canonical name a CNAME resolves to, which would send them back to HTTP/nlb1.contoso.com and the wrong account.

2) Create SPNs for this FQDN under the second application pool account:
SetSPN -A HTTP/newnlbrecord.contoso.com     Contoso\postman
SetSPN -A HTTP/newnlbrecord Contoso\postman

3) And don't forget the SPNs for the web application itself:
SetSPN -A HTTP/ankara.contoso.com    Contoso\postman
SetSPN -A HTTP/ankara Contoso\postman

Then switch ankara.contoso.com from NTLM to Negotiate (Kerberos) in the web application's authentication provider settings in Central Administration, as was done for istanbul.contoso.com, and verify with setspn -L Contoso\postman that the four SPNs are listed once and only under that account.
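The same three steps as a script, added here as an example and not part of the original post. It uses the names from the scenario (Contoso\postman, ankara, newnlbrecord, 192.168.10.200); the DNS server name dns1.contoso.com is an assumption. The one thing it adds over the commands above is the check that matters: it queries the forest for each SPN first and uses setspn -S, which refuses to create a duplicate, instead of -A, which writes blindly.

```powershell
# Added example (not from the original post). Registers the SPNs for the second
# application pool identity without ever creating a duplicate SPN.
# Assumptions: dns1.contoso.com is the DNS server for the zone; the caller can
# write servicePrincipalName on the account and add records to the zone.
# Works on PowerShell 2.0 / Windows Server 2008 (setspn -S and -Q exist there).

$account   = 'Contoso\postman'
$dnsServer = 'dns1.contoso.com'        # assumption: the zone's DNS server
$zone      = 'contoso.com'
$nlbIp     = '192.168.10.200'
$nlbAlias  = 'newnlbrecord'            # second A record for the cluster IP
$hostHdr   = 'ankara'                  # host header of the second web app

# 1) A second A record (not a CNAME) that resolves to the cluster IP. A CNAME
#    would let clients that canonicalise names ask for HTTP/nlb1.contoso.com,
#    which belongs to Contoso\bugra.
dnscmd $dnsServer /RecordAdd $zone $nlbAlias A $nlbIp

# 2) Every SPN the second identity needs: FQDN and short form of the new
#    cluster alias and of the host header.
$spns = @(
    "HTTP/${nlbAlias}.${zone}", "HTTP/${nlbAlias}",
    "HTTP/${hostHdr}.${zone}",  "HTTP/${hostHdr}"
)

foreach ($spn in $spns) {
    # setspn -Q searches the whole forest. "Existing SPN found!" means another
    # account already owns this name; adding it again would break Kerberos
    # for both accounts, so stop and look instead of overwriting.
    $found = (setspn -Q $spn | Out-String) -match 'Existing SPN found'
    if ($found) {
        Write-Warning "$spn is already registered - run 'setspn -Q $spn' and sort out the owner first"
        continue
    }
    # -S checks for duplicates before adding; -A does not.
    setspn -S $spn $account
}

# 3) Verification: what the account holds now, and a forest-wide duplicate scan
#    (setspn -X reports the groups of duplicate SPNs it finds; expect none).
setspn -L $account
setspn -X

# On a client, after 'klist purge' and a visit to http://ankara.contoso.com,
# the ticket cache should contain a ticket for HTTP/ankara.contoso.com:
#   klist | Select-String 'HTTP/ankara'
```

If setspn -X does report a group containing HTTP/nlb1.contoso.com or HTTP/ankara.contoso.com, fix that before touching the web application's authentication provider; a duplicate SPN fails in a way that looks like a SharePoint problem (repeated credential prompts, NTLM fallback) rather than a directory problem.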

end of article.

Troubleshooting with SharePoint 2010 Diagnostic Log Compression (DLC) v1.0

Here is the checklist.

1)      Check on every WFE and APP server that the DLC assembly, DiagnosticLogCompression.dll, is registered in the GAC.

2)      Check that the SharePoint Timer Service is running, and running under the correct account, on every WFE and APP server.

3)      Check that the Diagnostic Log Compression feature is installed and activated on the SharePoint Central Administration web application:

CA -> Site Settings -> Manage Site Features, and confirm that the Diagnostic Log Compression feature is activated.

4)      Check that the SharePoint Timer Service identity has enough rights to read and write the destination folder used for the log copy/move operations.

5)      If you are using a UNC path, check from every WFE and APP server that there is no connection problem reaching the defined UNC share.

6)      Monitor the ULS log with ULS Viewer to confirm that the compression job is running as expected.

You can download ULS Viewer from this link: http://archive.msdn.microsoft.com/ULSViewer

Job starting message:

DLC -> Job:  Message:Job Starting

Directory check message:
DLC -> Job:  Message:Directory is OK! :   \\YOUR_NETWORK_PATH

Log file in use message (the file ULS is currently writing to is skipped):

DLC -> Job:  Message:File in usage:C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS\POSTPOINT2010-20110610-1927.log

Processed log file message (one per file):

DLC -> Job:  Message:Processing -> C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS\POSTPOINT2010-20110606-1744.log


Finish message:

DLC -> Job:  Message:Job completed successfully

7)      If you do any update or manual installation, don't forget to restart the SharePoint Timer Service on the updated server; until then the timer service keeps the old assembly loaded and you get an error like this in the ULS log:

06/10/2011 19:36:03.45               OWSTIMER.EXE (0x21BC)             0x2018  SharePoint Foundation               Topology            umbo    High       The type DiagnosticLogsHelper.JobLogCompress, DiagnosticLogCompression, Version=1.0.0.0, Culture=neutral, PublicKeyToken=c1b6bc305019fff6 could not be found in its specified assembly.  Scanning all assemblies that have been loaded in the current app domain.      
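The checklist run from one SharePoint 2010 Management Shell against every server in the farm, added here as an example (it is not part of the original post or of the DLC project). The facts it relies on come from these posts: the assembly identity printed in the ULS error (DiagnosticLogCompression, Version 1.0.0.0, PublicKeyToken c1b6bc305019fff6), the 14\LOGS path, the SPTimerV4 service name and the feature GUID. Assumptions: $uncPath is the move folder you configured, each server's Windows directory is C:\Windows, and PowerShell remoting is enabled for the reachability check.

```powershell
# Added example (not the DLC project's code): checklist items 1-7 automated.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$uncPath   = '\\fileserver\splogs'                      # assumption: your move folder
$featureId = '0ed55cf5-5322-44bb-b5bf-9126130f7d38'     # from the install post
$gacRel    = 'Windows\assembly\GAC_MSIL\DiagnosticLogCompression\1.0.0.0__c1b6bc305019fff6\DiagnosticLogCompression.dll'
$logDir    = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS'
$caUrl     = (Get-SPWebApplication -IncludeCentralAdministration |
              Where-Object { $_.IsAdministrationWebApplication }).Url

# 3) feature activated on Central Administration (web scope, per "Manage Site Features")
$active = Get-SPFeature -Web $caUrl | Where-Object { $_.Id -eq $featureId }
"Feature active on CA: {0}" -f [bool]$active

# In a 2010 farm the SQL servers show Role = Invalid: skip them, check the rest.
foreach ($s in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    $name = $s.Address
    "--- $name"

    # 1) assembly present in the GAC, reached through the admin share (assumes C:\Windows)
    "  DLC in GAC    : {0}" -f (Test-Path "\\$name\C`$\$gacRel")

    # 2) timer service state and identity
    $svc = Get-WmiObject Win32_Service -ComputerName $name -Filter "Name='SPTimerV4'"
    "  SPTimerV4     : {0} as {1}" -f $svc.State, $svc.StartName

    # 4) the timer account needs Modify (at least Write) on the destination.
    #    Only a direct ACE is matched here; rights inherited through a group
    #    will not show, so treat False as "verify by hand", not as proof.
    $ace = (Get-Acl $uncPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $svc.StartName -and
        $_.FileSystemRights.ToString() -match 'Modify|FullControl|Write'
    }
    "  Write ACE for : {0} -> {1}" -f $svc.StartName, [bool]$ace

    # 5) reachability from that server. Test-Path on the UNC inside a remote
    #    session would fail on the Kerberos double hop regardless of the real
    #    state, so test the SMB port from the server instead.
    $fileHost = ([uri]$uncPath).Host
    $reach = Invoke-Command -ComputerName $name -ArgumentList $fileHost -ScriptBlock {
        param($h)
        try { $c = New-Object System.Net.Sockets.TcpClient($h, 445); $c.Close(); $true }
        catch { $false }
    }
    "  SMB to $fileHost reachable : $reach"
}

# 6) what the job reported recently on this server: the messages listed above
Select-String -Path (Join-Path $logDir '*.log') -Pattern 'DLC -> Job:' |
    Select-Object -Last 10 | ForEach-Object { $_.Line }

# 7) the "could not be found in its specified assembly" error is the signature
#    of a timer service that has not been restarted since the WSP was deployed
if (Select-String -Path (Join-Path $logDir '*.log') -Quiet `
        -Pattern 'DiagnosticLogsHelper\.JobLogCompress.*could not be found') {
    Write-Warning "Old assembly still loaded: restart SPTimerV4 on this server (net stop sptimerv4 / net start sptimerv4)"
}
```

Items 6 and 7 read the local 14\LOGS folder, so run the script once per server (or on the server whose ULS output you are chasing); items 1 to 5 cover the whole farm from wherever you run it.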

end of list.

Configuration of Sharepoint 2010 Diagnostic Log Compression (DLC) v1.0

Server Selection

Select the required servers from the checklist. DLC creates one timer job per selected server.

Move Folder

Define a network path or local path to which your log files are copied or moved. There are three options:

  • No Action: log files are not copied or moved to another path; if compression is active, the files with the "log" extension are compressed in place in the default SharePoint log folder.
  • Copy Action: the compressed log files (or the original log files, if compression is off) are copied to the defined path.
  • Move Action: the compressed log files (or the original log files, if compression is off) are moved to the defined path.

IMPORTANT: Check the folder permissions so that the SharePoint Timer Service account on each server has read/write rights on this folder; otherwise the job fails with an unnecessary access denied error.

Log Options

Compress Log Files: if this box is checked, every file in the default SharePoint log path is compressed and the original log file is deleted. If the move action is set to Copy or Move, the compressed file is copied or moved to the defined path.

IMPORTANT: In compression mode the original log files are deleted by default.

Don't Delete Original Log Files: if this box is checked, the original log files are not deleted even when compression is selected; the compressed file is created in the same folder, and it, not the original, is what a Copy or Move action sends to the defined path. The original log files themselves are never copied or moved away in this mode.

Timer Job Schedule: when the DLC configuration is saved, it creates a timer job for each selected server (or updates the job if it already exists). You can schedule these timer jobs to suit your environment; three schedules are available: Daily, Weekly and Monthly.

Quick FAQ: What happens if I set compression off, set the move option, and check "Don't Delete Original Log Files"? The answer is simple: instead of moving, the job just copies the original log files and does not delete them.

Quick FAQ: Can I set different schedules for specific servers? Answer: no, one schedule applies to all selected servers.
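To see what each option combination leaves behind before pointing the real job at 14\LOGS, here is a small re-implementation of the semantics described above, run against a constructed sample folder. It is an added example and not the DLC tool's code: it uses GZipStream as the tool does, but the way "in use" is detected (an exclusive open fails) and the sample file names are my assumptions.

```powershell
# Added example (not the DLC tool's code): the Move Folder / Log Options
# semantics from the post, applied to constructed sample files.

function Test-FileLocked([string]$Path) {
    # ULS keeps the current log open for writing; an exclusive open fails on it.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close(); return $false
    } catch { return $true }
}

function Compress-LogFile([string]$Path) {
    # Writes <file>.log.gz next to the source. Buffered copy keeps this on .NET 3.5.
    $gzPath = "$Path.gz"
    $in  = [System.IO.File]::OpenRead($Path)
    $out = [System.IO.File]::Create($gzPath)
    $gz  = New-Object System.IO.Compression.GZipStream($out, [System.IO.Compression.CompressionMode]::Compress)
    $buf = New-Object byte[] 65536
    while (($n = $in.Read($buf, 0, $buf.Length)) -gt 0) { $gz.Write($buf, 0, $n) }
    $gz.Close(); $out.Close(); $in.Close()
    return $gzPath
}

function Invoke-LogJob {
    param(
        [string]$LogDir, [string]$Dest,
        [ValidateSet('None','Copy','Move')][string]$MoveAction = 'None',
        [switch]$Compress, [switch]$KeepOriginals
    )
    foreach ($f in Get-ChildItem $LogDir -Filter *.log) {
        if (Test-FileLocked $f.FullName) { "File in usage: $($f.FullName)"; continue }
        $artifact = $f.FullName
        if ($Compress) {
            $artifact = Compress-LogFile $f.FullName
            if (-not $KeepOriginals) { Remove-Item $f.FullName }   # default: original deleted
        }
        # Quick FAQ: no compression + Move + keep originals degrades to a Copy,
        # because the original may never be moved away in that mode.
        $action = $MoveAction
        if ($action -eq 'Move' -and $KeepOriginals -and -not $Compress) { $action = 'Copy' }
        switch ($action) {
            'Copy' { Copy-Item $artifact -Destination $Dest }
            'Move' { Move-Item $artifact -Destination $Dest }
        }
        "Processing -> $($f.FullName) [$action]"
    }
}

# --- constructed sample: three fake ULS files, the newest held open like ULS does
$src  = Join-Path $env:TEMP 'dlc-sample\LOGS'
$dest = Join-Path $env:TEMP 'dlc-sample\ARCHIVE'
New-Item -ItemType Directory -Path $src, $dest -Force | Out-Null
foreach ($name in 'POSTPOINT2010-20110606-1744','POSTPOINT2010-20110607-1744','POSTPOINT2010-20110610-1927') {
    $lines = 1..200 | ForEach-Object {
        "06/10/2011 19:36:03.45`tOWSTIMER.EXE (0x21BC)`tSharePoint Foundation`tTopology`tconstructed sample line $_"
    }
    Set-Content -Path (Join-Path $src "$name.log") -Value $lines
}
$lock = [System.IO.File]::Open((Join-Path $src 'POSTPOINT2010-20110610-1927.log'), 'Open', 'ReadWrite', 'None')

# Default configuration: compress, move the .gz files, delete the originals.
# Expect two .gz files in ARCHIVE and only the locked log left in LOGS.
Invoke-LogJob -LogDir $src -Dest $dest -MoveAction Move -Compress
$lock.Close()
Get-ChildItem $src, $dest | Select-Object FullName, Length
```

Re-run the last three lines with `-MoveAction Move -KeepOriginals` and no `-Compress` to see the FAQ case: the .log files appear in ARCHIVE as copies and nothing disappears from LOGS.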


Installation of Sharepoint Diagnostic Log Compression (DLC) v1.0

Install via SharePoint 2010 Management Shell (PowerShell)

Note that -GACDeployment installs a full-trust assembly that the timer service loads on every server under its own account, so deploy only the .wsp you downloaded from the project page.

1. Download Diagnostic Log Compression from http://dlc.codeplex.com and copy the .wsp file to the C:\ drive.

2. Add the solution to the solution store:

Add-SPSolution -LiteralPath C:\DiagnosticLogCompression.wsp

3. Deploy the solution:

Install-SPSolution -Identity diagnosticlogcompression.wsp -GACDeployment

4. Enable the feature for the Central Administration application:

Enable-SPFeature -Identity 0ed55cf5-5322-44bb-b5bf-9126130f7d38 -url <Your Central Administration URL and port>

5. Restart the SharePoint Timer Service:

net stop sptimerv4
net start sptimerv4
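The same procedure (and the stsadm variant below) as one script, added here as an example and not taken from the original post or the DLC project. It adds the checks the step list leaves implicit: the .wsp must exist, Install-SPSolution only schedules a timer job so the script waits for it and checks the Deployed flag, the feature is activated only after a successful deployment, and the timer service is restarted on every SharePoint server rather than just the one you are logged on to. Assumptions: the file is at C:\DiagnosticLogCompression.wsp, the feature GUID is the one from the post, and the feature is web-scoped as "Manage Site Features" implies.

```powershell
# Added example (not from the original post or the DLC project).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wsp       = 'C:\DiagnosticLogCompression.wsp'
$solName   = 'diagnosticlogcompression.wsp'
$featureId = '0ed55cf5-5322-44bb-b5bf-9126130f7d38'
$caUrl     = (Get-SPWebApplication -IncludeCentralAdministration |
              Where-Object { $_.IsAdministrationWebApplication }).Url

if (-not (Test-Path $wsp)) { throw "$wsp not found" }

# 2) add to the solution store, once
if (-not (Get-SPSolution | Where-Object { $_.Name -eq $solName })) {
    Add-SPSolution -LiteralPath $wsp | Out-Null
}

# 3) deploy to the GAC. This only queues a timer job on each server, so wait
#    for the job and check the result instead of moving straight on.
$sol = Get-SPSolution $solName
if (-not $sol.Deployed) {
    Install-SPSolution -Identity $solName -GACDeployment
    while ((Get-SPSolution $solName).JobExists) { Start-Sleep -Seconds 5 }
    $sol = Get-SPSolution $solName
    if (-not $sol.Deployed) { throw "Deployment failed: $($sol.LastOperationDetails)" }
}

# 4) activate on Central Administration, once (web scope, per the post)
$active = Get-SPFeature -Web $caUrl | Where-Object { $_.Id -eq $featureId }
if (-not $active) { Enable-SPFeature -Identity $featureId -Url $caUrl }

# 5) every timer service must reload the new assembly; SQL servers (Role =
#    Invalid in a 2010 farm) have no timer service and are skipped.
foreach ($s in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    $sc = Get-Service -Name SPTimerV4 -ComputerName $s.Address
    $sc.Stop()
    $sc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    $sc.Start()
    "SPTimerV4 restarted on $($s.Address)"
}
```

If the script throws at the deployment step, `(Get-SPSolution diagnosticlogcompression.wsp).LastOperationDetails` usually names the server and the reason; a deployment that succeeded on one WFE and failed on another is exactly the situation in which the troubleshooting post's assembly error appears.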

 

Install via stsadm tool

1. Download Diagnostic Log Compression from dlc.codeplex.com and Copy wsp file to c:\

2. Add Solution to solution store

stsadm -o addsolution -filename c:\DiagnosticLogCompression.wsp

3. Deploy solution

stsadm -o deploysolution -name DiagnosticLogCompression.wsp -immediate -allowgacdeployment

4. Execute Admin Service jobs

stsadm -o execadmsvcjobs

5. Enable Diagnostic Log Compression Feature

stsadm -o activatefeature -id 0ed55cf5-5322-44bb-b5bf-9126130f7d38 -url <Your Central Administration URL and port>

6. Restart Sharepoint Timer Service

net stop sptimerv4
net start sptimerv4

  Cheers 🙂

Sharepoint 2010 Diagnostic Log Compression Tool

Hi everyone,

Have you ever needed to save the SharePoint diagnostic log files (ULS logs) to another location, whether for security, backup or low storage capacity? If you enable verbose logging, the log files quickly become a storage problem; sometimes a single file grows to several GB.

This SharePoint extension compresses, copies or moves SharePoint ULS log files to another location on a schedule, for backup purposes.

Features
– Compression of ULS log files using GZip, with a compression ratio of roughly 80%.
– Multiple server support: run on selected servers only.
– Scheduled operations.
– Copy or move compressed or uncompressed log files to another network location.
– Configuration via Central Administration.

You can download from codeplex.com
http://dlc.codeplex.com
