How to configure SPN for IIS website under NLB setup

I ran into this Kerberos issue a few times and it prompted me to write this blog post.


You would run into one of the following errors:

“The request failed with HTTP status 401: Unauthorized” or 401.2

You’ve already verified the following:

1) The website is configured for Integrated Authentication

2) The website is configured to use Negotiate by configuring NTAuthenticationProviders

3) IE is configured to use Integrated Authentication

4) The DelegConfig tool detects that the SPN configuration is valid

5) Valid SPNs are set as per the URL



The most common causes of Kerberos issues are an invalid SPN setup or a duplicate SPN setup, and this case is no different.

The URL (hostheader) for browsing the website is  and you’ve configured SPN’s for website is  , however when we try to resolve this FQDN it is resolving to  “test –”,  in this case we needed to set SPN for “”



It is important to configure the SPN for the name the host header resolves to, not the name we use to browse the website. The following is an example:

Website URL:
HostHeader :

Ping and note down the name it is resolving to. In some NLB scenarios, due to some custom requirements, customers would have an alias configured for, so in reality if we ping  is resolving it to due to DNS configuration, in this case we need to set SPNs for , not for



For this specific case, we removed the existing SPNs and added the SPN for “” using the command below:


Setspn -a HTTP/ Testdomain\ServiceUser


Note:  The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class. The service class is the string that identifies the general class of service. Well-known service class names include “www” for a Web service and “ldap” for a directory service.
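The check described above, as an added PowerShell example that is not part of the original post: it resolves the host header to the name DNS actually returns, builds the HTTP SPN for that name, and shows which account holds it. The host name and account defaults are placeholders, and it assumes a setspn version that supports -Q and -S (Windows Server 2008 or later).

```powershell
# Added example, not from the original post. Assumes setspn from Windows
# Server 2008 or later (for -Q and -S). Both default values are placeholders.
param(
    [string]$HostHeader     = 'site.example.test',   # FQDN typed in the browser (placeholder)
    [string]$ServiceAccount = 'EXAMPLE\ServiceUser'  # app pool identity (placeholder)
)

# Resolve the host header the way a client would and take the canonical name.
# If the host header is a CNAME alias, HostName is the name it points to.
try {
    $canonical = [System.Net.Dns]::GetHostEntry($HostHeader).HostName.TrimEnd('.')
} catch {
    Write-Error "Cannot resolve '$HostHeader': $($_.Exception.Message)"
    return
}

$spn = "HTTP/$canonical"
if ($canonical -ine $HostHeader) {
    Write-Warning "'$HostHeader' resolves to '$canonical'; the SPN must be $spn."
} else {
    Write-Host "'$HostHeader' resolves to itself; the SPN is $spn."
}

# Who holds that SPN today? setspn -Q prints each holding account's DN on a
# line starting with "CN=". More than one holder is a duplicate SPN.
$holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
switch ($holders.Count) {
    0       { Write-Host "$spn is not registered. To add it:"
              Write-Host "  setspn -S $spn $ServiceAccount" }
    1       { Write-Host "$spn is registered to: $($holders[0])" }
    default { Write-Warning "Duplicate SPN, held by $($holders.Count) accounts:"
              $holders | ForEach-Object { Write-Host "  $_" } }
}

# SPNs currently on the service account, to spot stale ones set for the alias.
Write-Host "SPNs on ${ServiceAccount}:"
setspn -L $ServiceAccount
```

The script only reads DNS and the directory; it prints the registration command instead of running it, so stale SPNs can be removed first.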



How to use SPNs when you configure Web applications that are hosted on IIS 6.0


Kerberos SPN Viewer and Helper Tool Sample

