After slogging through configuring the SCSM web interfaces for load balancing I thought I would try to get it going with Orchestrator. It was fortunately much easier this time since I knew what to look for and experiment with. You should probably read the SCSM blog post as a bit of background to this. I’m not going to explain everything in detail here again.
Here is my scenario:
1) Orchestrator Orchestration Console and Web Service installed on each of two servers.
2) Windows NLB setup across those two servers.
Here’s what I had to do to get NLB to work:
1) Out of the box the two web sites (Orchestration Console and Web Service) are installed by setup to use the DefaultAppPool. The Orchestration Console web site should both changed to use the ‘System Center 2012 Orchestrator Web Features’ Application Pool that is installed by setup since we need the web site to be running as a domain account. That app pool should have been configured to use a domain account (in my case contoso\svcorchestrator). You need to change this on both servers. To make this change:
A) Open IIS Manager from Start –> Administration Tools
B) Right click on the web site and choose Manage Web Site –> Advanced Settings…
C) Click the … button in the Application Pool row in the property sheet.
D) Choose the System Center 2012 Orchestrator Web Features app pool from the drop down.
E) Click OK, Click OK.
2) Add SPNs (you only need to do this once):
SetSPN.exe –A HTTP/orc1 contoso\svcorchestrator
SetSPN.exe –A HTTP/orc1.contoso.com contoso\svcorchestrator
SetSPN.exe –A HTTP/orc2 contoso\svcorchestrator
SetSPN.exe –A HTTP/orc2.contoso.com contoso\svcorchestrator
SetSPN.exe –A HTTP/orc contoso\svcsorchestrator
SetSPN.exe –A HTTP/orc.contoso.com contoso\svcorchestrator
Note: If you are using HTTPS then you need to use HTTPS in the commands above instead of HTTP.
3) Configure just the Web Service site to useAppPoolCredentials = “True” (see the SCSM blog post on how to do this).
4) Configure just the Orchestration Console site to have the ‘Enable Kernel-mode authentication’ checkbox unchecked.
You can configure this by doing the following:
A) Right click on the System Center 2012 Orchestrator Orchestration Console site in the navigation pane.
B) Double click the Authentication icon
C) Right click on the Windows Authentication item and choose ‘Advanced Settings’.
D) Uncheck the box.
E) Click OK
So – that’s what I figured out. If you have any other tips or corrections please share them in the comments below.