This article will outline some additional configurations that are possibly required when load balancing a SharePoint site with Edge Security Pack (ESP), and Server Side Authentication set to Kerberos Constrained Delegation (KCD).
This article will not be covering the initial ESP Client Side Configuration or the KCD Server Side Configuration. Please see the following links for information regarding the implementation of this part of the configuration.
1. Enable Kerberos on SharePoint
Log into your SharePoint Admin Portal. Go to Manage Web Applications > SharePoint Site > Authentication Providers
Under Edit Authentication set Integrated Windows authentication to Negotiate (Kerberos)
2. Enable Kernel Mode Authentication
When the LoadMaster requests a Kerberos ticket it will do so using the Fully Qualified Domain Name (FQDN) of the Real Server.
The Kerberos server or Domain Controller, will encrypt the ticket using the credentials of the Real Server. This can cause issues when connecting to your SharePoint Site resulting in a 401 Authentication popup.
A simple solution to this behavior is to enable Kernel Mode Authentication on the IIS Server.
IIS Manager > SharePoint > Authentication > Windows Integrated Authentication > Advanced Settings > Enable Kernel Mode Authentication.
3. SPN Service Account
In some scenarios it won't be possible to enable Kernel Mode Authentication. Some examples being when SharePoint has some back end servers that need to connect directly to SharePoint, or there are internal clients connecting directly to SharePoint. In these cases Kernel Mode Authentication will need to be disabled.
If this is the case, the Kerberos server will need to encrypt the KCD ticket using the SharePoint Service Account.
The SharePoint Service Account can be found under IIS Manager > Application Pools > SharePoint Site or in the SharePoint Admin Portal under Security > Configure Service Accounts.
Once the SharePoint Service Account has been retrieved, open the command line on your Domain Controller and run the following command:
SetSPN -s HTTP/IIS_SERVER_FQDN domain\SharePoint Service Account