Cannot connect to a PI AF server through a Network Load Balancer
- Last Updated: Oct 02, 2024
- PI System
- PI Server 2024 R2
- PI Server
If you cannot log in to your PI AF server from a PI AF client that connects through a Network Load Balancer (NLB), you may need to configure the network load balancer service to use Kerberos authentication.
In this scenario, a connection attempt to the PI AF server returns a login prompt. After you enter your credentials, the connection attempt fails and another login prompt is displayed. Repeated logon prompts indicate a problem with authentication. By default, connections between the PI AF client and the PI AF server use the Kerberos protocol for authentication, and fall back to NTLM authentication if Kerberos authentication fails.
Note: Kerberos authentication is recommended over NTLM authentication for the connection between PI AF clients and PI AF servers.
To resolve this issue:
- Ensure that all PI AF servers that the NLB connects to are running as the same domain account.
- Make sure that the PI AF server's Service Principal Name (SPN) exists for the hostname and for the fully qualified domain name (FQDN) on all members. See View existing SPNs for the PI AF Application Service.
- For Kerberos, manually create PI AF server SPNs for the hostname and the FQDN of the NLB using the following commands:
    setspn -s AFServer/NLB_Name Domain\ServiceAccount
    setspn -s AFServer/NLB_FQDN Domain\ServiceAccount
- If you use NTLM as the authentication protocol for connections to PI AF, disable the Loopback Check on the PI AF server machines. For more details, refer to this Microsoft article: Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1.
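One way to check the SPN steps above before retesting the connection, as an added example that is not part of the original article: the function looks up which account holds each AFServer SPN and flags missing, duplicate, or wrongly owned entries, any of which makes Kerberos fail and the client fall back to NTLM. The function name Test-AFServerSpn and the sample host names are hypothetical; NLB_Name, NLB_FQDN and ServiceAccount are the article's placeholders.

```powershell
# Added example: Test-AFServerSpn is a hypothetical helper, not an AVEVA or Microsoft cmdlet.
# Assumption: run on a domain-joined machine; the search covers the current domain only.
function Test-AFServerSpn {
    param(
        # NLB short name, NLB FQDN, and the hostname/FQDN of each PI AF server behind the NLB
        [Parameter(Mandatory)] [string[]] $HostNames,
        # sAMAccountName of the shared service account, without the "Domain\" prefix
        [Parameter(Mandatory)] [string]   $ServiceAccount
    )

    foreach ($name in $HostNames) {
        $spn = "AFServer/$name"

        # LDAP lookup of every account that has this SPN registered.
        # Host names need no LDAP filter escaping; do not pass untrusted input here.
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        $owners = @($searcher.FindAll() |
            ForEach-Object { [string]$_.Properties['samaccountname'][0] })

        if     ($owners.Count -eq 0)            { $status = 'Missing' }      # create it with setspn -s
        elseif ($owners.Count -gt 1)            { $status = 'Duplicate' }    # remove the extra registration
        elseif ($owners[0] -ne $ServiceAccount) { $status = 'WrongAccount' } # servers must share one account
        else                                    { $status = 'OK' }

        [pscustomobject]@{
            SPN    = $spn
            Owners = $owners -join ', '
            Status = $status
        }
    }
}

# Usage with the article's placeholders (replace with real names):
# Test-AFServerSpn -HostNames 'NLB_Name', 'NLB_FQDN' -ServiceAccount 'ServiceAccount' |
#     Format-Table -AutoSize
```

Any row whose Status is not OK points at the step in the list above that still needs attention.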