Using the Negotiate web authentication method

The Windows Session Provider supports several authentication methods. One of them is the Negotiate method. Negotiate lets the client and server choose between Kerberos and NTLM; when possible, Negotiate selects Kerberos, since it is the more secure of the two protocols.

Negotiate may only be enabled on routers that run on the same host as the Windows Session Provider. This is due to how the Kerberos protocol works: if the Kerberos ticket is issued for the router host but validated by a Windows Session Provider on another host, validation will fail.

If fail-over of the Windows Session Provider must work in a multi-host grid, Negotiate should be disabled. Even in a multi-host scenario, it is recommended to run the Windows Session Provider on only one host and one node at a time.

Service Principal Names

A service principal name (SPN) is the unique identifier of an instance of a service. For Kerberos authentication to work, the correct SPNs must be registered for the router hosts. See the documentation for your KDC (Kerberos Key Distribution Center) and host operating system for how to register an SPN for a specific host.
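The following PowerShell snippet is an added example, not part of the product documentation: it uses the Windows setspn.exe tool to confirm that an SPN is registered for each router host on which Negotiate is enabled, and reports duplicate SPNs, which also break Kerberos. The HTTP service class and the router host names are assumptions; substitute the service class your deployment actually uses.

```powershell
# Added example (not from the product docs). Run on a domain-joined machine
# with setspn.exe available. Assumed values: service class HTTP and the
# router host names below; replace them with your own.
param(
    [string[]]$RouterHosts = @('router01.example.local'),  # assumed host names
    [string]$ServiceClass  = 'HTTP'                         # assumed service class
)

function Test-RouterSpn {
    param([string]$Spn)
    # setspn -Q queries the forest for an existing SPN and prints
    # "Existing SPN found!" when it is registered to some account.
    $out = & setspn.exe -Q $Spn 2>&1
    if ($out -match 'Existing SPN found') {
        # Lines starting with CN= name the account that owns the SPN.
        $owner = ($out | Where-Object { $_ -match '^CN=' }) -join '; '
        Write-Host "OK      $Spn is registered to: $owner"
        return $true
    }
    Write-Warning "MISSING $Spn is not registered. Kerberos cannot be used for this host, so Negotiate will fall back to NTLM or fail."
    return $false
}

$allOk = $true
foreach ($h in $RouterHosts) {
    $fqdnSpn = "$ServiceClass/$h"
    if (-not (Test-RouterSpn -Spn $fqdnSpn)) { $allOk = $false }
}

# setspn -X reports SPNs registered to more than one account; a duplicate
# makes the KDC unable to pick a service account and Kerberos fails.
$dups = & setspn.exe -X 2>&1
if ($dups -match 'found 0 group') {
    Write-Host 'OK      no duplicate SPNs found'
} else {
    Write-Warning 'Duplicate SPNs reported by setspn -X; review the output below:'
    $dups
    $allOk = $false
}

if ($allOk) { Write-Host 'SPN check passed for all router hosts.' }
```

Run it from an elevated PowerShell prompt on the router host; the check is read-only and makes no changes to Active Directory.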