How to Configure the Orchestration Console Web Site or the Web Service for Load Balancing


After slogging through configuring the SCSM web interfaces for load balancing I thought I would try to get it going with Orchestrator.  It was fortunately much easier this time since I knew what to look for and experiment with.  You should probably read the SCSM blog post as a bit of background to this.  I’m not going to explain everything in detail here again.

Here is my scenario:

1) Orchestrator Orchestration Console and Web Service installed on each of two servers.

2) Windows NLB set up across those two servers.


 

Here’s what I had to do to get NLB to work:

1) Out of the box the two web sites (Orchestration Console and Web Service) are installed by setup to use the DefaultAppPool.  The Orchestration Console web site should be changed to use the ‘System Center 2012 Orchestrator Web Features’ application pool that is installed by setup, since we need the web site to be running as a domain account.  That app pool should have been configured to use a domain account (in my case contoso\svcorchestrator).  You need to change this on both servers.  To make this change:

A) Open IIS Manager from Start –> Administrative Tools

B) Right click on the web site and choose Manage Web Site –> Advanced Settings… 

C) Click the … button in the Application Pool row in the property sheet.

D) Choose the System Center 2012 Orchestrator Web Features app pool from the drop down.

E) Click OK, Click OK.

 

2) Add SPNs (you only need to do this once):

SetSPN.exe -A HTTP/orc1 contoso\svcorchestrator

SetSPN.exe -A HTTP/orc1.contoso.com contoso\svcorchestrator

SetSPN.exe -A HTTP/orc2 contoso\svcorchestrator

SetSPN.exe -A HTTP/orc2.contoso.com contoso\svcorchestrator

SetSPN.exe -A HTTP/orc contoso\svcorchestrator

SetSPN.exe -A HTTP/orc.contoso.com contoso\svcorchestrator

 

Note: If you are using HTTPS then you need to use HTTPS in the commands above instead of HTTP.

 

3) Configure just the Web Service site to useAppPoolCredentials = “True” (see the SCSM blog post on how to do this).

4) Configure just the Orchestration Console site to have the ‘Enable Kernel-mode authentication’ checkbox unchecked.

 


You can configure this by doing the following:

A) Right click on the System Center 2012 Orchestrator Orchestration Console site in the navigation pane.

B) Double click the Authentication icon


C) Right click on the Windows Authentication item and choose ‘Advanced Settings’.

D) Uncheck the box.

E) Click OK
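
To confirm that a node ended up in the state steps 1 through 4 describe, a read-only PowerShell check like the one below can be run on each server. It is an added example, not part of the original post; the Web Service site name is a placeholder to fill in from IIS Manager, and the parsing assumes that setspn.exe -Q prints each account holding an SPN on a line starting with CN=.

```powershell
# Added example, not from the original post. Read-only; run elevated on each node.
Import-Module WebAdministration

# Names from the post; $serviceSite is a placeholder to fill in (assumption).
$consoleSite = 'System Center 2012 Orchestrator Orchestration Console'
$serviceSite = '<Web Service site name as shown in IIS Manager>'
$appPool     = 'System Center 2012 Orchestrator Web Features'
$account     = 'contoso\svcorchestrator'
$spns        = 'HTTP/orc1', 'HTTP/orc1.contoso.com', 'HTTP/orc2',
               'HTTP/orc2.contoso.com', 'HTTP/orc', 'HTTP/orc.contoso.com'
$winAuth     = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WinAuthSetting([string]$Site, [string]$Name) {
    # Reads the attribute from the site's <location> entry in applicationHost.config.
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter $winAuth -Name $Name).Value
}

function New-Check([string]$Name, $Expected, $Actual) {
    New-Object psobject -Property @{ Check = $Name; Expected = "$Expected"
        Actual = "$Actual"; OK = ("$Actual" -eq "$Expected") }
}

$checks = @(
    # Step 1: console site runs in the Orchestrator pool under the domain account.
    New-Check 'Console app pool' $appPool (Get-Item "IIS:\Sites\$consoleSite").applicationPool
    New-Check 'App pool identity' $account (Get-Item "IIS:\AppPools\$appPool").processModel.userName
    # Step 3: Web Service site only.
    New-Check 'Service useAppPoolCredentials' $true (Get-WinAuthSetting $serviceSite 'useAppPoolCredentials')
    # Step 4: Orchestration Console site only.
    New-Check 'Console useKernelMode' $false (Get-WinAuthSetting $consoleSite 'useKernelMode')
)

# Step 2: each SPN must be held by exactly one account, and that account is the pool identity.
foreach ($spn in $spns) {
    $holders = @(& setspn.exe -Q $spn | Where-Object { $_ -match '^CN=' })
    $checks += New-Check "SPN $spn holders" 1 $holders.Count
}
$registered = & setspn.exe -L $account | ForEach-Object { $_.Trim() }
$missing    = @($spns | Where-Object { $registered -notcontains $_ })
$checks += New-Check 'SPNs missing from account' '' ($missing -join ', ')

$checks | Select-Object Check, Expected, Actual, OK | Format-Table -AutoSize
```

A holder count of 0 means the SPN was never registered (for example because the account name was mistyped), and a count above 1 means a duplicate SPN, which breaks Kerberos authentication for that name.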

 

Now you can configure your SCSM –> Orchestrator connector to use the load balanced URLs (e.g. http://orc:82 and http://orc:81/Orchestrator2012/Orchestrator.svc ) for high availability!

So – that’s what I figured out.  If you have any other tips or corrections please share them in the comments below.

  • Thank you for the description.

    Wouldn't it be necessary to change the Orchestration Console web.config as well

    From (presumably)

    <add key="ScoServiceUri" value="http://ORC1:81/Orchestrator2012/Orchestrator.svc"/>

    To

    <add key="ScoServiceUri" value="orc.contoso.com/.../>

    or

    <add key="ScoServiceUri" value="http://ORC:81/Orchestrator2012/Orchestrator.svc"/>

    to make sure that the webservice requests that are made when using the Orchestration Console

    are load balanced, too?

    (In my case it was necessary because I configured two NLB-IPs and the webs to listen only on

    their respective NLB-IP-address and Port 80 while in the scenario you are describing this is only

    a question of being consistent.)

    Regarding the steps taken to enable kerberos authentication:

    Would you mind commenting on the reason why the UseAppPoolCredentials

    setting cannot be used for the Orchestration Console Web

    (instead of disabling the kernel mode authentication there)?

  • Is it possible to get this working using DNS round robin instead of NLB?