bmm6o's questions

Normally when you set up Kerberos for IIS, you would do something like setspn -A HTTP/machine some_account. When IIS 7 is installed, it registers the SPN "HOST/machine" for its kernel-mode authentication. Why does this work? Is "HOST" some kind of catch-all SPN that matches when there is no protocol-specific (e.g. "HTTP") SPN registered? Because the client will still specify the HTTP SPN in its TGT requests, right?

(Sorry if this is a simple question, "HOST" is a predictably difficult term to google)

I generally understand the problems that a load balancer poses for Kerberos. In fact, Microsoft's KB article outright states that it's not possible. However, this article - also on an MS site - suggests that there are possible workarounds.

Has anyone configured a system to use Kerberos and a load balancer? Did you need to use a Forefront server? Can you describe your setup?

Also, what is the precise functionality that the Forefront server provides that makes this work? As I understand it, each server behind the load balancer requires a different SPN and anything in front of the load balancer can't know what SPN to request a ticket for.

One feature of Forefront is the ability to pre-authenticate external users before their requests are sent to a published web application. In addition, it is supposed to be able to forward the accepted credentials to the web application (according to technet). How specifically are these credentials passed? Are they in a header? Are they sent with every request, or just the first?