Deploy Devolutions Server as an HA Web Server Farm behind a Load Balancer with Windows Authentication configured for Remote Desktop Manager.
In deploying Devolutions Server (DPS) as an HA pair using the provided documentation, I noticed that, while almost everything worked, RDM was not able to connect using Windows Authentication if I used the load-balanced name. Connecting directly to one of the DPS servers via its name worked, or setting RDM to prompt for credentials (or manually setting credentials for the DPS data source) worked. In the logs I could see Kerberos failures, so I knew this was probably a Kerberos ticket decryption problem. What I found was missing was the final step (the appcmd useAppPoolCredentials command) in the Configure IIS section below. This document shows how we installed DPS to be HA while allowing RDM to continue to authenticate via Windows Authentication / Negotiate / Kerberos. As a best practice, it is recommended to add the node under a new namespace, leaving the original server alone as a failback. You can then repeat the steps below to have two HA servers with a shared Kerberos SPN and a failback server should something not work.
Disclaimer: I do not work for Devolutions; I am a customer. While the below steps worked for me, under no circumstances shall I be liable to any person or entity for any direct, indirect, special, incidental, or consequential damages of any property arising as a result of the instructions in this document. This document was written in my free time and does not indicate any endorsement from my employer.
Pre-requisites:
- Working DPS installation (we will be adding additional web frontends) with a DPS Enterprise license (needed for more than one but up to three web frontends)
- Windows authentication is already in place on the existing DPS installation
- Active Directory Service account that has access to DPS
- Windows Server (I used 2019 but this should work on 2012R2 or 2016)
- SSL certificate that, minimally, has the shared namespace of the server, but recommended to also include the FQDN names of your individual nodes
- Layer 4 or Layer 7 load balancer (configuration is beyond the scope of this document but we use Kemp as a Layer 7 and have had no issues). Note: Layer 7 is recommended so the X-Forwarded-For header can be added. DNS should be pointed to it (or swung over after installation if re-using existing DNS name)
- DPS installation exe (I used 2021.2.8.0, but I suspect this should work on most previous and all future versions)
- rewrite_amd64_en-US.msi (everything else is installed by the PowerShell script; the installer was found at "URL Rewrite : The Official Microsoft IIS Site" at the time of this writing)
- An export of the encryption keys from the production DPS
- Domain administrator permissions to create and assign a new SPN
Example Names used in this document:
- mydomain.com – domain name in use by Active Directory
- MYDOMAIN – NT (NETBIOS) Active Directory Domain name
- legacysrv – server with DPS already installed
- newsrv – new server we will be adding
- serverfarm.mydomain.com – namespace we will be using as the HA name (pointed to the load balancer)
- svcdevolutions – Active Directory service account used to access DPS and run the scheduler service
Create SPN:
- As a domain administrator, run the following command (substitute the example names with your own):
Setspn.exe -U -S http/serverfarm.mydomain.com MYDOMAIN\svcdevolutions
Setspn.exe -U -S http/serverfarm MYDOMAIN\svcdevolutions
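The two Setspn commands register the SPN on the service account (-U says the target is a user account, -S checks for an existing duplicate before adding). Kerberos failures behind a load balancer are most often a missing SPN or the same SPN registered on two accounts (for example left over on the legacy server's computer account), so it is worth verifying both forms before touching IIS. The script below is an added example, not part of the original post; it uses the document's example names and an ADSI search of the current domain.

```powershell
# Added example (not from the original post): verify that the HTTP SPNs for the
# HA namespace are registered exactly once, on the account the DPS app pool runs as.
# Names default to the document's example names; override them as needed.
param(
    [string]$Namespace      = 'serverfarm.mydomain.com',
    [string]$ServiceAccount = 'svcdevolutions'
)

function Find-SpnHolders {
    # Returns the sAMAccountName of every AD object holding the given SPN.
    param([Parameter(Mandatory)][string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

$shortName = $Namespace.Split('.')[0]
$expected  = @("http/$Namespace", "http/$shortName")   # FQDN and NetBIOS forms
$ok = $true

foreach ($spn in $expected) {
    $holders = @(Find-SpnHolders -Spn $spn)
    switch ($holders.Count) {
        0 {
            Write-Warning "$spn is not registered on any account"
            $ok = $false
        }
        1 {
            if ($holders[0] -ieq $ServiceAccount) {
                Write-Host "$spn -> $($holders[0]) (OK)"
            } else {
                Write-Warning "$spn is registered on $($holders[0]), not on $ServiceAccount"
                $ok = $false
            }
        }
        default {
            # Two holders means the KDC cannot pick a key; clients get KRB errors.
            Write-Warning "$spn is DUPLICATED on: $($holders -join ', ')"
            $ok = $false
        }
    }
}

if (-not $ok) { Write-Host 'Run "setspn -X" to list forest-wide duplicate SPNs.' }
```

Run it as any domain user after the Setspn commands; both lines should print OK against the service account. If the namespace was previously a host name, expect to find a duplicate on that machine's computer account.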
Installing DPS:
- On a freshly deployed Windows Server, run the DPS Console installer (Setup.DPS.Console.2021.2.8.0.exe as of the time of this writing) as an admin. When complete and prompted to launch the console, uncheck launch console.
- Open a PowerShell Prompt as admin and navigate to the Scripts directory under the installation path (default is 'C:\Program Files (x86)\Devolutions\Devolutions Server Console\Scripts\')
- Run & .\DVLS-Prerequisites.ps1 (this will install 95% of your prerequisites, including IIS)
- After installation is complete, install rewrite_amd64_en-US.msi
- Now that IIS is installed, bind the Default web site to 443 using your SSL certificate
Configure DPS Console:
- Launch DPS Console
- Click Install New Instance
- When prompted for IIS Settings, click Configure next to Application Pool
- Set the Identity Type to SpecifiedUser and provide the credentials (as MYDOMAIN\svcdevolutions)
- Import the Encryption Keys
- After installation, click on the Companions tab and click Install under Scheduler Service
- Specify the Service Account (as MYDOMAIN\svcdevolutions)
Note: if this fails, open Services.msc, go to DevolutionsSchedulerService (dps) and open its properties. Select the Log On tab and re-enter the credentials. Click OK and then start the service. Once you confirm the service is running, stop the service and set the Startup type to Manual. You only want one instance of the Scheduler running, so whichever server is deemed the primary should be the only one with the Scheduler running; it is good to have it installed and in standby on your other server(s) in case the primary server fails.
Configure IIS:
- Open IIS Manager and navigate to the server's name and double-click Feature Delegation
- Click Authentication – Anonymous and select Read/Write in the Actions tab
- Click Authentication – Windows and select Read/Write in the Actions tab
- Back in IIS on the Server level, double-click on Logging
- Click Select Fields
- Click Add Field
- In Field Name, type X-Forwarded-For and in the Source, type X-Forwarded-For
- Click OK
- Click Apply
- From a command prompt, run the following command to tell IIS to use the AppPool's identity for decrypting Kerberos tickets while still running in the much faster kernel mode (note: the command below is all one line, so copy/paste it into Notepad first to make sure)
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true
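The whole Configure IIS section can be applied and, more importantly, verified from PowerShell with the WebAdministration module, which is handy when you have to repeat it on a second node. The script below is an added example and is not part of the original post or of Devolutions' installer; it assumes IIS and the WebAdministration module are present (the prerequisites script installs IIS) and is run elevated on each DPS web node.

```powershell
# Added example, not from the original post: apply the Feature Delegation,
# X-Forwarded-For logging and useAppPoolCredentials settings from the
# "Configure IIS" section, then verify the two attributes Kerberos depends on.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authBase = 'system.webServer/security/authentication'

# 1. Feature Delegation: Read/Write for Authentication - Anonymous and
#    Authentication - Windows is overrideMode=Allow on those two sections.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    Set-WebConfiguration -PSPath $appHost -Filter "$authBase/$section" `
        -Metadata overrideMode -Value Allow
}

# 2. Logging: record the X-Forwarded-For header the Layer 7 load balancer adds,
#    so the W3C log shows the real client IP and not the balancer's. Idempotent.
$fieldsFilter = 'system.applicationHost/sites/siteDefaults/logFile/customFields'
$existing = Get-WebConfigurationProperty -PSPath $appHost -Filter $fieldsFilter -Name Collection |
    Where-Object { $_.logFieldName -eq 'X-Forwarded-For' }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter $fieldsFilter -Name '.' -Value @{
        logFieldName = 'X-Forwarded-For'
        sourceName   = 'X-Forwarded-For'
        sourceType   = 'RequestHeader'
    }
}

# 3. Kerberos: decrypt service tickets with the app pool identity (the account
#    that holds the http/serverfarm SPN) while keeping kernel-mode authentication.
#    Same effect as the appcmd -useAppPoolCredentials:true command.
Set-WebConfigurationProperty -PSPath $appHost -Filter "$authBase/windowsAuthentication" `
    -Name useAppPoolCredentials -Value $true

# Verify. With useKernelMode=true and useAppPoolCredentials=false, http.sys
# tries the machine account key and tickets for the shared SPN cannot be decrypted.
$win = Get-WebConfiguration -PSPath $appHost -Filter "$authBase/windowsAuthentication"
[pscustomobject]@{
    useAppPoolCredentials = $win.useAppPoolCredentials
    useKernelMode         = $win.useKernelMode
}
if (-not ($win.useAppPoolCredentials -and $win.useKernelMode)) {
    Write-Warning 'windowsAuthentication is not set up for a shared SPN: check useAppPoolCredentials and useKernelMode'
}
```

The verification block at the end is the part worth keeping in a post-deployment checklist: both values must read True on every node behind the load balancer, otherwise the node whose machine key does not match the ticket will return 401 for Kerberos clients while the other node works.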
Configure DPS Web Interface:
In the DPS web-based interface, go to Administration - Server Settings - General - DNS Name, and provide the namespace of your load balancer (serverfarm.mydomain.com in this document's example names).
Now, when your RDM points to the new namespace, it should be able to use Windows Authentication to connect to it.
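Before pointing RDM at the new name, it is worth confirming from a domain-joined client that the HA name really authenticates with Kerberos and does not silently fall back to NTLM or a prompt. The check below is an added example, not part of the original post; it assumes the standard klist.exe output format ("Server: http/<name> @ <REALM>") and that the site answers on https://serverfarm.mydomain.com/.

```powershell
# Added example (not from the original post): end-to-end Kerberos check against
# the load-balanced DPS name from a domain-joined client.
param([string]$Namespace = 'serverfarm.mydomain.com')

function Test-KerberosAuth {
    param([Parameter(Mandatory)][string]$Name)

    # Start from an empty ticket cache so the result reflects this run, then ask
    # the KDC for the same service ticket RDM or a browser would request.
    klist purge | Out-Null
    klist get "http/$Name" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # No ticket at all: SPN missing or duplicated, or the name is not in the realm.
        return [pscustomobject]@{ Name = $Name; TicketIssued = $false; HttpStatus = $null; Kerberos = $false }
    }

    # Authenticate to the site with the logged-on user's Negotiate token.
    try {
        $resp   = Invoke-WebRequest -Uri "https://$Name/" -UseDefaultCredentials -UseBasicParsing
        $status = [int]$resp.StatusCode
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }

    # A cached ticket for the SPN after the request means Kerberos was offered;
    # a 401 with the ticket present points at the server side (SPN registered on
    # the wrong account, or useAppPoolCredentials not set on that node).
    $cached = (klist) -match "Server:\s+http/$([regex]::Escape($Name))\s*@"
    [pscustomobject]@{
        Name         = $Name
        TicketIssued = $true
        HttpStatus   = $status
        Kerberos     = ($status -eq 200 -and [bool]$cached)
    }
}

Test-KerberosAuth -Name $Namespace
```

Run it a few times so the load balancer sends requests to each node; a node that was missed in the Configure IIS section shows up as an intermittent 401 while TicketIssued stays True.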