Authentication fails when using ARR to load balance Lync 2013 internal web services

Tags: arr, kerberos, lync, lync-2013, windows-authentication

I'm using Application Request Routing 3.0 on Windows Server 2012 R2 to load balance the internal web services on a Lync 2013 front-end pool; I'm not using it to reverse proxy the external web services (there is a separate reverse proxy for that), I'm only using it as a load balancer because this customer doesn't have any other load balancing solution available.

I've configured DNS to point all Lync internal web services URLs to the ARR server, I've defined a server farm including the two Lync Front-End servers in the pool, and I've configured ARR to route all HTTP and HTTPS requests to this farm, regardless of the URL or host name; the default web site in IIS on the ARR server is configured only for anonymous authentication.

The requests are routed correctly, but for all the authenticated Lync web services (which are many), the authentication fails miserably.

I've determined the problem lies in Kerberos authentication, and a quick Google search found lots of people having authentication problems when publishing authenticated web sites/services through ARR with Kerberos authentication; I've tried manually disabling the "negotiate" authentication method in IIS on the Lync servers, leaving only "NTLM", and with these settings everything works fine; this indeed shows the problem is actually caused by Kerberos authentication. However, tinkering with the IIS configuration on Lync servers is totally unsupported, and any manual change is likely to be reset when a configuration update happens or a Lync update is installed, so I can't just manually configure IIS this way.

I'm looking for a (supported!) way to make authentication work on internal Lync web services when the requests are routed through an ARR server.

Can this be done? How?
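The failure described above is the classic Kerberos-behind-a-proxy problem: because DNS points the internal web services URL at the ARR host, the client asks the KDC for a service ticket for `HTTP/<web services FQDN>`, and that ticket can only be decrypted by whichever account the SPN is registered to; when that is not the account the Lync front-ends run under (or the SPN is registered nowhere), Negotiate fails and the client never gets a chance to fall back to NTLM. The read-only diagnostic below is an added example, not code from the original poster: it checks the three things that confirm this from an admin workstation. The FQDN, front-end names and IIS site name in it are placeholders you must replace with your own.

```powershell
# Added diagnostic (not from the original post): confirm why Kerberos fails when Lync
# internal web service URLs resolve to an ARR load balancer. Read-only; changes nothing.
# Assumed placeholders: $WebServicesFqdn, $FrontEnds and $FrontEndSite below.
param(
    [string]$WebServicesFqdn = 'lyncweb-int.example.com',                    # placeholder
    [string[]]$FrontEnds     = @('fe01.example.com', 'fe02.example.com'),    # placeholders
    [string]$FrontEndSite    = 'Default Web Site'                            # IIS site hosting the internal web services
)

Import-Module WebAdministration

# 1. Which account owns the SPN the client will request?
#    The browser resolves the URL to the ARR host but still asks for HTTP/<FQDN>.
#    If that SPN is on the ARR computer account (or on no account at all), the
#    front-ends cannot decrypt the ticket and authentication fails exactly as described.
Write-Host "== SPN owner for HTTP/$WebServicesFqdn =="
setspn -Q "HTTP/$WebServicesFqdn"

# 2. Authentication providers on each front-end's site, in order.
#    'Negotiate' listed before 'NTLM' means clients attempt Kerberos first; this is the
#    setting the question says was changed by hand (unsupported), so here we only read it.
Write-Host "== Windows authentication providers per front-end =="
foreach ($fe in $FrontEnds) {
    Invoke-Command -ComputerName $fe -ArgumentList $FrontEndSite -ScriptBlock {
        param($site)
        Import-Module WebAdministration
        $providers = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name providers
        [pscustomobject]@{
            Server    = $env:COMPUTERNAME
            Providers = ($providers.Collection | ForEach-Object { $_.value }) -join ', '
        }
    }
}

# 3. Does the client actually obtain a Kerberos ticket for the proxied name?
#    A ticket present here while the logon still fails points at the SPN/decryption
#    mismatch from step 1 rather than at a client-side Kerberos problem.
Write-Host "== Kerberos ticket for HTTP/$WebServicesFqdn on this client =="
klist get "HTTP/$WebServicesFqdn" | Out-Null
klist | Select-String -Pattern $WebServicesFqdn -Context 0, 3
```

Run it from a domain-joined workstation with the IIS management tools installed and WinRM access to the front-ends. The output of step 1 is the decisive piece: a supported fix has to make the SPN for the load-balanced name resolve to the same identity the front-ends validate tickets with, rather than editing the provider list on the Lync servers.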

Best Answer

After much struggling, we found no way to make Kerberos authentication work through ARR; as a workaround, we simply removed the ARR server from the domain: this forced it to skip Kerberos authentication altogether, and everything started working instantly.

I'm accepting this answer because it fixed the problem and let us use ARR to load balance Lync's internal web services, but if/when someone comes up with an answer which can actually make Kerberos authentication work, I'll be glad to accept it.