[squid-users] kerberos authentication with load balancers

From: Joseph Spadavecchia <jspadavecchia_at_bloxx.com>
Date: Thu, 6 Feb 2014 11:46:54 +0000

Hi there,

What is the recommended way to configure Kerberos authentication behind two load balancers?

AFAIK, based on the mailing lists, I should

1) Create a user account KrbUser on the AD server and add an SPN HTTP/loadbalancer.example.com for the load balancer
2) Join the domain with Kerberos and kinit
3) net ads keytab add HTTP/loadbalancer.example.com@REALM -U KrbUser
4) update squid.conf with an auth helper like negotiate_kerberos_auth -s HTTP/loadbalancer.example.com@REALM

Unfortunately, when I try this it fails.

The only way I could get it to work at all was by removing the SPN from the KrbUser and associating the SPN with the machine trust account (of the proxy behind the load balancer). However, this is not a viable solution since there are two machines behind the load balancer and AD only allows you to associate an SPN with one account.

Furthermore, given that I needed step (4) above, is it possible to have load balanced Kerberos authentication working with multiple realms? If so, then how?

Many thanks.
Received on Thu Feb 06 2014 - 11:47:41 MST
