Forum Discussion

scorpa_121336
Jul 18, 2013

APM and Active directory forest auth

Hello.

I couldn't find any information about how to specify which KDC BIG-IP should use to authenticate users from a given realm.

So the problem is:

In the APM settings under Active Directory servers we configured our global catalog server; for example, it holds the forest root domain example.com.

We have a lot of servers which can authenticate users from one.example.com, but in our local site we have only two; all the others are too far away to be used, except in case of failure. Therefore, after the client requests the global catalog which is set in the VPE under AD auth, APM looks through DNS for a KDC for one.example.com and finds lots of servers, then it uses a random server and creates a cache. So how do I specify which server to use for a specific realm?

 

1 Reply

  • Assuming you're talking about server side Kerberos (SSO), I can think of at least TWO options:

    1. Modify /etc/krb5.conf - set dns_lookup_realm and dns_lookup_kdc both to false and specify the KDCs in the [realms] section.

    2. If you have the DNS services module licensed, you should be able to point the system-wide DNS server setting at a VIP (DNS profile applied) and filter the incoming DNS responses, or statically respond if the values never change.
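The following is an added illustration of option 1 above; it is not configuration from the original poster or from F5. It shows a /etc/krb5.conf that disables DNS-based realm and KDC discovery and pins each realm to an explicit, ordered KDC list. The realm names follow the domains in the question; every hostname (gc1/gc2 for the forest root, dc1/dc2 for the two local one.example.com DCs, dc-remote1 for a distant fallback) is an assumed placeholder.

```ini
# /etc/krb5.conf - added example, hostnames are placeholders
[libdefaults]
    # Kerberos realm names are case-sensitive and conventionally upper case
    default_realm = EXAMPLE.COM
    # Do not use DNS TXT records to map hostnames to realms
    dns_lookup_realm = false
    # Do not use DNS SRV records (_kerberos._tcp.<realm>) to find KDCs;
    # only the hosts listed under [realms] will ever be contacted
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        # forest root / global catalog servers (assumed names)
        kdc = gc1.example.com
        kdc = gc2.example.com
        admin_server = gc1.example.com
    }
    ONE.EXAMPLE.COM = {
        # KDCs are tried in the order listed: the two local DCs first
        kdc = dc1.one.example.com
        kdc = dc2.one.example.com
        # distant DC listed last so it is only used after the local pair fails
        kdc = dc-remote1.one.example.com
        admin_server = dc1.one.example.com
    }

# With dns_lookup_realm = false, hostname-to-realm mapping must be static,
# otherwise principals for one.example.com hosts fall back to default_realm
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .one.example.com = ONE.EXAMPLE.COM
    one.example.com = ONE.EXAMPLE.COM
```

Two checks worth doing after the edit: the [domain_realm] block is not optional once dns_lookup_realm is off, because without it a child-domain host is mapped to default_realm and the ticket request goes to the wrong KDC; and a capture of port 88/udp and 88/tcp from the BIG-IP (for example with tcpdump while running kinit against a one.example.com principal) should show traffic only to the listed hosts, which confirms the SRV lookups are really gone.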