Forum Discussion
APM Kerberos Auth via/to app on physically separate LTM - reverse DNS issues...
Hello
I have an APM resource whose target is a physically separated LTM VIP (with no APM). I would like to enable KRB auth to this VIP.
To do this the LTM VIP has to have reverse DNS resolution consistent with the SPN of the server behind it. That would be OK if there was only one server - with more than one server behind the VIP, multiple PTR records would be required, and this is an illegal configuration which will only return one PTR at any time.
For policy, architectural and operational reasons I do NOT want to redefine the pool members and VIP directly on the APM box. However, I find little other choice that will enable KRB to function? Am I in error? Is there a solution I have missed? I will probably go back to NTLM as I DO have the user's password.
Thanks in advance for your help :>
2 Replies
- Max_Q_factor
Cirrocumulus
You can do Kerb SSO without DNS lookups, check out the Microsoft Exchange Server 2010 and 2013: Release Candidate (BIG-IP v11: LTM, APM, AFM)
Starting at page 111, but the part I think you will be most interested in is page 113, BIG-IP APM/LTM without DNS lookups.
- Adam_126540
Nimbostratus
That is exactly the correct answer. Summarised from the documents - basically create an SPN in AD for the LTM service.
I did not elect to do that at this time but have fallen back to NTLM in most cases.
Thanks for your help.
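To make the accepted approach concrete, here is an added example (not from this thread, and not F5's or Microsoft's own code) showing the Active Directory side of the fix: confirming why the PTR-based path cannot cover a multi-member pool, then registering one explicit SPN for the VIP name on the service account shared by the pool members. It assumes a domain-joined Windows admin host with the `setspn` tool and the `DnsClient` module available; the IP address, FQDN and account name are placeholders.

```powershell
# Added example (not from the thread): verify the reverse-DNS situation for an
# LTM VIP and register an explicit SPN for it, run from a domain-joined admin
# host. Every value below is a placeholder to replace with your own.
$VipIp      = '10.0.0.50'          # placeholder: the LTM VIP address
$VipFqdn    = 'app.example.com'    # placeholder: the name users browse to
$SvcAccount = 'EXAMPLE\svc-app'    # placeholder: account the app servers run as
$Spn        = "HTTP/$VipFqdn"

# 1. Show what a Kerberos client would derive from reverse DNS. A single IP
#    only ever yields one PTR, so the derived SPN can match at most one of the
#    servers behind the VIP; this is the limitation described in the question.
$ptr = Resolve-DnsName -Name $VipIp -Type PTR -ErrorAction SilentlyContinue
if ($ptr) {
    Write-Host "PTR for $VipIp -> $($ptr.NameHost); a client would request HTTP/$($ptr.NameHost)"
} else {
    Write-Host "No PTR for $VipIp; reverse-DNS based SPN derivation would fail"
}

# 2. Check whether the VIP SPN already exists and on which account. The same
#    SPN registered on two accounts breaks Kerberos for every client using it.
setspn -Q $Spn

# 3. Register the SPN once on the shared service account. -S checks for
#    duplicates before adding; -A would add blindly.
setspn -S $Spn $SvcAccount

# 4. Confirm the account now carries the SPN.
setspn -L $SvcAccount
```

Once the SPN exists on the account, every server behind the VIP that runs as that account can decrypt tickets issued for `HTTP/app.example.com`, so no PTR record is needed and the pool does not have to be redefined on the APM box. The matching F5-side configuration (the Kerberos SSO object referencing that SPN) is the part covered by the deployment guide pages cited in the reply above.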