Forum Discussion
KenJ_50171
Nimbostratus
Dec 06, 2012
F5 LTM vs. Kerberos servers
I have been asked to explore what is involved in load balancing Kerberos servers. (My background: I've been handling F5 configuration for simple services for years, but I know little about Kerberos.)
I can find plenty on the web about load balancing Kerberos-authorized services; however, this task is about load balancing the authentication and ticket-granting servers of Kerberos.
Any pointers? Any screams of "Don't do it!!"? Thanks...
4 Replies
- Kevin_Stewart
Employee
Well it certainly doesn't come without peril.
I would start by saying this though. Most Kerberos environments, Windows AD specifically, are self-load-balancing. If you point a query to the domain name, AD will respond from any one of the (active) domain controllers. In fact the AS_REQ message is usually destined for something like krbtgt/DOMAIN.COM (not a specific host).
If that's not your environment and you actually do need to load balance KDCs (AS/TGS services), the real trick will be in the DNS. Kerberos is heavily dependent on names (i.e. service principal names), so you need to make sure that AS_REQ and TGS_REQ messages destined for the KDC at DOMAIN.COM resolve to the BIG-IP VIP. Some Kerberos implementations also use IP constraints in the ticketing, so you may need to disable that. The easiest way to see if it works is to take a working environment, slip a BIG-IP in front of the KDC, and change the DNS entries for the domain (and krbtgt) to the VIP IP. If you see the AS_REQ passing through and an AS_REP coming back, then you're on the right path.
- What's going to be pointing at the Kerberos VIP? If it's APM, I would strongly advise against it, as we've come across design issues with the way APM and Kerberos authentication work together, and issues around timeouts/delays and APM marking the VIP down for 10 minutes and stopping all Kerberos authentication.
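One way to run Kevin's "AS_REQ passing through and an AS_REP coming back" check against a packet capture taken on the VIP: this added Python example (not code from the thread or from F5) classifies the KDC messages in a captured Kerberos TCP byte stream by their outer ASN.1 APPLICATION tag and decodes the error-code of any KRB-ERROR, so a KDC that answers with KDC_ERR_PREAUTH_REQUIRED is still visibly reachable while a silent VIP is not. The tag and error-code values are those of RFC 4120; the sample stream is hand-constructed minimal DER, not a real capture, and classify_message also works on single UDP datagrams.

```python
import struct
# Outer [APPLICATION n] tags of KDC messages (RFC 4120, section 5.10).
KRB_MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}
# A few KRB-ERROR error-code values (RFC 4120, section 7.5.9); others are shown numerically.
KRB_ERR_NAMES = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 25: "KDC_ERR_PREAUTH_REQUIRED", 68: "KRB_ERR_WRONG_REALM"}

def der_tlv(buf, pos=0):  # -> (tag, value_start, value_end); Kerberos only uses single-byte tags
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def krb_error_code(msg):
    """Return the error-code ([6] INTEGER) of a DER KRB-ERROR, or None if absent."""
    _, pos, _ = der_tlv(msg)                # [APPLICATION 30]
    _, pos, end = der_tlv(msg, pos)         # SEQUENCE of context-tagged fields
    while pos < end:
        tag, vs, ve = der_tlv(msg, pos)
        if tag == 0xA6:                     # [6] error-code
            _, s, e = der_tlv(msg, vs)
            return int.from_bytes(msg[s:e], "big", signed=True)
        pos = ve
    return None

def classify_message(msg):
    """Name one DER KDC message (a UDP datagram, or a TCP record without its length prefix)."""
    if not msg or msg[0] & 0xE0 != 0x60: return "UNKNOWN"   # not a constructed [APPLICATION n]
    name = KRB_MSG_TYPES.get(msg[0] & 0x1F, "UNKNOWN")
    if name == "KRB-ERROR":
        code = krb_error_code(msg)
        name += "(%s)" % KRB_ERR_NAMES.get(code, code)
    return name

def classify_stream(data):  # captured TCP stream: 4-byte big-endian length per record (RFC 4120 7.2.2)
    names, pos = [], 0
    while pos + 4 <= len(data):
        (n,) = struct.unpack("!I", data[pos:pos + 4])
        names.append(classify_message(data[pos + 4:pos + 4 + n]))
        pos += 4 + n
    return names

# Constructed sample data: hand-built minimal DER (pvno/msg-type/error-code only), not a real capture.
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths suffice here
_pvno = _der(0xA0, _der(0x02, b"\x05"))     # [0] pvno 5 (AS-REQ carries pvno in [1], msg-type in [2])
AS_REQ = _der(0x6A, _der(0x30, _der(0xA1, _der(0x02, b"\x05")) + _der(0xA2, _der(0x02, b"\x0a"))))
AS_REP = _der(0x6B, _der(0x30, _pvno + _der(0xA1, _der(0x02, b"\x0b"))))
KRB_ERR = _der(0x7E, _der(0x30, _pvno + _der(0xA1, _der(0x02, b"\x1e")) + _der(0xA6, _der(0x02, b"\x19"))))
SAMPLE_STREAM = b"".join(struct.pack("!I", len(m)) + m for m in (AS_REQ, KRB_ERR, AS_REQ, AS_REP))
```

Feed it the reassembled TCP payload of a port 88 conversation captured on the BIG-IP; an AS-REQ followed by either AS-REP or a KRB-ERROR from the KDC shows the VIP is passing traffic, whereas AS-REQ records with nothing after them point at the DNS or pool configuration.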
- Kevin_Stewart
Employee
In regard to your points Andrew, I'd absolutely agree that APM is NOT a good fit for load balancing Kerberos servers. APM is a Kerberos proxy and end point. The load balancing would be handled by LTM alone.
Can you elaborate on the issues you've observed in APM Kerberos?
- We logged a case with F5 and have found out what has happened and why, but essentially this is what we had....
APM set up to use "AD Server" for authentication in its policies. When pointing to a VIP or using the pool of domain controllers (something they introduced in 11.2, I believe it was), if the domain controller took more than 10 seconds to respond to a Kerberos request (for some unknown reason ours could take up to 20 seconds and seemed to queue the Kerberos requests), APM would mark the domain controller as down (which was a VIP), and not authenticate users for 10 minutes. The PD team have confirmed that this is expected functionality within the product.
When you use DNS to discover the domain controllers in APM (which had other implications for us around slow link sites etc.), then the F5 would hit one domain controller, wait 10 seconds, then hit the next until it had exhausted the list (so for us it would go through over 6 DCs if that ever happened).
So, I guess it all depends on your AD setup, but we had a lot of issues around getting high availability AND control over what domain controllers we could use.