Forum Discussion
KenJ_50171
Nimbostratus
Dec 06, 2012
F5 LTM vs. Kerberos servers
I have been asked to explore what is involved in load balancing Kerberos servers. (My background: I've been handling F5 configuration for simple services for years, but I know little about Kerberos...
Kevin_Stewart
Employee
Dec 07, 2012
Well it certainly doesn't come without peril.
I would start by saying this though. Most Kerberos environments, Windows AD specifically, are self-load-balancing. If you point a query to the domain name, AD will respond from any one of the (active) domain controllers. In fact the AS_REQ message is usually destined for something like krbtgt/DOMAIN.COM (not a specific host).
If that's not your environment and you actually do need to load balance KDCs (AS/TGS services), the real trick will be in the DNS. Kerberos is heavily dependent on names (i.e. service principal names), so you need to make sure that AS_REQ and TGS_REQ messages destined for the KDC at DOMAIN.COM resolve to the BIG-IP VIP. Some Kerberos implementations also use IP constraints in the ticketing, so you may need to disable that. The easiest way to see if it works is to take a working environment, slip a BIG-IP in front of the KDC, and change the DNS entries for the domain (and krbtgt) to the VIP IP. If you see the AS_REQ passing through and an AS_REP coming back, then you're on the right path.
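The check Kevin describes (an AS_REQ passing through the VIP and an AS_REP coming back) can be done from packet captures taken on the client side and the pool-member side of the BIG-IP. The script below is an added example, not code from this thread or from F5: it classifies KDC datagrams by the outer ASN.1 APPLICATION tag that RFC 4120 assigns to each message type (AS-REQ is tag 10, AS-REP 11, TGS-REQ 12, TGS-REP 13, KRB-ERROR 30), strips the 4-octet length prefix Kerberos uses over TCP, and reports whether an AS-REQ in the capture was eventually answered by an AS-REP. The sample payloads are constructed skeletons that carry correct outer tags and a placeholder body; they are not full KDC messages, so the decoder deliberately stops at the outer envelope.

```python
"""Classify Kerberos KDC messages by outer ASN.1 APPLICATION tag (RFC 4120, section 5.10).

Purpose: confirm, from captures on either side of a load balancer, that an AS-REQ reaches
the KDC and an AS-REP (rather than only a KRB-ERROR, or nothing) comes back.
"""
import struct

# Outer APPLICATION tag numbers assigned in RFC 4120, section 5.10.
KRB_MSG_TYPES = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV",
    22: "KRB-CRED", 30: "KRB-ERROR",
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index just past the length octets)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_kerberos(payload, transport="udp"):
    """Return the Kerberos message name for one UDP datagram or one TCP record, else None.

    transport="tcp" strips the 4-octet big-endian record length (RFC 4120, section 7.2.2).
    """
    if transport == "tcp":
        if len(payload) < 4:
            return None
        (rec_len,) = struct.unpack("!I", payload[:4])
        if rec_len & 0x80000000:  # high bit is reserved; not a normal Kerberos record
            return None
        payload = payload[4:4 + rec_len]
    if not payload:
        return None
    tag = payload[0]
    # Top-level Kerberos messages are [APPLICATION n] constructed: class bits 01, constructed bit 1.
    if tag & 0xE0 != 0x60:
        return None
    tag_number = tag & 0x1F
    if tag_number == 0x1F:  # high-tag-number form is not used by Kerberos
        return None
    try:
        length, body_start = _der_length(payload, 1)
    except (ValueError, IndexError):
        return None
    # The wrapped value must be a SEQUENCE (0x30) and must fit inside the datagram.
    if length == 0 or body_start + length > len(payload) or payload[body_start] != 0x30:
        return None
    return KRB_MSG_TYPES.get(tag_number)


def kdc_exchange_status(records):
    """records: iterable of (transport, payload) in capture order.

    Returns (message names seen, verdict). Verdict is "ok" when an AS-REQ is followed by an
    AS-REP anywhere later in the capture (a KRB-ERROR such as "pre-authentication required"
    between them is normal), "error" when only KRB-ERROR answers it, "no-reply" when nothing
    answers it, and "no-request" when no AS-REQ was seen at all.
    """
    seen = [m for m in (classify_kerberos(p, t) for t, p in records) if m]
    if "AS-REQ" not in seen:
        return seen, "no-request"
    after = seen[seen.index("AS-REQ") + 1:]
    if "AS-REP" in after:
        return seen, "ok"
    if "KRB-ERROR" in after:
        return seen, "error"
    return seen, "no-reply"


# Constructed samples: correct outer tag and lengths, placeholder SEQUENCE body (not real KDC messages).
SAMPLE_AS_REQ_UDP = bytes.fromhex("6a053003020105")       # [APPLICATION 10] SEQUENCE { INTEGER 5 }
SAMPLE_AS_REP_UDP = bytes.fromhex("6b053003020105")       # [APPLICATION 11]
SAMPLE_KRB_ERROR_UDP = bytes.fromhex("7e053003020105")    # [APPLICATION 30]
SAMPLE_AS_REQ_TCP = bytes.fromhex("00000007") + SAMPLE_AS_REQ_UDP  # TCP record length prefix
SAMPLE_NOT_KERBEROS = bytes.fromhex("1234010000010000")   # constructed DNS-like header
SAMPLE_CAPTURE = [
    ("udp", SAMPLE_AS_REQ_UDP),
    ("udp", SAMPLE_KRB_ERROR_UDP),  # typical first answer: pre-auth required
    ("udp", SAMPLE_AS_REQ_UDP),     # client retries with pre-auth data
    ("udp", SAMPLE_AS_REP_UDP),
]

if __name__ == "__main__":
    print(classify_kerberos(SAMPLE_AS_REQ_TCP, "tcp"))
    print(kdc_exchange_status(SAMPLE_CAPTURE))
```

Feed it the UDP/TCP payloads of port 88 traffic from captures on both sides of the VIP: the client-side capture should show AS-REQ followed by AS-REP, and the pool-member-side capture should show the same pair arriving at the KDC the BIG-IP selected. If the client side shows "no-reply" while the server side shows "ok", the reply path (SNAT or routing back through the VIP) is the first place to look.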