Forum Discussion

Julio_Navarro
Aug 20, 2015

Kerberos - Serving a URL in different datacenters

Hello!

I have a very interesting issue.

Scenario 1 (that is working flawlessly):

LTM

VIP 1.2.3.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth -> Success :-)

DNS

mysite.mydomain.com A Record 1.2.3.4
1.2.3.4 PTR Record mysite.mydomain.com

As the articles linked below explain, Kerberos is very picky about time and DNS resolution, so it took some time to have everything in sync and working. No problem with that. Kerberos depends on DNS reverse resolution to work, as explained in detail here:

https://devcentral.f5.com/questions/problems-with-using-kerberos-authentication

https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos

Now, here is the monkey wrench:

Scenario 2 (this is for load balancing and redundancy between data centers):

GTM

mysite.gtm.mydomain.com -> VIP Server 1.2.3.4 and 10.10.10.4

DNS

mysite.mydomain.com CNAME Record mysite.gtm.mydomain.com
???.???.???.??? PTR Record ????????.mydomain.com

Data Center EAST COAST

LTM

VIP 1.2.3.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth

Data Center WEST COAST

LTM

VIP 10.10.10.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth

Any ideas? Thank you in advance

J

2 Replies

  • If you have the ability to capture Kerberos traffic between the client and KDC, look at the TGS_REQ being sent by the client. Your APMs are probably set up to authenticate (have a keytab) for mysite.mydomain.com, but you find that your clients are requesting tickets for mysite.gtm.mydomain.com. In any case, you'll need to add that as an SPN to the same account and then create a multi-SPN keytab.


  • Thank you Kevin!

    You gave me some direction, and in the end I used a single SPN, but with the record mysite.gtm.mydomain.com.

    I had to add two PTR records:

    1.2.3.4 PTR mysite.gtm.mydomain.com
    10.10.10.4 PTR mysite.gtm.mydomain.com
    

    The user will request the URL mysite.mydomain.com but the browser will query the 401 HTTP Request using mysite.gtm.mydomain.com and voila! It works like a charm!
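The mechanism in both replies (the client follows the CNAME and asks the KDC for a ticket for HTTP/mysite.gtm.mydomain.com, which the APM keytab must cover, and each VIP needs a PTR pointing back at that same name) can be modelled offline. The script below is an added example, not code from this thread or from F5: the DNS zone and keytab SPN lists are constructed from the names in the posts, and the assumption that the client canonicalises through the CNAME before building the SPN is taken from Kevin's reply (some browsers can be configured not to do this).

```python
# Added example (not from the thread or from F5): model the SPN a Kerberos
# client derives for a URL whose host is a CNAME, and check it against the SPNs
# an APM keytab holds plus the PTR records the forward name resolves to.
# Assumption (taken from the replies): the client follows the CNAME chain and
# builds HTTP/<canonical name>; some browsers can be configured not to.

# Constructed zone reproducing scenario 2 from the thread (not real DNS data).
ZONE_SCENARIO_2 = {
    "mysite.mydomain.com.": ("CNAME", "mysite.gtm.mydomain.com."),
    "mysite.gtm.mydomain.com.": ("A", ["1.2.3.4", "10.10.10.4"]),
    "4.3.2.1.in-addr.arpa.": ("PTR", "mysite.gtm.mydomain.com."),
    "4.10.10.10.in-addr.arpa.": ("PTR", "mysite.gtm.mydomain.com."),
}


def _fqdn(name):
    """Normalise to a lower-case, dot-terminated DNS name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def canonical_name(host, zone, max_depth=8):
    """Follow CNAME records until an owner name that is not a CNAME is reached."""
    name = _fqdn(host)
    for _ in range(max_depth):
        rec = zone.get(name)
        if rec is None or rec[0] != "CNAME":
            return name
        name = _fqdn(rec[1])
    raise ValueError("CNAME chain too long or looped: %s" % host)


def expected_spn(url_host, zone):
    """SPN the client will ask the KDC for in its TGS-REQ (assumed behaviour)."""
    return "HTTP/" + canonical_name(url_host, zone).rstrip(".")


def reverse_name(ipv4):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def ptr_check(host, zone):
    """For every A record of host's canonical name, does the PTR point back to it?
    Returns a list of (ip, ok) pairs so a missing PTR on one VIP is visible."""
    cname = canonical_name(host, zone)
    rec = zone.get(cname)
    if rec is None or rec[0] != "A":
        return []
    out = []
    for ip in rec[1]:
        ptr = zone.get(reverse_name(ip))
        ok = ptr is not None and ptr[0] == "PTR" and _fqdn(ptr[1]) == cname
        out.append((ip, ok))
    return out


def keytab_covers(keytab_spns, spn):
    """Does a keytab holding keytab_spns have an entry for spn?
    Service class and host are compared case-insensitively."""
    return spn.lower() in {s.lower() for s in keytab_spns}


def diagnose(url_host, keytab_spns, zone):
    """Summarise whether the 401 -> Negotiate flow for url_host can succeed."""
    spn = expected_spn(url_host, zone)
    ptrs = ptr_check(url_host, zone)
    return {
        "requested_spn": spn,
        "keytab_has_spn": keytab_covers(keytab_spns, spn),
        "ptr_ok": bool(ptrs) and all(ok for _, ok in ptrs),
        "ptr_detail": ptrs,
    }


if __name__ == "__main__":
    # Keytab from scenario 1 (only the A-record name): the CNAME target is missing.
    print(diagnose("mysite.mydomain.com", ["HTTP/mysite.mydomain.com"], ZONE_SCENARIO_2))
    # Julio's fix: a keytab for the GTM name plus a PTR for each VIP.
    print(diagnose("mysite.mydomain.com", ["HTTP/mysite.gtm.mydomain.com"], ZONE_SCENARIO_2))
```

Running it shows the scenario 1 keytab failing the `keytab_has_spn` check for the GTM name, and the scenario 2 keytab passing both the SPN and the PTR checks; dropping one of the two PTR entries from the zone makes `ptr_ok` false for that VIP only, which is the asymmetric "works from one data center" symptom to look for.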