Forum Discussion
NimbostratusImplementation issues with new software going through F5 load balancer
We're testing our in house software on a clients site who use F5 load balancer. All their traffic goes through there. They have other applications that work fine through the F5 as well. We're setting up our software to use AD authentication. If we bypass the F5, it works as it should be.
If we go through the F5, we get the issue below. Clients have to go through F5, and we ask them to contact F5 for support, but they're not willing to do it since their other applications work fine with it. I need your guidance please.
'Server Error in '/Success' Application.
Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: The Workstation service has not been started.
Source Error:
Line 3: Line 4: Line 5: Line 6:
Line 7:Source File: C:\Program Files (x86)\Success Enterprise\Success\config\membership.config Line: 5
Version Information: Microsoft .NET Framework Version:2.0.50727.5472; ASP.NET Version:2.0.50727.5456 '
16 Replies
Andy_01_133092by local, do you mean on the same server as DC or on the network?
It is on the same network.
- Kevin_Stewart
Employee
Local to the domain, as in running on a domain member machine and has direct access to the KDC/domain controller to request Kerberos tickets - without having to go through the F5 to do that.
- Andy_01_133092
I have to check to see if it was on the same domain, but the client is requesting it to go through the F5, we can't do direct access to DC. This is the only way according to the client, otherwise, they don't want it setup.
- Kevin_Stewart
Just consider that I'm not talking about direct access to everything, just the DC communication. I'm assuming there's another (application) server somewhere in this equation that is the endpoint of all of this, and that the DC is only needed for authentication requests. If at all possible, it would be easiest to allow application traffic through the F5 and have the client software talk to the DC directly. If the client is a non-Windows, non-domain member piece of software that is capable of Kerberos authentication, then it's still technically possible to route this traffic through a proxy, but you still need DNS resolution, a path for port 88 Kerberos traffic, and probably a keytab or two accessible to the software.
Just out of curiosity, does the application support any other form of authentication, like Basic?
- Andy_01_133092
yes it does, but the client is requesting AD authentication for their purpose. This issue is coming from our development team and I'm the main IT guy whom they're requesting assistance from. Yes, I've been told that that the software is install on the application server that needs to go through the F5 to get to dc (REQUIRED by client). Hopefully, with the packet capture, it'll be clearer for you guys to assist.
Thank you.
- nitass
just wondering how virtual server is configured. are you using one virtual server (e.g. network or wildcard virtual server) to handle AD traffic and another virtual server to handle application traffic?
