Forum Discussion
Issue with Kerberos Authentication - Load Balancing several LDAP servers
Hi all,
At the moment we have moved our LDAP servers behind the LTM. I am using a single virtual IP which listens on all needed LDAP ports.
Everything is working fine except the Kerberos authentication for some applications, as they send a request on UDP port 88. I see the packet arriving on the box when I start a tcpdump, but I cannot see any packets travelling out.
Version of the LTM is 12.0.
Maybe someone of you has encountered such an issue before.
Cheers
4 Replies
- R_Marc
Nimbostratus
Do you have a VIP on port 88 with a UDP profile? I'm assuming you are using an "any" listener. I also assume that listener has a TCP profile attached. You can't have a listener with both a UDP and a TCP profile attached; they'd need to be separate listeners.
- Kevin_Stewart
Employee
The port 88 request is going to be the communication between the client and the KDC. If the client is local to the domain/realm, then technically it should not need to go through a VIP to get to the KDC.
- Kevin_Stewart
Employee
Understood, but application traffic and Kerberos traffic are generally different things. In order to present a Kerberos ticket in an application request, a client must separately communicate to the KDC (usually on TCP or UDP port 88) to get that ticket. My question is why is your client trying to go through an LTM VIP to get to the KDC? The client should be local to the KDC.
- Kevin_Stewart
Employee
An Active Directory typically load balances itself, so it's usually not recommended to actually put domain services behind a load balancer. But in any case, you'd need a fastL4 VIP listening on port 88 and any port to cover both TCP and UDP requests. And I'd probably also use source persistence.
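The configuration the last reply describes, written out as an added example in bigip.conf/tmsh syntax (this is not config posted by anyone in the thread). The KDC addresses 10.0.0.11 and 10.0.0.12, the virtual address 10.0.0.100, and the object names are assumptions. A single virtual server with the default fastL4 profile and `ip-protocol any` accepts both TCP and UDP on port 88, which is the only way to cover both transports on one listener, since a TCP profile and a UDP profile cannot coexist on the same virtual server. SNAT automap is included as an assumption so that the KDCs answer back through the BIG-IP even if their default route does not point at it; if the BIG-IP is the KDCs' gateway, SNAT can be dropped so the KDC still sees the real client address.

```tmsh
# Added example: one fastL4 virtual covering TCP and UDP port 88.
# Assumed addresses/names: 10.0.0.100 (VIP), 10.0.0.11/12 (KDCs),
# pool_kdc, vs_kdc_88.

ltm pool /Common/pool_kdc {
    members {
        /Common/10.0.0.11:88 {
            address 10.0.0.11
        }
        /Common/10.0.0.12:88 {
            address 10.0.0.12
        }
    }
    # A TCP monitor on the member port verifies the KDC is listening;
    # UDP has no handshake, so there is nothing comparable to probe.
    monitor /Common/tcp
}

ltm virtual /Common/vs_kdc_88 {
    destination /Common/10.0.0.100:88
    # "any" = the GUI's "* All Protocols": TCP and UDP on port 88 both match.
    ip-protocol any
    mask 255.255.255.255
    # Source-address persistence keeps one client on one KDC across its
    # UDP request and any later TCP retry (clients fall back to TCP when
    # the KDC answers KRB_ERR_RESPONSE_TOO_BIG over UDP).
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/pool_kdc
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    # Assumption: KDCs do not route back via the BIG-IP, so SNAT is needed.
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
```

After loading this, `tmsh show ltm virtual vs_kdc_88` should count both TCP and UDP client-side packets, and a `tcpdump -ni 0.0 port 88` on the BIG-IP should now show server-side packets leaving toward the pool members; if only client-side packets appear, the usual causes are a listener whose profile does not match the transport or pool members that are marked down by the monitor.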