Julio_Navarro
Aug 20, 2015 Cirrostratus
Kerberos - Serving a URL in different datacenters
Hello!
I have a very interesting issue.
Scenario 1 (that is working flawlessly):
LTM
VIP 1.2.3.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth -> Success :-)
DNS
mysite.mydomain.com A Record 1.2.3.4
1.2.3.4 PTR Record mysite.mydomain.com
In the article attached, Kerberos is very picky about time and DNS resolution, so it took some time to have everything in sync and working. No problem with that. Kerberos depends on DNS reverse resolution to work, as explained in detail here:
https://devcentral.f5.com/questions/problems-with-using-kerberos-authentication
https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos
Now, here is the monkey wrench:
Scenario 2: this is for load balancing and redundancy between data centers:
GTM
mysite.gtm.mydomain.com -> VIP Server 1.2.3.4 and 10.10.10.4
DNS
mysite.mydomain.com CNAME Record mysite.gtm.mydomain.com
???.???.???.??? PTR Record ????????.mydomain.com
Data Center EAST COAST
LTM
VIP 1.2.3.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth
Data Center WEST COAST
LTM
VIP 10.10.10.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth
Any ideas? Thank you in advance
J