Forum Discussion
CirrostratusKerberos - Serving a URL in different datacenters
Hello!
I have an very intresting issue.
Scenario 1 (that is working flawlessly):
LTM
VIP 1.2.3.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth -> Sucess :-)
DNS
mysite.mydomain.com A Record 1.2.3.4
1.2.3.4 PTR Record mysite.mydomain.com
In the article attached, Kerberos is very picky with time and DNS resolutions. So it took some time to have everything Sync and working. No problem with that. Kerberos depends in DNS Reverse resolution to work, as explained in detail here:
https://devcentral.f5.com/questions/problems-with-using-kerberos-authentication
https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos
Now, here is the monkey wrench:
Scenario 2 : this is for load balance and redudancy between DataCenters:
GTM
mysite.gtm.mydomain.com -> VIP Server 1.2.3.4 and 10.10.10.4
DNS
mysite.mydomain.com CNAME Record mysite.gtm.mydomain.com
???.???.???.??? PTR Record ????????.mydomain.com
Data Center EAST COST
LTM
VIP 1.2.3.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth
Data Center WEST COST
LTM
VIP 10.10.10.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth
Any ideas? Thank you in advance
J
2 Replies
- Kevin_Stewart
Employee
If you have the ability to capture Kerberos traffic between the client and KDC, look at the TGS_REQ being sent by the client. Your APMs are probably set up to authenticate (have a keytab) for mysite.mydomain.com, but you find that your clients are requesting tickets for mysite.gtm.mydomain.com. In any case, you'll need to add that as an SPN to the same account and then create a multi-SPN keytab.
Julio_NavarroThank you Kevin!
You gave some direction and actually I used a single SPN but with the record: mysite.gtm.mydomain.com
I had to add two PTR:
1.2.3.4 PTR mysite.gtm.mydomain.com 10.10.10.4 PTR mysite.gtm.mydomain.comThe user will request the URL mysite.mydomain.com but the browser will query the 401 HTTP Request using mysite.gtm.mydomain.com and voila! It works like a charm!
