Kerberos behind F5 load-balancer

Question

We have two kerberos server (freeipa), they are on private address and now we want to expend service to public so planning to put them behind F5 so i get high availability and protection too, But having hard time to make kerberos happy behind F5 because now client talking to F5 VIP with different hostname and later it's getting NATed down to server, I have added f5 vip SPN&nbsp;in kerberos so it will trust VIP but still no luck i am getting following error in logs now
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
i have added krb5.conf
allow_weak_crypto = yes
but still client not authenticating.

stanislas_piro2 · Answer

Hi,&nbsp;
you can create a DNS PTR record. if VIP is 10.20.30.40 and application SPN is HTTP/myapp.company.com, create the following DNS record:&nbsp;
40.30.20.10.in-addr.arpa.INPTR myapp.company.com&nbsp;

Forum Discussion

Kerberos behind F5 load-balancer

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

ASM Export JSON - size Limit ?

SNI Sites not taking correct certificate.

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

F5 LTM listening on 3306

Related Content

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

Load Balancing TCP TLS Encrypted Syslog Messages

What is Load Balancing?

Transparent load balancing in Azure, Part 2

NGINXaaS for Azure: Load Balancing

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS