Forum Discussion

satish_txt_2254's avatar
Aug 14, 2017

Kerberos behind F5 load-balancer

We have two kerberos server (freeipa), they are on private address and now we want to expend service to public so planning to put them behind F5 so i get high availability and protection too, But having hard time to make kerberos happy behind F5 because now client talking to F5 VIP with different hostname and later it's getting NATed down to server, I have added f5 vip SPN in kerberos so it will trust VIP but still no luck i am getting following error in logs now

GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)

i have added krb5.conf

allow_weak_crypto = yes

but still client not authenticating.

1 Reply

  • Hi,


    you can create a DNS PTR record. if VIP is and application SPN is HTTP/, create the following DNS record: