Kerberos for web proxy clients
I want to authenticate my web proxy clients with Kerberos as they are using primarily NTLM and that's producing too much overhead in my network and on the DCs.
All the clients are using the same equal proxy PAC, and the proxy DNS name which is returned is balanced over two sites by GTM. GTM returns the virtual IP of each site's LTM.
The DNS domain which is hosted on the GTM is different to my active directory domain.
So the clients are talking to proxy.gtm-domain.net:
This name can't be registered as SPN in active directory to each proxy in the backend as it has to be unique.
Each proxy in the backend (ISA 2006) is joined to our AD and has a default SPN registered like HTTP/proxy12.ad-domain.net
My concern is now, how do I get Kerberos to work as the virtual GTM name can't be used/registered as SPN?
Today the clients which can talk Kerberos are searching the AD for the SPN HTTP/proxy.gtm-domain.net but that can't work as there is no SPN registered.
The ISA 2006 service on the machines can't be started with an AD account where I could register the SPN on.
My idea is now that the LTM on each site has an iRule which can tell the client to request the SPN for the returned backend server.
- client makes a request to http://www.google.com and sends it to proxy.gtm-domain.net
- GTM balances to the closest site
- LTM of the site balances the request to a backend server proxy12.ad-domain.net
- backend proxy returns HTTP status 407 authentication required (Negotiate, Kerberos, NTLM)
- client makes Kerberos authentication with the SPN HTTP/proxy12.ad-domain.net instead of the non-existent SPN HTTP/proxy.gtm-domain.net
Is that possible? Can that be done with an iRule? Other ideas?
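As an added illustration (not part of the original post), this Python model walks through the flow in the bullet list above: a client configured with proxy.gtm-domain.net gets the 407 challenge, derives the SPN from the proxy name it addressed (HTTP/<proxy host>) and searches for it, exactly the lookup the post describes failing. The 407 response and the SPN table are constructed stand-ins for the ISA reply and the AD search.

```python
"""Model of the proxy authentication flow from the post (constructed example)."""
import re
from urllib.parse import urlsplit

# Constructed: SPNs registered in AD per the post. HTTP/proxy12.ad-domain.net
# exists on the backend's computer account, HTTP/proxy.gtm-domain.net does not.
REGISTERED_SPNS = {
    "HTTP/proxy12.ad-domain.net": "PROXY12$",
    "HTTP/proxy11.ad-domain.net": "PROXY11$",
}

# Constructed 407 response as a backend ISA proxy would return it.
RESPONSE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: Kerberos\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Connection: close\r\n"
    "\r\n"
)


def offered_schemes(response: str) -> list:
    """Return the auth schemes advertised in Proxy-Authenticate headers, in order."""
    head = response.split("\r\n\r\n", 1)[0]
    return re.findall(r"^Proxy-Authenticate:\s*(\S+)", head, flags=re.M | re.I)


def client_spn(proxy_url: str) -> str:
    """SPN a Negotiate client requests: HTTP/ plus the proxy host it connected to,
    not the name of whichever backend the load balancer picked."""
    return f"HTTP/{urlsplit(proxy_url).hostname}"


def negotiate(proxy_url: str, response: str, spn_table: dict) -> str:
    """Decide which mechanism the client ends up using for this challenge."""
    schemes = [s.lower() for s in offered_schemes(response)]
    if "negotiate" in schemes or "kerberos" in schemes:
        spn = client_spn(proxy_url)
        if spn in spn_table:  # the AD search the post mentions
            return f"kerberos:{spn}"
    if "ntlm" in schemes or "negotiate" in schemes:
        return "ntlm"  # no ticket obtainable, client falls back to NTLM
    return "none"


if __name__ == "__main__":
    print(negotiate("http://proxy.gtm-domain.net:8080", RESPONSE_407, REGISTERED_SPNS))
    print(negotiate("http://proxy12.ad-domain.net:8080", RESPONSE_407, REGISTERED_SPNS))
```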