kerberos

Yes I currently have the same idea in mind. Any responses to the question would be greatly appreciated. Actually we will be using the F5 for our MOSS 2007 WFE's and also for the SQL 2005 DB's in the environment. I'm a bit hesitant to "switch" kerberos on until I find more information in terms of how the F5's might affect this configuration.

I'm intersted as well, anyone have the answer?

We are configuring a vip for a few backend servers that use kerberos authentications for client logins. I plan to do some extensive testing on the vip. But i was told by F5 that GTM is a better choice. I wonder if LTM will work at all for kerberos. The servers are based on Linux, not Windows.

Hi,

 

 

Yes F5 can do kerberos, but you cannot join this device to the AD domain.

 

 

Instead you need to create SPNs (service principal names) for the HTTP services mapping to a particular domain user ids.

 

 

We have kerberos single sign on working for IIS, weblogic, SAP enterprise portal without any issues.

 

 

Let me know if you need more info.

 

 

Regards,

 

Ravi

After the SPNs are created, what needs to be done within F5? We are using BusinessObjects application with AD/Kerberos auth. When I go direct using servername, application with SSO works fine. When we go in via the load balancer, using a URL that maps to a VIP, auth doesn't happen and get an error message within application. Persistance is turned on in F5, set to 1hr. Does the SPN account need to be given some rights in F5?

Hi,

 

 

Firstly map the virtual IP to a dns name in your internal DNS server. Then create an SPN for this dns name and with the userid being used to configure kerberos.

 

 

For ex. if you are using an id - xyz for configuring BO SSO, and the dns name is bovirtual.addomain.com

 

 

Then the SPN will be -

 

 

setspn -A HTTP/bovirtual.addomain.com xyz

 

 

Let me know how it goes.

 

 

Regads,

 

Ravi

Hey,

 

That worked! Once we ran the SPN command = "Setspn.exe -A HTTP/infoviewuat.xyz.com userid" then the F5 came into play and things are good. Thanks for the insight.

 

 

Now on to the NEXT issue....HTTPS. We use a reverse proxy server for users from the outside world aka external network to come in via HTTPS. The trouble is, this proxy server is on a different domain (also different forest) than the BusinessObjects servers and the domain our AD groups reside in for Kerberos authentication.

 

 

I'm wondering if this setup can be made to work, or perhaps not if the F5 & BO servers and AD groups reside on a separate domain/forest than the proxy server?

 

 

Perhaps running a similar command on the AD controller like "Setspn.exe -A HTTP/proxyserver.ZYX.COM userid" will help to resolve? Users trying to come in via HTTPS are getting same error message as was getting prior to running the above script which resolved the F5 issue.

 

 

There may be some changes to the BO application required, but our network guy was thinking not because after the users hit the proxy they then get over to our BO servers the same as if they were in house (in theory). This setup works ok in BusinessObjects XIR2, which is our current production, but for that we're using NTLM auth and Trusted Auth, not AD and Kerberos.

 

 

Any ideas? I'm really stuck again as not having HTTPS is a show stopper for our upgrade project.

 

 

Thanks!

Hey,

 

I have a similar problem, except I'm not using IIS.

 

We have a collection of SOAP/WCF services, accessible internally only on Win2k3 servers.

 

Each one of these services run's under a domain account. The data from these services is stateless, we are using the Microsoft delegation model with WS Security in out .NET applications to pass Kerberos information/SPN's from the client to the backend. Under load we continually get Kerberos errors, however the moment I apply a Persistence Profile all works fine.

 

I gather through each payload sent from the client, a message is sent along with the Kerberos token. The token applied against “backend server 1”, it travels back to the client, the client then sends its next payload which is load balanced to “backend server 2”, Kerberos tokens don’t match up and an error is displayed.

 

Anyone had any experience which this sort of setup? Have you set persistence connections? What sort of timeout are you using? I’ve also tried adding the F5 to the domain using “Configuration Guide for Kerberos Delegation” but that appeared to only be useful for IIS setups using host based SPN’s.

 

I was considering setting up an iRule specifically for Kerberos packets and trying to persist only those, however I don't think this would be relevant if the token is bound to the payload sent from the client.

I mentioned this in an Exchange / CAS thread, but will mention here as it may apply as well.

 

We spent about a year troubleshooting slowness issues with Exchange, and getting weird performance / errors that didn't make sense.

 

 

After working for a LONG time with F5 on the issue, we discovered that the Nagles Algorithm was the culprit. Google it for more specifics, but it basically combines smaller packets to send more optimized larger ones on the back end. This is great for general web traffic, but not necessarily so good for RPC related traffic. RPC expects immediate response, and doesn't really like packet alterations.

 

 

You may try with it disabled to see if this helps.

I've been caught out with Nagles Algorithm before, it's one of the first thing's I disable now.

 

Been running in production with a persistence profile configured for about a month now (default timeout set - 180 seconds). I see the occasional error on the services, but this may possibly be narrowed down to kerberos timeouts due to inactivity from low client volume. I expect the client volume to ramp up and these errors will no longer exsist (tokens will be renewed regurally) over the next few months.