Forum Discussion
Load Balance a Connection URL with Kerberos Auth
I'm going to assume here that you're not using APM (Access Policy Manager). In lieu of APM, the Kerberos ticket has to come from the client directly, which means the client must know the servicePrincipalName (SPN) of the server to make the ticket request. Browsers will use the host name from the URL to derive a SPN (ex. https://www.example.com becomes http/ There's no mechanism for HTTP-based Kerberos to inform the client of the correct name to use, so you only have a few options:
- As I mentioned, the SPN is derived from the host name, so if you want to use "impala", then you have to attach this SPN to an account in the realm and export its keytab to all of the backend servers. That is, in order to use a single front-end name, all of the backend servers have to use the same keytab and SPN (i.e. http/impala). It doesn't matter what the server's actual name is (in most cases), because the Kerberos configuration is generally bound to the SPN in the assigned keytab.
- APM would more gracefully solve this issue by providing Kerberos Constrained Delegation (and protocol transition) on the backside of the proxy. You could use whatever name you wanted in the front, and APM could use whatever SPN(s) needed on the backend to reach the servers.
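An added check for the shared-keytab option above (example code, not from the post or from F5): it parses captured `klist -k -t` output from each backend and reports hosts that lack the shared SPN, plus key-version (KVNO) disagreement, which is what you get when the keytab is exported separately per server rather than copied once. The host names, realm and listings are constructed.

```python
"""Audit that every backend behind one front-end name carries the shared SPN
with the same key version. Added example; hosts, realm and output are constructed."""
import re
from collections import defaultdict

# Constructed `klist -k -t` captures from three backends. backend-b had its
# keytab exported a second time (KVNO bumped); backend-c never got the shared SPN.
KLIST_OUTPUT = {
    "backend-a": """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------
   5 01/02/2024 10:00:00 HTTP/impala@EXAMPLE.COM
   5 01/02/2024 10:00:00 HTTP/backend-a.example.com@EXAMPLE.COM
""",
    "backend-b": """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------
   6 01/03/2024 09:00:00 HTTP/impala@EXAMPLE.COM
""",
    "backend-c": """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------
   5 01/02/2024 10:00:00 HTTP/backend-c.example.com@EXAMPLE.COM
""",
}

# One entry line: "<kvno> <date> <time> <principal>"; header/separator lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$", re.MULTILINE)


def parse_keytab_listing(text):
    """Return {principal: {kvno, ...}} parsed from klist -k -t output."""
    entries = defaultdict(set)
    for kvno, principal in ENTRY_RE.findall(text):
        entries[principal].add(int(kvno))
    return dict(entries)


def audit_shared_spn(listings, spn):
    """Find backends missing `spn` and check all present copies agree on KVNO.

    A ticket is encrypted under one KVNO; a backend whose keytab holds a
    different KVNO for the same SPN cannot decrypt it even though the name matches.
    """
    missing, kvno_by_host = [], {}
    for host, text in listings.items():
        keytab = parse_keytab_listing(text)
        if spn in keytab:
            kvno_by_host[host] = keytab[spn]
        else:
            missing.append(host)
    all_kvnos = set().union(*kvno_by_host.values()) if kvno_by_host else set()
    return {"missing": sorted(missing), "kvno_by_host": kvno_by_host,
            "kvno_consistent": len(all_kvnos) == 1}
```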