Tom_112729
Nov 27, 2013

Monitor HTTP application (users authenticating to web servers with Kerberos)

Hello,

Currently, the web servers, which are load balanced by LTM, are configured to serve content only if the user authenticates properly with them via the Kerberos protocol. Every "http Get" is authenticated with Kerberos to the web servers. The active monitor for this pool is based on a simple "tcp connect test". I would like to implement a wiser active monitor (application monitor), which would deactivate a pool member if the active check returns a 503 HTTP error code.

My question: is it possible in LTM to configure an active monitor to use Kerberos authentication (yes/no)? If not, what would be another solution to implement an active monitor in my scenario? LTM version: 11.2

Thanks for your replies, Regards Tom

2 Replies

  • You cannot do this now because, for reasons still bewildering, all of the GSSAPI/SPNEGO binaries have been stripped from the product. I would recommend the following options:

    1. Add your name to the feature request case.

    2. The HTTP monitor in v11 will fail over to NTLM if Basic doesn't work. If you can configure your server to accept Kerberos AND NTLM, that may be an option.

    3. Create a separate site pointing to the same content, or a specific path or test page with no or limited auth requirements and use that in an external monitor.


  • 4 years later, still no Kerberos auth in http/https monitor.

    From v13, curl version on BIGIP contains Kerberos, GSSAPI/SPNEGO so a custom monitor is feasible.

    Existing RFE:

    ID370645 Add Kerberos auth to http/https monitors in bigd
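
A sketch of the kind of custom monitor the second reply calls feasible from v13, written as an external monitor script. This is an added example, not code from the thread or from F5. The host name, test path, keytab location, principal and ticket-cache path are placeholders, and it assumes `kinit`/`klist` and a working krb5 configuration are available where the script runs and that members are IPv4.

```shell
#!/bin/sh
# External monitor: invoked with <member IP> <member port>.
# Any output on stdout marks the member up; no output marks it down.
# All values below are placeholders (assumptions), not taken from the thread.
SITE_HOST="${SITE_HOST:-app.example.com}"        # name the HTTP/ SPN is registered for
CHECK_PATH="${CHECK_PATH:-/health}"              # hypothetical test page
KEYTAB="${KEYTAB:-/config/monitor.keytab}"       # keep mode 0600, low-privilege account
PRINCIPAL="${PRINCIPAL:-svc-monitor@EXAMPLE.COM}"

# Members can arrive as IPv4-mapped IPv6 (::ffff:10.0.0.5); strip the prefix.
normalize_ip() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# 2xx = up; 401 = the monitor's own ticket was rejected; 503, 000, rest = down.
classify_status() {
    case "$1" in
        2[0-9][0-9]) echo up ;;
        401)         echo auth ;;
        *)           echo down ;;
    esac
}

# Prints the HTTP status (000 if the connection fails). --resolve keeps the
# site name in the URL, so the ticket is for HTTP/$SITE_HOST, not for an IP.
probe() {
    ip=$(normalize_ip "$1"); port=$2
    curl -s -o /dev/null -m 5 -w '%{http_code}' \
         --negotiate -u : \
         --resolve "$SITE_HOST:$port:$ip" \
         "http://$SITE_HOST:$port$CHECK_PATH"
}

main() {
    # Private ticket cache; refresh from the keytab only when it has expired.
    export KRB5CCNAME="/var/tmp/krb5cc_monitor"
    klist -s 2>/dev/null || kinit -k -t "$KEYTAB" "$PRINCIPAL" 2>/dev/null
    verdict=$(classify_status "$(probe "$1" "$2")")
    case "$verdict" in
        up)   echo UP ;;
        auth) echo "monitor ticket rejected by $1" >&2 ;;
    esac
}

# Run only when called with the two monitor arguments.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

A 401 here means the monitor's own credentials failed, which would mark every member down at once, so it is reported separately on stderr rather than silently treated like a 503.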