Forum Discussion
Question about BIG‑IP LTM enables Kerberos Protocol Transition
Hello,
We have an application that works with SSO SPNEGO/Kerberos, but it is not working if we use the BIG-IP load balancer. We have a BIG-IP LTM system. Can you please give me any advice or a document about how we must configure the load balancer?
Thanks in advance.
Best regards,
Gatsioudis
2 Replies
- Kevin_Stewart
Employee
Quick question. Is Access Policy Manager (APM) involved, or are you just trying to pass the Kerberos through the LTM?
- Kevin_Stewart
Employee
As I'm sure you're well aware, Kerberos is highly dependent on names, specifically service principal names. When a client makes an initial request to a Kerberos-enabled web server, the server will respond with a 401, and the client will go off to its KDC to request a ticket, by name, for the service it just attempted to access. So if the client is trying to access https://www.example.com, the service principal name the client uses in the ticket request will be HTTP/www.example.com. The point of this is to illustrate that if the name the client uses to access the LTM VIP is not the same as the service principal name owned by the web server, the Kerberos ticket created by the KDC (if a ticket is created at all), will not be valid for the web server.
To solve this problem, you simply need to make these names the same.
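The name check described in the reply above, as an added example that is not part of the original post or F5's own code: it derives the SPN a client would request from the URL used to reach the VIP and compares it with the SPNs held by the web server's account. The function names, the `web01` SPNs, and the choice to ignore any port in the URL are assumptions of this sketch.

```python
from urllib.parse import urlsplit

def spn_for_url(url: str) -> str:
    """SPN the client asks its KDC for: service class HTTP (also for
    https:// URLs) plus the host name typed in the URL. Port is ignored
    here (assumption of this example)."""
    host = urlsplit(url).hostname  # urlsplit lower-cases the host
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    return f"HTTP/{host}"

def check_vip_name(vip_url: str, registered_spns: list[str]) -> tuple[str, str]:
    """Return (status, requested_spn) where status is 'match',
    'partial-name' (short name vs. longer name of the same host) or
    'mismatch'. Names are compared case-insensitively."""
    requested = spn_for_url(vip_url)
    wanted_host = requested.split("/", 1)[1]
    hosts = set()
    for spn in registered_spns:
        service_class, _, host = spn.lower().partition("/")
        if service_class == "http" and host:
            hosts.add(host)
    if wanted_host in hosts:
        return "match", requested
    for host in hosts:
        # e.g. client used "web01" but only "web01.example.com" is registered
        if host.startswith(wanted_host + ".") or wanted_host.startswith(host + "."):
            return "partial-name", requested
    return "mismatch", requested

if __name__ == "__main__":
    # Constructed sample: SPNs registered for the back-end web server.
    server_spns = ["HTTP/web01.example.com", "HTTP/web01"]
    for url in ("https://www.example.com/app",    # name of the LTM VIP
                "https://web01.example.com/app"):  # name of the server itself
        status, spn = check_vip_name(url, server_spns)
        print(f"{url}: client requests {spn} -> {status}")
```

A `mismatch` for the VIP URL is the situation the reply describes: the ticket is issued for a name the web server does not own.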