Yeah I saw this also. From what I've read holistically, putting your DCs behind a VIP tends to be problematic because the member server name doesn't match the name of the SPN, thus it becomes vehemently unhappy.
I suppose you could possibly build an ASA similar to how you do Kerberos with Exchange and try to leverage that but I've read/heard there's a ton of reliability issues and you should just rely on the krb5.conf like:

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:750
        admin_server = kerberos.mit.edu
        master_kdc = kerberos.mit.edu
        default_domain = mit.edu
    }

Jon Towles
CTO, Synterex
(m) 978-609-5545

-----Original Message-----
From: Robbie Harwood <rharw...@redhat.com>
Sent: Thursday, February 18, 2021 4:48 PM
To: Jonathan Towles <jjtow...@synterex.com>; kerberos@mit.edu
Subject: Re: Load Balancing KCDs

Jonathan Towles <jjtow...@synterex.com> writes:

> Does anyone have experience putting DCs behind a network load balancer
> for Kerberos Authentication?
>
> Depending on who you ask, it doesn't really work. I wanted to ask the
> group to see if anyone has strong experience in doing it and if it's
> feasible?

I usually refer to Simo's post on this:
https://ssimo.org/blog/id_019.html

Thanks,
--Robbie
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
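
The reply above recommends listing several kdc entries in krb5.conf rather than fronting the DCs with a VIP. As an added example (not part of the original thread and not MIT Kerberos code), this script parses the [realms] section and reports realms that give clients fewer than two distinct KDC hosts. The function names, the EXAMPLE.TEST realm and the port-88 fallback are assumptions of the example, and it handles only `host` and `host:port` values.

```python
import re

# Constructed sample: the thread's KDC list plus a hypothetical single-name realm.
SAMPLE = """\
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:750
        admin_server = kerberos.mit.edu
    }
    EXAMPLE.TEST = {
        kdc = dc-vip.example.test
    }
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
"""

DEFAULT_KDC_PORT = 88  # used when a kdc entry carries no explicit port


def parse_realm_kdcs(text):
    """Return {realm: [(host, port), ...]} from [realms], in file order."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or whole-line comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section != "realms":
            continue
        elif line == "}":
            realm = None
        elif realm is None:
            if m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
                realm = m.group(1)
                realms[realm] = []
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if key == "kdc" and value:
                host, _, port = value.partition(":")
                realms[realm].append((host, int(port or DEFAULT_KDC_PORT)))
    return realms


def realms_without_failover(realms):
    """Realms that give the client fewer than two distinct KDC hosts."""
    return sorted(r for r, kdcs in realms.items() if len({h for h, _ in kdcs}) < 2)
```

Running `realms_without_failover(parse_realm_kdcs(open("/etc/krb5.conf").read()))` on a client lists the realms where that client has no second KDC name to fall back to.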