Kerberos not working with Cisco content switching (CSS)

Unanswered Question
Apr 30th, 2008

We are trying to carry out load balancing on Kerberos on the CSS, but I had a feeling this will not work. I checked on the link below but am not too sure if this will help in load balancing with Kerberos.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx

htarra Tue, 05/06/2008 - 06:10

The problem with Kerberos is that the user must first send a request to the Kerberos server, which delivers a token used to then contact the destination server. Here the user will use the VIP IP to request the token, and when contacting the destination the IP is different and the token is not accepted.

I had an issue like this a long time ago and I don't think we ever found a solution.

Did you try to configure loopback IP addresses on the server that would be the same IP as the VIP?

Then configure a service of type transparent on the CSS.

Or contact the Kerberos admin guy to see if he knows a way to have a token valid on multiple platforms.

You can do the configuration like that:

    owner xxxx
      content short
        vip address x.x.x.x
        redirect "//test.company.com:50100/irj"
        protocol tcp
        port 80
        url "//short_name/"
        active

      content fqdn
        vip address x.x.x.x
        redirect "//test.company.com:50100/irj"
        protocol tcp
        port 80
        url "//test.company.com/"
        active

      content lb_rule
        vip address x.x.x.x
        balance weightedrr
        advanced-balance sticky-srcip
        url "//test.company.com:50100/*"
        protocol tcp
        port 50100
        add service srv1
        add service srv2 weight 5
        active

    service srv1
      ip address x.x.x.x
      keepalive type http
      keepalive port 50100
      keepalive uri "/index.html"
      type redirect
      port 50100
      active

    service srv2
      ip address x.x.x.x
      keepalive type http
      keepalive port 50100
      keepalive uri "/index.html"
      type redirect
      port 50100
      active
