Hi Joseph,
it is all possible :-)
Firstly I suggest not to use samba tools to create the squid keytab, but
use msktutil (see
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos). Then
create a keytab for the loadbalancer name ( that is the one configured in IE
or Firefox). use this keytab on both proxy servers and use
negotiate_kerberos_auth with -s GSS_C_NO_NAME
When you say multiple realms, do you have trust between the AD domains or
are they separate ? If the domains do not have trust do you intend to use
the same loadbalancer name for the users of both domains ?
Markus
"Joseph Spadavecchia" wrote in message
news:2B43C569F8254A4E82C948CE4C247ED515891A_at_BLX-EX01.alba.local...
Hi there,
What is the recommended way to configure Kerberos authentication behind two
load balancers?
AFAIK, based on the mailing lists, I should
1) Create a user account KrbUser on the AD server and add an SPN
HTTP/loadbalancer.example.com for the load balancer
2) Join the domain with Kerberos and kinit
3) net ads keytab add HTTP/loadbalancer.example.com_at_REALM -U KrbUser
4) update squid.conf with an auth helper like negotiate_kerberos_auth -s
HTTP/loadbalancer.example.com_at_REALM
Unfortunately, when I try this it fails.
The only way I could get it to work at all was by removing the SPN from the
KrbUser and associating the SPN with the machine trust account (of the proxy
behind the loadbalancer) However, this is not a viable solution since there
are two machines behind the load balancer and AD only allows you to
associate a SPN with one account.
Furthermore, given that I needed step (4) above, is it possible to have load
balanced Kerberos authentication working with multiple realms? If so, then
how?
Many thanks.
Received on Thu Feb 06 2014 - 21:37:37 MST
This archive was generated by hypermail 2.2.0 : Fri Feb 07 2014 - 12:00:05 MST