Kerberos authentication through load balancer

I generally understand the problems that a load balancer poses for Kerberos. In fact, Microsoft's KB article outright states that it's not possible. However, this article - also on an MS site - suggests that there are possible workarounds.

Has anyone configured a system to use Kerberos and a load balancer? Did you need to use a Forefront server? Can you describe your setup?

Also, what is the precise functionality that the Forefront server provides that makes this work? As I understand it, each server behind the load balancer requires a different SPN and anything in front of the load balancer can't know what SPN to request a ticket for.


Solution 1:

Have you checked with the load balancer vendor? F5, for example, has the Advanced Client Authentication (ACA) module for their Local Traffic Manager (LTM) that provides support for Kerberos Constrained Delegation.

http://www.f5.com/pdf/white-papers/kerberos-constrained-delegation-pki-wp.pdf

Solution 2:

I have configured Kerberos and the haproxy load balancer (kind of). Basically, Kerberos needs the DNS name of the backend server for auth. What I did was create an haproxy config with a listen stanza with two servers on two different ports (81 and 82) on the haproxy host, with rr and httpchk, then two frontend and two backend stanzas listening on these ports, with checks and a redirect stanza to point to the backend host with the full hostname needed for Kerberos auth. I needed this for HA of two app servers with a JBoss app with Kerberos auth; no cookies are needed as haproxy just does a 301 redirect to the backend server and all traffic then goes to the server which is live. The downside of this is that the user can see the full hostname of the backend server and it needs to be accessible to the user, so it's best if used for internal stuff only; not sure if you can do it a different way on haproxy. If there is any other way of doing this where the backend would not be visible, it would be great if someone shared the info!
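An haproxy configuration laid out the way this answer describes, added here as an illustration and not the answerer's own config: the backend names app1/app2.corp.example.com, the JBoss port 8080 and the health-check paths are assumed placeholders.

```haproxy
# Added example of the layout described above; constructed, not the answerer's config.
# Placeholders: app1/app2.corp.example.com (backend FQDNs, which must match the
# HTTP/<fqdn> SPNs registered in AD), port 8080 (JBoss), and the /app/health path.

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Entry point users hit. Round-robin over the two local redirector listeners;
# the httpchk against each one decides which backend is currently live.
listen app-entry
    bind *:80
    balance roundrobin
    option httpchk GET /haproxy-check
    server redir-app1 127.0.0.1:81 check
    server redir-app2 127.0.0.1:82 check

# Redirector for app1: answers the probe with 200 only while backend app1
# has a live server, and 301s every real request to app1's full hostname,
# so the browser requests a ticket for HTTP/app1.corp.example.com.
frontend redir-app1
    bind *:81
    monitor-uri /haproxy-check
    monitor fail if { nbsrv(app1) lt 1 }
    http-request redirect prefix http://app1.corp.example.com:8080 code 301
    default_backend app1

backend app1
    option httpchk GET /app/health
    server app1 app1.corp.example.com:8080 check

# Same pattern for app2 on port 82.
frontend redir-app2
    bind *:82
    monitor-uri /haproxy-check
    monitor fail if { nbsrv(app2) lt 1 }
    http-request redirect prefix http://app2.corp.example.com:8080 code 301
    default_backend app2

backend app2
    option httpchk GET /app/health
    server app2 app2.corp.example.com:8080 check
```

The monitor rules matter: without them the 301 from ports 81/82 would itself count as a healthy response, so app-entry would keep sending users to a redirector whose backend is down; with them the probe returns 503 as soon as that backend's own check fails.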