Let me try to provide a simplified view of Kerberos.
1) The client is asked to auth via Kerberos.
2) The client's browser first checks that the site is trusted, because you don't want to do Kerberos to any site that asks.
3) Assuming the site is trusted, the browser will request a ticket from the KDC (domain controller) for the service (HTTP) and address of the gateway that matches the URL it used to reach the server. Typically this is the FQDN of the gateway.
4) The KDC issues a ticket to the client for the SPN (service + address).
5) The client offers the ticket to the gateway.
6) The gateway verifies the ticket using the keytab. It finds the correct key for verification by matching the SPN in the offered ticket.
So that should answer your questions.
You need to set an SPN on the KDC which matches what clients will be asking for.
Clients use the address in the auth request URL (proxy FQDN). You shouldn't need to set an SPN for the LTM because the SPN only needs to match what the client thinks they are talking to.
The keytab file on the gateway needs to have an SPN matching what the clients are offering in the tickets.
You can use packet captures on the client during auth for troubleshooting.
Thanks for the reply sroering,
My question has to do with how the keytab(s) should be set up. I have 3 MWG nodes. I generated 3 keytabs using three different AD accounts. I added (via setspn) HTTP/mwg.mydomain.local to each keytab. All the user (or client) browser proxy configs will point to mwg.mydomain.local, and that FQDN resolves to an IP address hosted by a VS on the LTM. I loaded the keytabs into the Kerberos config on each node. Is that the way I should do it? It doesn't appear to be working, so I wanted to validate the approach.
An alternative might be to create one keytab file and add an SPN for each additional node along with the common one that resolves to the VS on the LTM.
Anyone else using Kerberos behind a load balancer? How did you configure Kerberos on the nodes?
If all of your clients think they are talking to mwg.mydomain.local, then you should only need one SPN for HTTP/mwg.mydomain.local@MYDOMAIN.LOCAL, and one keytab copied to each MWG.
Thanks to all who replied.
What I ended up doing was generate a single keytab and add each node as an SPN. So now I can point users to the LTM frontend with a generic SPN and still point to specific nodes for troubleshooting.
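Added example, not code from any of the posters or from the MWG/LTM products: step 6 of sroering's walkthrough (the gateway picks the key by matching the SPN in the ticket) and the final solution (one keytab carrying the generic SPN plus one SPN per node) both come down to how a keytab is laid out and searched. The block below builds a keytab in the MIT version 2 on-disk format (the format ktutil/ktpass produce), parses it back, and looks up the key a gateway would use for a given SPN and realm. Everything in it is constructed: the principal names follow the thread's mwg.mydomain.local naming, the node names mwg1/mwg2/mwg3 are assumed, and the "keys" are SHA-256 digests of the principal name standing in for real AES keys.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab format version 2: all integers big-endian
KRB5_NT_PRINCIPAL = 1               # name type stored for service principals
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass
class KeytabEntry:
    principal: str      # "HTTP/mwg.mydomain.local" (service/host, realm kept separately)
    realm: str          # "MYDOMAIN.LOCAL"
    kvno: int           # key version number; must match the version the KDC used for the ticket
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """Keytab 'counted string': 16-bit length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries into version-2 keytab bytes (one size-prefixed record each)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        comps = e.principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(e.realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp, 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)        # 32-bit kvno extension (kvno > 255)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse version-2 keytab bytes; negative record sizes mark deleted slots and are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                        # extension present: prefer the 32-bit value
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps), realm, kvno, enctype, key, ts))
    return entries


def find_key(entries: List[KeytabEntry], spn: str, realm: str,
             kvno: Optional[int] = None) -> Optional[KeytabEntry]:
    """What a gateway does at step 6: select the keytab entry whose SPN@REALM (and kvno) match the ticket."""
    for e in entries:
        if e.principal == spn and e.realm == realm and (kvno is None or e.kvno == kvno):
            return e
    return None


def _fake_key(principal: str) -> bytes:
    # Constructed stand-in for an AES-256 key; real keytab keys are derived from the account password.
    return hashlib.sha256(principal.encode()).digest()


# One keytab for all nodes: the generic SPN clients ask for via the LTM, plus a per-node SPN.
REALM = "MYDOMAIN.LOCAL"
SAMPLE_ENTRIES = [
    KeytabEntry(p, REALM, kvno, ENCTYPE_AES256_CTS_HMAC_SHA1_96, _fake_key(p))
    for p, kvno in [
        ("HTTP/mwg.mydomain.local", 3),
        ("HTTP/mwg1.mydomain.local", 3),
        ("HTTP/mwg2.mydomain.local", 3),
        ("HTTP/mwg3.mydomain.local", 300),      # exercises the 32-bit kvno extension
    ]
]

if __name__ == "__main__":
    kt = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for e in kt:
        print(f"{e.principal}@{e.realm} kvno={e.kvno} enctype={e.enctype}")
    hit = find_key(kt, "HTTP/mwg.mydomain.local", REALM, kvno=3)
    print("ticket for generic SPN ->", "key found" if hit else "no key")
```

A ticket for HTTP/other.mydomain.local, or for the right SPN at a kvno the keytab lacks, returns None, which is the "no matching key" failure seen when each node carries a keytab that does not include the SPN the client actually requested.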