On Tue, 25 Nov 2014, Dimitar Georgievski wrote:
My case for HTTP load balancing is little different. Ideally I would like
to use a real load balancer (A10 in this case) for balancing HTTP and HTTPS
Would that be possible?

Based on the info in this thread, and Apache configuration for IPA
(ipa.conf) the following steps were performed
- Added host for sso.example.com
- Added service for HTTP/sso.example.com
- added new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab.
This keytab is listed in the conf.d/ipa.conf under the Location '/ipa'
groups of directives.
 ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k

- modifed the conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect
requests to sso.example.com

The login page loads but unfortunately authentication is failing with HTTP
401 (unauthorized) response from the server. I wonder what I am doing wrong.
Can you show your /var/log/krb5kdc.log, lines concerning
HTTP/sso.example.com principal at the time you are trying to access IPA

FreeIPA limits service principals' ability to impersonate user
principals (or any other principals). FreeIPA UI runs as HTTP/ principal
and is given permission to impersonate user principal when talking to
ldap/ service. This setup is explicit and requires additional
configuration for those Kerberos principals which ask for additional

For more detailed description read my article at

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to