Hi Folks I was wondering if anyone could help with the configuration of kerberos in an apache load balanced environment
We have an external apache http gateway in the DMZ and an Apache load balancer in the Back Office. The gateway is set up to proxypass requests for an internal address to the http gateway in the DMZ. So if a user goes to http://ourapacheserverinthedmz.com/us they will be proxypassed to our load balancer using the gateways FQDM This preserves the FQDN in the DMZ and masks the internal addresses of our load balancer and two Apache web servers. We have Kerberos working on one server, when the LB is shut down. To do this we got our Windows techies to create a service principle for http://webserver1.com and a corresponding keytab. This works fine if we access the server directly via its own URL, i.e http://webserver1.com, but how do we do this for two servers when the originating URL is that of the Apache gateway, i.e http://ourapacheserverinthedmz.com/us. Do we create one keytab for http://ourapacheserverinthedmz.com/us and have this added to the SPNĀ“s for both apache web servers? Or do we simply have one keytab created for http://ourapacheserverinthedmz.com/us and then have SPN for our load balancer. http gateway | Load balancer | ----------------------- | | WS1 WS2 ---------------| KDC |-------------------------------| Cheers Albert *********************************************************************************** *********** IMPORTANT: This message is intended exclusively for information purposes. It cannot be considered as an official OHIM communication concerning procedures laid down in the Community Trade Mark Regulations and Designs Regulations. It is therefore not legally binding on the OHIM for the purpose of those procedures. The information contained in this message and attachments is intended solely for the attention and use of the named addressee and may be confidential. If you are not the intended recipient, you are reminded that the information remains the property of the sender. You must not use, disclose, distribute, copy, print or rely on this e-mail. If you have received this message in error, please contact the sender immediately and irrevocably delete or destroy this message and any copies. *********************************************************************************** *********** ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
