Hi Folks

I was wondering if anyone could help with the configuration of Kerberos in an 
Apache load-balanced environment.

We have an external Apache http gateway in the DMZ and an Apache load balancer 
in the Back Office.  The gateway is set up to proxypass requests for an 
internal address to the http gateway in the DMZ. So if a user goes to 
http://ourapacheserverinthedmz.com/us, they will be proxypassed to our load 
balancer using the gateway's FQDN.

This preserves the FQDN in the DMZ and masks the internal addresses of our load 
balancer and two Apache web servers.

We have Kerberos working on one server, when the LB is shut down. To do this we 
got our Windows techies to create a service principal for http://webserver1.com 
and a corresponding keytab.

This works fine if we access the server directly via its own URL, i.e. 
http://webserver1.com, but how do we do this for two servers when the 
originating URL is that of the Apache gateway, i.e. 
http://ourapacheserverinthedmz.com/us?

Do we create one keytab for http://ourapacheserverinthedmz.com/us and have this 
added to the SPNs for both Apache web servers? Or do we simply have one keytab 
created for http://ourapacheserverinthedmz.com/us and then have an SPN for our 
load balancer?

            http gateway
                 |
            Load balancer
                 |
      -----------------------
      |                     |
     WS1                   WS2 ---------------|
      |                                      KDC
      |---------------------------------------|

Cheers
Albert
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
