On Monday, 13 August 2012 15:51:23 UTC+2, GADSDON Paul wrote:
> Hi Folks
>
> I was wondering if anyone could help with the configuration of Kerberos in an Apache load-balanced environment.
>
> We have an external Apache HTTP gateway in the DMZ and an Apache load balancer in the back office. The gateway is set up to ProxyPass requests for an internal address to the HTTP gateway in the DMZ. So if a user goes to http://ourapacheserverinthedmz.com/us they will be ProxyPassed to our load balancer using the gateway's FQDN.
>
> This preserves the FQDN in the DMZ and masks the internal addresses of our load balancer and two Apache web servers.
>
> We have Kerberos working on one server, when the LB is shut down. To do this we got our Windows techies to create a service principal for http://webserver1.com and a corresponding keytab.
>
> This works fine if we access the server directly via its own URL, i.e. http://webserver1.com, but how do we do this for two servers when the originating URL is that of the Apache gateway, i.e. http://ourapacheserverinthedmz.com/us?
>
> Do we create one keytab for http://ourapacheserverinthedmz.com/us and have this added to the SPNs for both Apache web servers? Or do we simply have one keytab created for http://ourapacheserverinthedmz.com/us and then have an SPN for our load balancer?
>
>      http gateway
>           |
>      Load balancer
>           |
>      -----------------------
>      |                     |
>     WS1                   WS2 ---------------|
>      |                                       KDC
>      |--------------------------------------|
>
> Cheers
> Albert
Hi Richard and thanks for your help. Things have slightly changed insofar as we have a hack that keeps internal people internal, so the proxy in the DMZ will not be used now for internal people. So now what I have is an Apache load balancer with two Apache web servers, both of which have Kerberos working alone. Do I need to create keytabs for all three servers or just the two Apache web servers? Would this be correct?

webserver1 Apache keytab:
- HTTP/ourapacheloadbalancer.com@REALM
- HTTP/webserver1.com@REALM

webserver2 Apache keytab:
- HTTP/ourapacheloadbalancer.com@REALM
- HTTP/webserver2.com@REALM

I will probably test it for now with just one web server being served by the load balancer.

Many thanks for your help
Albert
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
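The keytab layout proposed above (each web server carrying the shared load-balancer SPN plus its own host SPN) can be verified mechanically on each box rather than by trial and error. The script below is an added example, not code from the thread or from the MIT Kerberos project: it builds two constructed MIT-format (version 0x0502) keytabs for hypothetical hosts webserver1 and webserver2, parses them back, and reports (a) any required SPN that is missing from a host's keytab and (b) any principal whose kvno differs between the two hosts. The realm EXAMPLE.COM, the kvno values, the enctype and the 32-byte key are assumptions made for the demo.

```python
"""Check per-host Apache keytabs for a load-balanced Kerberos setup (example code)."""
import struct

KEYTAB_VERSION = b"\x05\x02"          # MIT keytab file format 0x0502
NT_PRINCIPAL = 1                      # name type written for each entry
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18  # enctype number used in the sample
REALM = "EXAMPLE.COM"                 # assumption: stands in for the poster's REALM
LB_SPN = f"HTTP/ourapacheloadbalancer.com@{REALM}"
SAMPLE_KEY = bytes(range(32))         # constructed key material, demo only


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into a 0x0502 keytab.

    Used here only to construct sample files; real keytabs come from ktpass/ktutil.
    """
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name_type, timestamp (0 for the sample), 8-bit kvno
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno; parsers prefer it
        out += struct.pack(">i", len(body)) + body  # entry size prefix
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return a list of dicts (principal, kvno, enctype, key) from a 0x0502 keytab."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("not an MIT 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # 32-bit kvno present: it overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def missing_spns(blob: bytes, required):
    """SPNs from `required` that the keytab does not contain (sorted)."""
    present = {e["principal"] for e in parse_keytab(blob)}
    return sorted(set(required) - present)


def kvno_conflicts(keytabs_by_host):
    """Principals present on more than one host with differing kvno values."""
    seen = {}
    for host, blob in keytabs_by_host.items():
        for e in parse_keytab(blob):
            seen.setdefault(e["principal"], {})[host] = e["kvno"]
    return {p: hosts for p, hosts in seen.items() if len(set(hosts.values())) > 1}


def sample_keytabs():
    """Constructed keytabs for the two hypothetical web servers."""
    enc = ENCTYPE_AES256_CTS_HMAC_SHA1_96
    ws1 = build_keytab([(LB_SPN, 3, enc, SAMPLE_KEY),
                        (f"HTTP/webserver1.com@{REALM}", 2, enc, SAMPLE_KEY)])
    # webserver2 got the LB SPN from a second ktpass run: kvno 4, not 3
    ws2 = build_keytab([(LB_SPN, 4, enc, SAMPLE_KEY),
                        (f"HTTP/webserver2.com@{REALM}", 1, enc, SAMPLE_KEY)])
    return {"webserver1": ws1, "webserver2": ws2}


if __name__ == "__main__":
    keytabs = sample_keytabs()
    for host, blob in keytabs.items():
        need = [LB_SPN, f"HTTP/{host}.com@{REALM}"]
        print(host, "missing:", missing_spns(blob, need) or "none")
    print("kvno conflicts:", kvno_conflicts(keytabs))
```

On a real host, `parse_keytab(open("/etc/apache2/http.keytab", "rb").read())` gives the same information as `klist -kt`, but the kvno comparison is the part worth automating: if the Windows side runs ktpass a second time for the load-balancer SPN to produce webserver2's keytab, the account password is reset and the kvno moves on, so the copy already on webserver1 stops decrypting tickets. The load-balancer SPN has to live on one AD account and the same keytab entry has to be copied to both web servers (for example merged with `ktutil`), which is what the layout in the reply implies. Apache also has to accept tickets for either name; with mod_auth_kerb that means `KrbServiceName Any` (or a KrbServiceName that matches the host the client actually addressed) together with a `Krb5Keytab` pointing at the merged file.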
