• Load Balancing KCDs

    From Jonathan Towles@21:1/5 to Robbie Harwood on Thu Feb 18 21:53:19 2021
    To: kerberos@mit.edu (kerberos@mit.edu)

    Yeah I saw this also.

    From what I've read holistically, putting your DCs behind a VIP tends to be problematic because the member server name doesn't match the name of the SPN, thus it becomes vehemently unhappy.

    I suppose you could possibly build an ASA, similar to how you do Kerberos with Exchange, and try to leverage that, but I've read/heard there's a ton of reliability issues and you should just rely on the krb5.conf like:

    [realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        # this KDC listens on port 750 instead of the default 88
        kdc = kerberos-2.mit.edu:750
        admin_server = kerberos.mit.edu
        master_kdc = kerberos.mit.edu
        default_domain = mit.edu
    }

    Jon Towles
    CTO, Synterex
    (m) 978-609-5545



    -----Original Message-----
    From: Robbie Harwood <rharwood@redhat.com>
    Sent: Thursday, February 18, 2021 4:48 PM
    To: Jonathan Towles <jjtowles@synterex.com>; kerberos@mit.edu
    Subject: Re: Load Balancing KCDs

    Jonathan Towles <jjtowles@synterex.com> writes:

    > Does anyone have experience putting DCs behind a network load balancer
    > for Kerberos Authentication?
    >
    > Depending on who you ask, it doesn't really work. I wanted to ask the
    > group to see if anyone has strong experience in doing it and if it's feasible?

    I usually refer to Simo's post on this:
    https://ssimo.org/blog/id_019.html

    Thanks,
    --Robbie

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
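
An added example, not part of either message: a small Python check for the client-side approach described above, which lists each realm's `kdc` entries from a krb5.conf `[realms]` section in file order and rejects a stanza that is never closed with `}`. The function names are hypothetical, the sample is constructed from the stanza in the message, and it assumes `host` or `host:port` values (no bracketed IPv6 literals).

```python
import re

# Constructed sample: the realm stanza from the message above, closed with "}".
SAMPLE = """\
[realms]
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu
    kdc = kerberos-1.mit.edu
    kdc = kerberos-2.mit.edu:750
    admin_server = kerberos.mit.edu
}
"""

DEFAULT_KDC_PORT = 88

def parse_realm_kdcs(text):
    """Return {realm: [(host, port), ...]} in file order; raise on an unclosed stanza."""
    realms, section, realm = {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            if realm is not None:
                raise ValueError(f"line {lineno}: realm {realm} not closed with '}}'")
            section = m.group(1)
            continue
        if section != "realms":
            continue
        if realm is None:
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:
                realm = m.group(1)
                realms[realm] = []
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "kdc":
            host, _, port = value.partition(":")
            realms[realm].append((host, int(port) if port else DEFAULT_KDC_PORT))
    if realm is not None:
        raise ValueError(f"realm {realm} not closed with '}}'")
    return realms

def single_kdc_realms(realms):
    """Realms whose krb5.conf entry lists fewer than two KDCs (no second entry to try)."""
    return [r for r, kdcs in realms.items() if len(kdcs) < 2]
```
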
  • From Robbie Harwood@21:1/5 to Jonathan Towles on Thu Feb 18 16:48:11 2021
    To: kerberos@mit.edu (kerberos@mit.edu)

    Jonathan Towles <jjtowles@synterex.com> writes:

    > Does anyone have experience putting DCs behind a network load balancer
    > for Kerberos Authentication?
    >
    > Depending on who you ask, it doesn't really work. I wanted to ask the
    > group to see if anyone has strong experience in doing it and if it's feasible?

    I usually refer to Simo's post on this:
    https://ssimo.org/blog/id_019.html

    Thanks,
    --Robbie
