Kerberos and load balancers

by Albert Ramsbottom -

Hi Folks

I was wondering if anyone could help with the configuration of Kerberos in an Apache load-balanced environment.

We have an external Apache HTTP gateway in the DMZ and an Apache load balancer in the back office. The gateway is set up to proxypass requests for an internal address to the HTTP gateway in the DMZ. So if a user goes to http://ourapacheserverinthedmz.com/us they will be proxypassed to our load balancer using the gateway's FQDN.

This preserves the FQDN in the DMZ and masks the internal addresses of our load balancer and two Apache web servers.

We have Kerberos working on one server, when the LB is shut down. To do this we got our Windows techies to create a service principal for http://webserver1.com and a corresponding keytab.

This works fine if we access the server directly via its own URL, i.e. http://webserver1.com, but how do we do this for two servers when the originating URL is that of the Apache gateway, i.e. http://ourapacheserverinthedmz.com/us?

Do we create one keytab for http://ourapacheserverinthedmz.com/us and have this added to the SPNs for both Apache web servers? Or do we simply have one keytab created for http://ourapacheserverinthedmz.com/us and then have an SPN for our load balancer?

http gateway
        |
Load balancer
        |
-----------------------
    |                      |
WS1              WS2 ---------------| KDC
    |--------------------------|


Cheers

Albert

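The keytab question above, illustrated with an added example that is not part of the post: a Kerberos client builds the SPN from the host in the URL it connects to, so a browser opening http://ourapacheserverinthedmz.com/us asks the KDC for HTTP/ourapacheserverinthedmz.com, and a keytab for that SPN (not the backend hostnames) has to be present on both web servers. The parser below reads MIT-format keytabs and checks them against the client-facing URL; the realm EXAMPLE.COM, the kvno values and the keytab bytes are constructed assumptions.

```python
import struct
from urllib.parse import urlsplit


def spn_for_url(url: str) -> str:
    """SPN a Kerberos client requests for url: HTTP/ plus the host it connects to."""
    return "HTTP/" + urlsplit(url).hostname.lower()


def keytab_principals(data: bytes) -> list[tuple[str, int]]:
    """Parse an MIT-format (0x0502) keytab into (principal, kvno) pairs."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    out, pos = [], 2

    def take(fmt):  # unpack fmt at pos and advance past it
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals

    while pos < len(data):
        (size,) = take(">i")
        if size <= 0:  # a negative size marks a deleted slot to skip over
            pos -= size
            continue
        end, strings = pos + size, []
        (ncomp,) = take(">H")
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = take(">H")
            strings.append(data[pos:pos + n].decode())
            pos += n
        _ntype, _ts, vno8, _enctype, klen = take(">IIBHH")  # key bytes follow
        # An optional 32-bit kvno after the key overrides the 8-bit one when nonzero.
        vno32 = struct.unpack_from(">I", data, pos + klen)[0] if end - pos - klen >= 4 else 0
        pos = end
        out.append(("/".join(strings[1:]) + "@" + strings[0], vno32 or vno8))
    return out


def keytab_covers(data: bytes, url: str) -> bool:
    """True if the keytab holds a key for the SPN a client will request for url."""
    want = spn_for_url(url)
    return any(p.split("@")[0] == want for p, _ in keytab_principals(data))


def build_entry(principal: str, kvno: int, enctype: int = 18) -> bytes:
    """Encode one keytab entry with dummy key bytes (constructed test data only)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm, *name.split("/")])
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, 32) + b"\0" * 32
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)


# Constructed keytabs: the post's working single-server one, and the one the gateway URL needs.
BACKEND_KEYTAB = b"\x05\x02" + build_entry("HTTP/webserver1.com@EXAMPLE.COM", 3)
GATEWAY_KEYTAB = b"\x05\x02" + build_entry("HTTP/ourapacheserverinthedmz.com@EXAMPLE.COM", 3)
```

The same GATEWAY_KEYTAB file (identical key and kvno) would be copied to both WS1 and WS2; the LB itself needs no SPN as long as it does not terminate the Kerberos exchange.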