Big IP with APM SSO and issues with reverse DNS
Hi folks, we're experimenting with replacing our ISA servers with our Big IPs, but we're running into issues with the way it does Kerberos SSO.
In a scenario where we're doing Kerberos SSO, there comes a time when the Big IP needs to specify a SPN to use when contacting the remote host where we're directing traffic. From what we can read in F5's documentation and from what we've observed in the field, the SPN is dynamically generated from the reverse DNS lookup performed on the IP of the destination.
The problem with this approach is this: say I have a web site http://www.mysite.mycompany.com, that site runs under the domain account ServiceAccount@mycompany.com, and the SPN http/mysite.mycompany.com is set on the domain account. That site is hosted on host host1.mycompany.com. Then the Big IP will take the IP of host1.mycompany.com and try to fetch a ticket with an SPN of http/host1.mycompany.com, which of course is not a valid SPN in our scenario. And what happens in a load balanced scenario where I have host1 and host2 in a farm configuration...
We know (through successful testing) that the SPN pattern field in the SSO profile is there to address that issue, but this will "lock" the SSO profile to that URL, hence leaving me with the not so elegant solution of having one SSO profile per URL. I'd really like to avoid that.
We could fool around with in-addr.arpa and change the reverse lookup for that host to resolve to mysite.mycompany.com but that doesn't scale at all and it breaks down if host1.mycompany.com has multiple web sites running on it.
I've read that 11.6 boasts a "new" feature where you can have a dynamic pool member where you can type an FQDN instead of the IP address. We're presently running 11.4, but if we upgrade, is the SPN generation still the same (using reverse DNS on the IP)? One would think that if you go through the "trouble" of specifying an FQDN as a pool member, then should you not use that name as the SPN?
I'm guessing we could also work this issue on the Active Directory side of things, making it so that the "wrong" SPN ends up resolving to something valid... maybe by setting a HOST SPN and then delegating that to the domain account SPN, but I fear we'll quickly run into unique name constraints on the Kerberos side of things.
So what are our options here, has anybody dealt with this? It seems like a pretty basic problem, but our limited experience with the Big IP is preventing us from seeing the solution here!
Thanks in advance for all your help and sorry for the long read :)
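Added example, not from the original post or from F5: a small Python model of the reverse-DNS SPN derivation described above, run over a constructed pool and a constructed SPN list, to flag pool members that would request an SPN not registered on the service account. The `%s` substitution is an assumption standing in for the SSO profile's SPN pattern field; the PTR table and SPN list are constructed data, not real DNS or AD.

```python
"""Model how a Kerberos SSO profile derives the target SPN from a reverse DNS
(PTR) lookup of the pool member IP, and audit a pool against the SPNs that are
actually registered on the service account.  All data below is constructed."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed PTR zone, keyed by the in-addr.arpa name the BIG-IP would query.
PTR_ZONE = {
    ipaddress.ip_address("10.0.0.11").reverse_pointer: "host1.mycompany.com",
    ipaddress.ip_address("10.0.0.12").reverse_pointer: "host2.mycompany.com",
}

# Constructed servicePrincipalName values on ServiceAccount@mycompany.com.
REGISTERED_SPNS = {"http/mysite.mycompany.com"}


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR target for ip, or None when no record exists."""
    return PTR_ZONE.get(ipaddress.ip_address(ip).reverse_pointer)


def derived_spn(ip: str, spn_pattern: str = "HTTP/%s") -> Optional[str]:
    """SPN the profile would request for one pool member.
    Assumption: '%s' is replaced by the reverse-DNS host name; a pattern with
    no '%s' is used literally (the 'locked to one URL' case in the post)."""
    if "%s" not in spn_pattern:
        return spn_pattern
    host = reverse_lookup(ip)
    return None if host is None else spn_pattern % host


def audit_pool(members: Iterable[str], registered: Iterable[str],
               spn_pattern: str = "HTTP/%s") -> Dict[str, Tuple[Optional[str], str]]:
    """Map each member IP to (spn, status); status is 'ok', 'unregistered' or 'no-ptr'.
    SPN comparison is case-insensitive, as AD treats the service class."""
    known = {s.lower() for s in registered}
    report = {}
    for ip in members:
        spn = derived_spn(ip, spn_pattern)
        if spn is None:
            report[ip] = (None, "no-ptr")
        else:
            report[ip] = (spn, "ok" if spn.lower() in known else "unregistered")
    return report


if __name__ == "__main__":
    # A two-node farm plus one member with no PTR record.
    for ip, (spn, status) in audit_pool(["10.0.0.11", "10.0.0.12", "10.0.0.13"],
                                        REGISTERED_SPNS).items():
        print(f"{ip}: {spn} -> {status}")
```

Running the audit with the literal pattern `HTTP/mysite.mycompany.com` instead of the default makes every member report `ok`, which is the per-URL profile trade-off the post describes.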