NimbostratusKerberos cache conflicts
Long story long...
I have created a VIP that handles PKI user cert to Kerberos. An access policy does cert checks and on completion the SSO Kerberos component does the delegation to pass to pre-emptive application. I am using reverse dns to get the machine name from pool/node ip address and have that set as the SPN on the apps account. In the SSO Kerberos component it uses another account set to delegate to the apps account. All that is working perfectly and has done since day one.
Now I read that I can set a SPN pattern and use %h as a replaceable char for the host entered by the user. I have tried this and it too works perfectly. This is configured on a different SSO Kerberos component using a different AD account for the delegation. It will simplify configuration should the client want to increase the size of the pool as it will not require any new SPNs.
The dilemma is I have created two VIPs one using reverse DNS and one using SPN pattern. When the same user connects to first app that is okay but when they connect to the second app Kerberos lookup fails. If I clear the Kerberos cache using bigstart restart websso they can then connect to the second app okay but not the first.
I have everything in the Common partition.
-
Can I segregate the Kerberos caches by creating a new partition for one of the apps plus components?
-
I have a HA pair and when I create a new partition it doesn't sync to other member. I would be grateful if someone could help with what I need to configure to get the new partition to sync to other unit please?
