satish_txt_2254
Aug 14, 2017 Cirrus
Kerberos behind F5 load-balancer
We have two Kerberos servers (FreeIPA). They are on private addresses, and now we want to expand the service to the public, so we are planning to put them behind F5 so I get high availability and protection too. But I am having a hard time making Kerberos happy behind F5, because now the client is talking to the F5 VIP with a different hostname and later it's getting NATed down to the server. I have added the F5 VIP SPN in Kerberos so it will trust the VIP, but still no luck. I am getting the following error in the logs now:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
I have added the following to krb5.conf:
allow_weak_crypto = yes
But the client is still not authenticating.