Kerberos behind F5 load-balancer

Question

We have two kerberos server (freeipa), they are on private address and now we want to expend service to public so planning to put them behind F5 so i get high availability and protection too, But having hard time to make kerberos happy behind F5 because now client talking to F5 VIP with different hostname and later it's getting NATed down to server, I have added f5 vip SPN&nbsp;in kerberos so it will trust VIP but still no luck i am getting following error in logs now
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
i have added krb5.conf
allow_weak_crypto = yes
but still client not authenticating.

stanislas_piro2 · Answer

Hi,&nbsp;
you can create a DNS PTR record. if VIP is 10.20.30.40 and application SPN is HTTP/myapp.company.com, create the following DNS record:&nbsp;
40.30.20.10.in-addr.arpa.INPTR myapp.company.com&nbsp;

Forum Discussion

Kerberos behind F5 load-balancer

1 Reply

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

NGINXaaS for Azure: Load Balancing

What is Load Balancing?

Load Balancing WebSockets

Deploying F5 BIG-IP with Azure Cross-region load balancer