Forum Discussion

JoeTheFifth
Jan 28, 2018

BigIP Kerberos constrained delegation and Web farm servers

So I have been testing APM and Kerberos constrained delegation. It is working in my current setup.

Current setup is:

- BIG-IP LTM/APM version 12.1.3
- Windows 7 client machine
- An Active Directory domain
- A web application with 2 servers
- Web site is running under an AD service account

I didn't create the delegation to the web servers. Instead I created the delegation to the web app service account: bigip service account => web app pool account.

 

Now, if I don't map my web site hostname (webapp.domain.com = web server IP), the setup does not work. If I add webapp.domain.com to the BIG-IP hosts file, the setup works. I have 2 servers, so I need to add entries for both servers.

Question: is there any better way of doing it without having to put entries in the hosts file? I know DNS can be used, but the DNS entry webapp.domain.com points to the virtual server in this case so that users can reach the site, and I can use only one DNS. Why doesn't the BIG-IP just pick a node in the pool and use it for the delegation?

The error in the APM log:

Jan 19 11:45:06 F5 err websso.1[17633]: 014d0019:3: /Common/CustomPolicy:Common:e8a77ee0: Kerberos: Failed to resolve IP address: ::ffff:10.0.10.3

If I put the entry webapp.mydomain.com = 10.0.10.3, the delegation succeeds.
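The log line in the post ("Failed to resolve IP address: ::ffff:10.0.10.3") and the fact that a hosts-file entry for the pool member IP fixes it both point at the same mechanism: APM resolves the pool member's IP back to a host name and builds the HTTP/<hostname> SPN from it, so the forward record that sends users to the virtual server does not help. The AD-side equivalent of the hosts-file workaround is a reverse (PTR) record for each pool member that answers with the web host name, which leaves the forward A record on the VIP untouched. The following PowerShell is an added example, not code from the post or from F5; it assumes the account names svc-bigip (the APM delegation account) and svc-webapp (the app pool account), a second pool member at 10.0.10.4 (only 10.0.10.3 appears in the post), webapp.domain.com as the SPN host, and that it is run on a domain controller that also serves DNS. It checks the delegation the post describes (BIG-IP account => app pool account), adds the PTR records, and shows what a resolver pointed at that DNS server will return.

```powershell
# Added example, not from the original post. Assumptions (not in the post):
#   svc-bigip   = the AD account APM uses for constrained delegation
#   svc-webapp  = the AD account the web application pool runs under
#   10.0.10.3 / 10.0.10.4 = the two pool members (only .3 appears in the post)
#   webapp.domain.com = the SPN host name; its A record stays on the BIG-IP virtual server
# Premise (from the "Failed to resolve IP address" log line): APM resolves the
# pool member IP back to a host name and uses that name to build the SPN.
# Run on a domain controller (or a host with RSAT) as a DNS/AD administrator.

Import-Module ActiveDirectory
Import-Module DnsServer

$BigIpAccount  = 'svc-bigip'          # assumption
$WebAppAccount = 'svc-webapp'         # assumption
$WebHost       = 'webapp.domain.com'
$PoolMembers   = @('10.0.10.3', '10.0.10.4')
$ReverseZone   = '10.0.10.in-addr.arpa'
$DnsServer     = $env:COMPUTERNAME    # assumption: this DC also runs DNS

# 1. The app pool account must hold the HTTP SPN the BIG-IP will request a ticket for.
$spns = (Get-ADUser -Identity $WebAppAccount -Properties servicePrincipalName).servicePrincipalName
if ($spns -notcontains "HTTP/$WebHost") {
    Write-Warning "HTTP/$WebHost is not registered on $WebAppAccount (setspn -S HTTP/$WebHost $WebAppAccount)"
}

# 2. The BIG-IP account must be allowed to delegate to that SPN
#    (the "bigip service account => web app pool account" delegation from the post).
$allowed = (Get-ADUser -Identity $BigIpAccount -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
if ($allowed -notcontains "HTTP/$WebHost") {
    Write-Warning "$BigIpAccount is not allowed to delegate to HTTP/$WebHost"
}

# 3. Reverse records: each pool member IP resolves back to the web host name, so the
#    BIG-IP's reverse lookup yields the SPN host without changing the forward record.
if (-not (Get-DnsServerZone -Name $ReverseZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.0.10.0/24' -ReplicationScope Domain -ComputerName $DnsServer
}
foreach ($ip in $PoolMembers) {
    $lastOctet = $ip.Split('.')[-1]
    $existing = Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name $lastOctet -RRType Ptr `
                    -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $lastOctet `
            -PtrDomainName $WebHost -ComputerName $DnsServer
    }
}

# 4. Verify what a resolver using this DNS server sees:
#    forward name -> virtual server IP (for users), each member IP -> web host name (for APM).
Resolve-DnsName -Name $WebHost -Type A -Server $DnsServer
foreach ($ip in $PoolMembers) {
    Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer
}
```

Two things to check after running it. The BIG-IP must actually use a DNS server that serves the reverse zone (the resolver configured under System > Configuration > Device > DNS), otherwise the PTR records change nothing and the hosts file remains the only lookup that succeeds. And the name returned by the PTR record must match the host part of the SPN the app pool account holds exactly (including the domain suffix), because that name is what ends up in the ticket request; a PTR that returns the server's real computer name instead of webapp.domain.com reproduces the original failure with a different error.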