Kerberos authentication fails if both the load balancer host name and the ProxySG appliance host name are used in the same realm

Article ID: 168349

Products

Asset Management Solution ProxySG Software - SGOS

Issue/Introduction

If a single Kerberos realm is used in such a way that some clients authenticate against the ProxySG appliance host name while other clients authenticate against the load balancer host name, authentication fails for the clients that use the appliance host name, with the following error message:

Either the realm has been configured to use the wrong Kerberos service principal, or the SG has the wrong password for the principal.

In other words, this scenario happens if some clients are using a load balancer, and other clients are directly accessing the appliance behind the load balancer.
 

Resolution

This is an unsupported configuration. A Kerberos realm on the appliance holds the key of exactly one service principal, so the appliance cannot decrypt, within the same realm, both the Kerberos tokens issued for its own machine account (the appliance host name scenario) and the tokens issued for the Kerberos load balancer account configured in the authentication realm (the load balancer host name scenario). The solution in these circumstances is to use two separate Kerberos authentication realms: one for the appliance host name and another one for the load balancer host name.
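The following added example is not part of this article and is not ProxySG code; it models why the single-realm setup fails and how the two-realm setup resolves it. Kerberos ticket encryption is stood in for by an HMAC tag keyed with the service account's long-term key, and all host names, principal names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed model of Kerberos service-ticket handling. A real KDC encrypts
# the service ticket with the long-term key of the account that owns the
# requested SPN, and the service can only open it with that same key. Here
# "encryption" is an HMAC tag over the ticket body, which is enough to show
# which key opens which ticket.

SERVICE_ERROR = ("Either the realm has been configured to use the wrong Kerberos "
                 "service principal, or the SG has the wrong password for the principal.")


def long_term_key(password: str, principal: str) -> bytes:
    """Derive an account's long-term key from its password, salted with the principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000, dklen=32)


# Two accounts, two keys: the appliance machine account and the load balancer account.
# Host names and passwords are hypothetical.
KEYS = {
    "HTTP/proxysg01.example.com": long_term_key("appliance-machine-pw", "HTTP/proxysg01.example.com"),
    "HTTP/proxy-vip.example.com": long_term_key("lb-account-pw", "HTTP/proxy-vip.example.com"),
}


def kdc_issue_ticket(spn: str, client: str) -> dict:
    """KDC side: seal the ticket with the key of the account that owns the requested SPN."""
    body = json.dumps({"spn": spn, "client": client}, sort_keys=True).encode()
    tag = hmac.new(KEYS[spn], body, "sha256").digest()
    return {"body": body, "tag": tag}


class KerberosRealm:
    """One authentication realm on the appliance: exactly one service principal and its key."""

    def __init__(self, name: str, spn: str, key: bytes) -> None:
        self.name, self.spn, self.key = name, spn, key

    def authenticate(self, ticket: dict) -> str:
        """Open the ticket with this realm's key; a key mismatch reproduces the article's error."""
        expected = hmac.new(self.key, ticket["body"], "sha256").digest()
        if not hmac.compare_digest(expected, ticket["tag"]):
            raise PermissionError(f"{self.name}: {SERVICE_ERROR}")
        return json.loads(ticket["body"])["client"]


def pick_realm(realms: list, requested_host: str) -> KerberosRealm:
    """Route the request to the realm whose SPN matches the host name the client used."""
    for realm in realms:
        if realm.spn == f"HTTP/{requested_host}":
            return realm
    raise LookupError(f"no realm configured for HTTP/{requested_host}")


def authenticate_with(realms: list, requested_host: str, client: str) -> str:
    """Client obtains a ticket for the host it connects to; the matching realm validates it."""
    ticket = kdc_issue_ticket(f"HTTP/{requested_host}", client)
    return pick_realm(realms, requested_host).authenticate(ticket)


def demo() -> dict:
    """Compare the unsupported single-realm setup with the supported two-realm setup."""
    lb_realm = KerberosRealm("lb-realm", "HTTP/proxy-vip.example.com",
                             KEYS["HTTP/proxy-vip.example.com"])
    appliance_realm = KerberosRealm("appliance-realm", "HTTP/proxysg01.example.com",
                                    KEYS["HTTP/proxysg01.example.com"])
    results = {}

    # Unsupported: one realm, holding only the load balancer account key, serves every client.
    results["lb_client_single_realm"] = lb_realm.authenticate(
        kdc_issue_ticket("HTTP/proxy-vip.example.com", "alice"))
    try:
        lb_realm.authenticate(kdc_issue_ticket("HTTP/proxysg01.example.com", "bob"))
        results["direct_client_single_realm"] = "ok"
    except PermissionError as err:
        results["direct_client_single_realm"] = str(err)

    # Supported: one realm per host name, selected by the host the client connected to.
    both = [lb_realm, appliance_realm]
    results["lb_client_two_realms"] = authenticate_with(both, "proxy-vip.example.com", "alice")
    results["direct_client_two_realms"] = authenticate_with(both, "proxysg01.example.com", "bob")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The single-realm case shows the failure the article describes: the ticket for the appliance host name was sealed by the KDC with the machine account's key, and a realm configured with the load balancer account's key cannot open it. With one realm per host name, each client's ticket reaches a realm that holds the matching key.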