Kerberos Authentication and Load balancers

Article ID: 190014

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running a Web Agent behind a load balancer and we'd like to know
if the principal should be the load balancer SPN?

Environment


Web Agent 12.52SP1CR10 on Apache 2.4.41 on RedHat 7;

Resolution


At first glance, yes: when you run the Web Agent behind a front load
balancer, the SPN you should set for the Web Agent is the load balancer
one, as stated in the following troubleshooting notes:

Kerberos Troubleshooting

  CA Single Sign-On Agent Configuration Object

    | ACO Option           | ACO Value Format                    | Description                                              |
    |----------------------+-------------------------------------+----------------------------------------------------------|
    | HttpServicePrincipal | HTTP/web-server-name@kerberos-realm | This option is used by the web agent when authenticating |
    |                      |                                     | to the KDC. It is always in the form                     |
    |                      |                                     | HTTP/web-server-name@kerberos-realm, where               |
    |                      |                                     | web-server-name is the name of the web server (as used   |
    |                      |                                     | by the HTTP user agent) and kerberos-realm is the        |
    |                      |                                     | Kerberos realm. For example, there might be multiple web |
    |                      |                                     | servers behind a load balancer virtual IP. In that case, |
    |                      |                                     | you would specify the name of the load balancer rather   |
    |                      |                                     | than a specific server.                                  |

https://community.broadcom.com/communities/community-home/librarydocuments/viewdocument?DocumentKey=bc3b8de9-fe6a-4394-94b4-4d549a943ab0

According to the following KB article, when handling the Kerberos
Authentication Scheme, the Policy Server does the following:

  The sequence of Kerberos Authentication.

  [...]

    7. Policy Server responds to the IsProtected() call from the Web Agent
       with the realm and authentication scheme URL

  [...]

    34. Policy Server reads the krb5.ini file
    35. GSSAPI retrieves the Policy Server principal's credentials from the
        keytab file
    36. GSSAPI returns the accepted security context
    37. The authentication scheme queries the delegated security token for
        its principal
    38. The authentication scheme verifies that the delegated security
        token's principal matches the intended principal

    https://knowledge.broadcom.com/external/article?articleId=14920
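As an added illustration that is not part of this KB article or of the SiteMinder product, the following Python lints an HttpServicePrincipal value the way the ACO table above describes it (the host part must be the load balancer name that browsers use, not an individual backend node) and models the principal comparison from step 38. The hostnames lb.example.com, web1.example.com and web2.example.com and the realm EXAMPLE.COM are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# service/host@realm, the HTTP/web-server-name@kerberos-realm shape from the ACO table above
SPN_RE = re.compile(r"^(?P<service>[A-Za-z]+)/(?P<host>[^@/\s]+)@(?P<realm>[^@\s]+)$")

@dataclass(frozen=True)
class Spn:
    service: str  # upper-cased (HTTP)
    host: str     # lower-cased: DNS names are case-insensitive
    realm: str    # kept as written: Kerberos realms are case-sensitive

def parse_spn(spn: str) -> Spn:
    """Split 'HTTP/host@REALM' into its parts; reject anything else."""
    m = SPN_RE.match(spn.strip())
    if not m:
        raise ValueError(f"not a service/host@realm principal: {spn!r}")
    return Spn(m["service"].upper(), m["host"].lower(), m["realm"])

def requested_spn_for_url(url: str, realm: str) -> str:
    """SPN a browser asks the KDC for: HTTP/<host part of the URL>@realm."""
    return f"HTTP/{urlparse(url).hostname}@{realm}"

def principal_matches(token_spn: str, configured_spn: str) -> bool:
    """Step 38 above: the delegated token's principal must equal the intended one."""
    return parse_spn(token_spn) == parse_spn(configured_spn)

def check_http_service_principal(aco_value: str, public_hostname: str,
                                 backend_hostnames: Iterable[str]) -> List[str]:
    """Lint HttpServicePrincipal for a Web Agent behind a load balancer whose VIP
    name is public_hostname; backend_hostnames are the Apache nodes behind it."""
    try:
        spn = parse_spn(aco_value)
    except ValueError as e:
        return [str(e)]
    public, findings = public_hostname.lower(), []
    if spn.service != "HTTP":
        findings.append(f"service class {spn.service!r}; browsers request HTTP/<host>")
    if spn.host in {h.lower() for h in backend_hostnames}:
        findings.append(f"{spn.host} is a backend node; clients request HTTP/{public}")
    elif spn.host != public:
        findings.append(f"SPN host {spn.host} is not the public name {public}")
    return findings  # empty list: consistent with the KB guidance above
```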