
Re: [lvs-users] SSO (single sign on) problem with loadbalancer

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] SSO (single sign on) problem with loadbalancer
From: "Huesser Peter" <peter.huesser@xxxxxx>
Date: Fri, 19 Feb 2010 09:33:24 +0100
Hello

The solution to the problem was quite simple. The principal name I had in the 
keytab file was the virtual name of the webservice used by the loadbalancer. 
This was wrong. I had to choose the name used in the URL, which is a DNS alias 
to the VIP.

Cheers,

Pedro

> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On behalf of Huesser Peter
> Sent: Friday, 5 February 2010 18:26
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] SSO (single sign on) problem with loadbalancer
> 
> The funny thing is that no packages are sent to the Kerberos server if I
> contact the VIP. Contacting the real server immediately initiates some
> communication with the Kerberos server. I already thought it could be a
> problem with the loopback interface for the VIP one has to configure on
> the real servers to make direct routing work. But maybe I am
> completely wrong. I already checked the Kerberos configuration and the
> keytab files. For me they look fine.
> 
> Do you mean it should in principle work, so SSO and loadbalancing do
> not bite each other?
> 
> Pedro
> 
> > From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On behalf of Graeme Fowler
> > Sent: Friday, 5 February 2010 13:00
> > To: LinuxVirtualServer.org users mailing list.
> > Subject: Re: [lvs-users] SSO (single sign on) problem with loadbalancer
> >
> > On Fri, 2010-02-05 at 10:23 +0100, Huesser Peter wrote:
> > > None of this works. Connecting directly to the host, SSO works fine if I
> > > use the first or third keytab file, but connecting via loadbalancer does
> > > not work. So I have two questions:
> > >
> > > - Does somebody have a similar situation which works?
> > > - If yes: any ideas what could be wrong in my settings?
> >
> > It sounds like the load-balanced service isn't aware that it has a
> > "virtual" hostname. If the tickets with the server hostnames work, but
> > the one with the virtual hostname as the SPN doesn't, then the
> > application or server(s) aren't aware of the virtual SPN.
> >
> > This is almost certainly a Kerberos mapping problem, rather than an LVS
> > one.
> >
> > Graeme
> >
> >
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> 

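The mismatch described in the first message of this thread (keytab principal named after the virtual service instead of the host name in the URL) can be checked with a short script. This is an added example, not part of the original thread: it derives the service principal from the URL clients use and looks for it in `klist -k` style output. The host names, realm, keytab path and listing are constructed, and the `HTTP/` service class is an assumption for a web service using Negotiate authentication.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output for the web server's keytab.
# Host names, realm and keytab path are placeholders, not values from the thread.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web-vs.example.com@EXAMPLE.COM
   3 HTTP/real1.example.com@EXAMPLE.COM'

# Extract the host part of a URL: strip scheme, path, userinfo and port,
# then lower-case it (host names are case-insensitive).
url_host() {
    printf '%s\n' "$1" |
        sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|[/?#].*$||' \
            -e 's|^.*@||' -e 's|:[0-9]*$||' |
        tr 'A-Z' 'a-z'
}

# Service principal expected for a login to URL in REALM.
# Assumption: service class HTTP, host name taken exactly as typed in the URL.
expected_spn() {
    printf 'HTTP/%s@%s\n' "$(url_host "$1")" "$2"
}

# Principals in `klist -k` output: rows of "<kvno> [timestamp] <principal>".
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $NF }' | sort -u
}

# Returns 0 when the keytab holds the principal for URL; otherwise prints
# the missing principal and what the keytab does contain, and returns 1.
check_keytab_for_url() {
    want=$(expected_spn "$1" "$2")
    have=$(keytab_principals "$3")
    if printf '%s\n' "$have" | grep -Fqx -- "$want"; then
        echo "OK: $want is in the keytab"
        return 0
    fi
    echo "MISSING: $want"
    echo "keytab has:"
    printf '  %s\n' $have
    return 1
}

# URL uses the DNS alias, keytab only has the virtual service name: reports MISSING.
check_keytab_for_url 'https://intranet.example.com/app' EXAMPLE.COM "$SAMPLE_KEYTAB_LISTING" || true
```

On a real server, pass the output of `klist -k` for the web server's keytab as the third argument in place of the constructed listing.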
