Kerberos behind load balancer?

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Oct 6 13:41:15 EDT 2004


>How do you list both in DNS?  Are you implying that in DNS you only have
>(for instance) kerb1.mit.edu and kerb2.mit.edu and list both machines as
>KDCs in the krb5.conf.  If so, the app then randomly picks a KDC and
>tries that and if that fails, it rolls over to the next?  You then build
>that functionality into each and every app.

That's exactly it.  Although, it doesn't pick one randomly.  It picks
the one with the lower priority in the SRV record, or the first one in
the file.  But ... you don't have to change _a single line_ of code to
do this.  The Kerberos library does all this for you automagically
(this is true of the "Big Three" of Kerberos implementations: MIT,
Heimdal, and Microsoft).  Speaking as someone who's written their fair
share of Kerberos code, I can say this with some confidence (there isn't
actually a supported way to say, "Send my request to KDC X" - the library
makes that decision for you).

--Ken
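The selection and failover behaviour described above, written out as an added illustration (not code from the post or from any Kerberos library): SRV answers ordered by priority, then weight, with the krb5.conf list as the fallback, and each KDC tried in turn. The hostnames, SRV records and krb5.conf entries are constructed samples, and the `probe` callable stands in for a real KDC exchange.

```python
import random
from dataclasses import dataclass

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample of what _kerberos._udp.<REALM> might answer (hypothetical hostnames).
SRV_RECORDS = [
    SrvRecord(priority=20, weight=0, port=88, target="kerb2.example.com"),
    SrvRecord(priority=10, weight=0, port=88, target="kerb1.example.com"),
]
# Constructed sample of the 'kdc =' lines from a krb5.conf [realms] stanza, in file order.
KRB5_CONF_KDCS = ["kerb1.example.com:88", "kerb2.example.com:88"]

def order_srv(records, rng=None):
    """Lowest priority first; within one priority, weighted random as in RFC 2782."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        tier = [r for r in records if r.priority == prio]
        while tier:
            total = sum(r.weight for r in tier)
            roll, running, pick = rng.randint(0, total), 0, tier[0]
            for r in tier:
                running += r.weight
                if running >= roll:
                    pick = r
                    break
            ordered.append(tier.pop(tier.index(pick)))
    return ordered

def kdc_candidates(srv_records, conf_kdcs):
    """SRV answers win when present; otherwise fall back to krb5.conf order."""
    if srv_records:
        return [f"{r.target}:{r.port}" for r in order_srv(srv_records)]
    return list(conf_kdcs)

def send_to_kdc(candidates, probe):
    """Try each KDC in order; probe(kdc) returns True when that KDC answered."""
    for kdc in candidates:
        if probe(kdc):
            return kdc
    return None  # every KDC in the list was unreachable
```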
