Kerberos behind load balancer?

Kasundra, Digant digant at
Wed Oct 6 14:04:45 EDT 2004

Jason can correct me if I'm wrong, but the internal politics here would not allow us to do this.  I'm not 100% sure, however.  

-----Original Message-----
From: kerberos-bounces at on behalf of Ken Hornstein
Sent: Wed 10/6/2004 12:41 PM
To: kerberos at
Subject: Re: Kerberos behind load balancer? 
>How do you list both in DNS?  Are you implying that in DNS you only have
>(for instance) and and list both machines as
>KDCs in the krb5.conf.  If so, the app then randomly picks a KDC and
>tries that and if that fails, it rolls over to the next?  You then build
>that functionality into each and every app.

That's exactly it.  Although, it doesn't pick one randomly.  It picks
the one with the lower priority in the SRV record, or the first one in
the file.  But ... you don't have to change _a single line_ of code to
do this.  The Kerberos library does all this for you automagically
(this is true of the "Big Three" of Kerberos implementations: MIT,
Heimdal, and Microsoft).  Speaking as someone who's written their fair
share of Kerberos code, I can say this with some confidence (there isn't
actually a supported way to say, "Send my request to KDC X" - the library
makes that decision for you).
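
As an added illustration (not code from this thread or from any Kerberos library), the client-side ordering described above can be modelled in Python: SRV records sorted by priority, or krb5.conf entries in file order, tried in turn until one answers. The example.com hostnames, the sample records and the function names are constructed, and SRV weight is ignored in this sketch.

```python
import re

# Constructed sample data; example.com names are placeholders, not from the thread.
SRV_RECORDS = """\
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 10 0 88 kdc2.example.com.
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 0 0 88 kdc1.example.com.
"""

KRB5_CONF = """\
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com
    }
"""

def kdcs_from_srv(zone_text):
    """Return (host, port) pairs ordered by SRV priority, lowest value first."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "SRV" not in fields:
            continue
        prio, _weight, port, target = fields[fields.index("SRV") + 1:][:4]
        records.append((int(prio), target.rstrip("."), int(port)))
    # sorted() is stable, so equal priorities keep their listed order.
    return [(host, port) for _prio, host, port in sorted(records, key=lambda r: r[0])]

def kdcs_from_conf(conf_text, realm):
    """Return the realm's kdc entries in the order they appear in the file."""
    block = re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)\}",
                      conf_text, re.S | re.M)
    if not block:
        return []
    out = []
    for value in re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M):
        host, _, port = value.partition(":")
        out.append((host, int(port) if port else 88))  # 88 is the Kerberos port
    return out

def first_responding(candidates, is_up):
    """Try candidates in order; return the first for which is_up() is true."""
    for kdc in candidates:
        if is_up(kdc):
            return kdc
    return None
```

Here `is_up` stands in for the library's own request-and-timeout logic, which the application never sees.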
