Kerberos behind load balancer?
digant at uta.edu
Wed Oct 6 14:04:45 EDT 2004
Jason can correct me if I'm wrong, but the internal politics here would not allow us to do this. I'm not 100% sure, however.
From: kerberos-bounces at mit.edu on behalf of Ken Hornstein
Sent: Wed 10/6/2004 12:41 PM
To: kerberos at mit.edu
Subject: Re: Kerberos behind load balancer?
>How do you list both in DNS? Are you implying that in DNS you only have
>(for instance) kerb1.mit.edu and kerb2.mit.edu and list both machines as
>KDCs in the krb5.conf? If so, the app then randomly picks a KDC and
>tries that and if that fails, it rolls over to the next? You then build
>that functionality into each and every app.
That's exactly it. Although, it doesn't pick one randomly. It picks
the one with the lower priority in the SRV record, or the first one in
the file. But ... you don't have to change _a single line_ of code to
do this. The Kerberos library does all this for you automagically
(this is true of the "Big Three" of Kerberos implementations: MIT,
Heimdal, and Microsoft). Speaking as someone who's written their fair
share of Kerberos code, I can say this with some confidence (there isn't
actually a supported way to say, "Send my request to KDC X" - the library
makes that decision for you).
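
The selection order described in the reply above, as an added example (not part of the original thread, and not MIT, Heimdal or Microsoft code): a simplified Python model of a client taking KDCs in krb5.conf file order, or from DNS SRV answers lowest priority first, and failing over to the next one. The realm EXAMPLE.COM, the hostnames and the `is_up` probe are constructed placeholders, and RFC 2782 weight handling is omitted.

```python
import re

# Constructed sample data: realm and hostnames are placeholders.
KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kerb1.example.com
        kdc = kerb2.example.com:88
        admin_server = kerb1.example.com
    }
"""

# Constructed SRV answers for _kerberos._udp.EXAMPLE.COM: (priority, weight, port, target)
SRV_RECORDS = [
    (10, 0, 88, "kerb2.example.com."),
    (0, 0, 88, "kerb1.example.com."),
]


def kdcs_from_conf(text, realm):
    """Return (host, port) KDCs for realm in the order they appear in the file."""
    block = re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)\}", text, re.S | re.M)
    if not block:
        return []
    kdcs = []
    for value in re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M):
        host, _, port = value.partition(":")
        kdcs.append((host, int(port) if port else 88))
    return kdcs


def kdcs_from_srv(records):
    """Order SRV targets by priority, lowest first (weights ignored in this sketch)."""
    ordered = sorted(records, key=lambda r: r[0])  # stable: ties keep answer order
    return [(target.rstrip("."), port) for _prio, _weight, port, target in ordered]


def first_reachable(kdcs, is_up):
    """Walk the ordered list and return the first KDC that answers, else None."""
    for kdc in kdcs:
        if is_up(kdc):
            return kdc
    return None


if __name__ == "__main__":
    up = lambda kdc: kdc[0] != "kerb1.example.com"  # simulate kerb1 being offline
    print(first_reachable(kdcs_from_conf(KRB5_CONF, "EXAMPLE.COM"), up))
    print(first_reachable(kdcs_from_srv(SRV_RECORDS), up))
```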