Kerberos behind load balancer?

Frank Cusack fcusack at fcusack.com
Wed Oct 6 14:34:04 EDT 2004


On Wed, 6 Oct 2004 12:54:27 +0000 (UTC) jthardy at uta.edu (Jason T Hardy) wrote:
> I can't modify DNS.

Ah, well then that's a crazy restriction (since as a sysadmin, one
with a load balancer at your disposal, you can almost certainly spoof
DNS and make it do what you want anyway.  I doubt you use TSIGs even
internally).  But given that restriction, yeah load balancing sounds
reasonable.

But let's be clear, it doesn't "allow" you to do things as you
described earlier in the sense that you couldn't do them anyway; MIT
krb5 out of the box allows you to do those things.

>> The load balancer is simply another failure point.
>
> As is everything else.

However, load balancers are complicated devices and more prone to failure.

/fc

