Kerberos behind load balancer?

Frank Cusack fcusack at
Wed Oct 6 16:43:34 EDT 2004

On Wed, 6 Oct 2004 19:31:19 +0000 (UTC) jthardy at (Jason T Hardy) wrote:
> I guess the problem that everyone is having with our deployment is the
> term load-balancer. We don't actually want to ease the load off of our

Good, because:

> You'll say that DNS is the answer. I would agree. The problem is, we
> don't have access, or support from the folks controlling our DNS, to add
> the SRV records which would simplify the whole mess. Since we already
> have a load balancing switch (NetScaler) around for other purposes,
> we're trying to use it in place of doing things properly. :-)

The netscaler can only do 325k UDP qps, and this is the big netscaler
(9900) without any other load on it.  So putting a netscaler in front
of your KDCs actually reduces service capacity.

Availability, as mentioned earlier, is already dealt with quite well
in the libraries.  (But really requires the ability to play with DNS.)

