Kerberos behind load balancer?
Frank Cusack
fcusack at fcusack.com
Wed Oct 6 16:31:52 EDT 2004
On Wed, 6 Oct 2004 19:21:19 +0000 (UTC) glavoy at apple.com (Gary LaVoy) wrote:
>>>> The load balancer is simply another failure point.
>>>
>>> As is everything else.
>>
>> However load balancers are complicated devices and more prone to
>> failure.
>
> WHOA! - Yes load balancers can be complicated if you want to use all
> the features, but "prone to failure"?? where do you get that from?

Personal experience.

I have worked with every load balancer on the market; I have not seen
a single one, even in HA mode, that hasn't failed completely at one
time or another. Including Netscaler, which Jason indicates they are
using. We tend to be the people that tell the LB people what features
to implement (just like large ISPs tell router vendors what they
need); specifically to Netscaler I personally have worked *very*
closely with them on their feature set. I just mention that to make
it clear that it's not a case of immature/inexperienced network
administration.

Since krb5 can work quite effectively WITHOUT a LB, it simply does not
make sense to add the extra failure point (unless you have to for
other reasons like you can't change DNS).

/fc