load balancing Kerberos

Greg Hudson ghudson at MIT.EDU
Thu Dec 6 11:36:22 EST 2012


On 12/06/2012 11:18 AM, Jim Green wrote:
> There is a proposal here at Michigan State to put our MIT Kerberos system
> behind our F5 BigIP load balancer.  The idea is to have automatic failover
> to one of our Kerberos slaves for authentication requests, and also to have
> additional flexibility to make changes to the server infrastructure behind
> the F5 invisibly (or less visibly) to users.

You can certainly put Kerberos behind an F5.

Kerberos clients already fail over explicitly to slaves.  Explicit
failover has the advantage that (with proper configuration) clients can
know whether they got an answer from the master or a slave, and can
retry with the master on failure.  That way, if you just changed your
password and the change hasn't propagated to the slaves, you can still
authenticate with the new password.  (Currently MIT krb5 clients only
retry with the master when getting initial tickets with a password.  We
should probably do the same when authenticating with a keytab or when
making a TGS request, to better handle service or TGT key rollovers.)

Doing the failover invisibly should work fine for successful cases, but
will defeat the retry-with-master logic if there is any significant
propagation delay in your KDC architecture.
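
The two client setups contrasted in this reply, sketched as krb5.conf fragments (an added example, not part of the original message). It assumes the "proper configuration" mentioned above means the `master_kdc` realm setting; the realm and host names are constructed placeholders.

```ini
# --- Variant 1: explicit failover, client knows which KDC is the master ---
[realms]
    EXAMPLE.EDU = {
        # Every KDC is listed, so the client itself moves to the next
        # entry when one does not answer.
        kdc = kdc-master.example.edu
        kdc = kdc-slave1.example.edu
        kdc = kdc-slave2.example.edu
        # Identifies the master. After a failed password-based initial
        # ticket request answered by a slave, the client retries here,
        # which covers a password change that has not propagated yet.
        master_kdc = kdc-master.example.edu
        admin_server = kdc-master.example.edu
    }

# --- Variant 2 (replaces variant 1): everything behind the load balancer ---
[realms]
    EXAMPLE.EDU = {
        # Single virtual address (placeholder name). The load balancer picks
        # the master or a slave, and the client cannot tell which one
        # answered.
        kdc = kerberos.example.edu
        # With the master reachable only through the same virtual address,
        # a retry may be routed to a slave holding the old key.
        master_kdc = kerberos.example.edu
        admin_server = kerberos.example.edu
    }
```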


