spn alias

Michael B Allen ioplex at gmail.com
Thu Mar 6 17:23:49 EST 2025


On Thu, Mar 6, 2025 at 11:45 AM Stefan Kania <stefan at kania-online.de> wrote:

> Hi to all,
> is it possible to set an alias for the SPN? We are still having the problem
> doing Kerberos authentication through a loadbalancer. We created a
> principal for the loadbalancer and a keytab. We then added the key to
> the ldap-keytab file, so we are having both, the ldap key for the server
> and the ldap key for the loadbalancer in one file. This file we use as
> keytab for the ldap-server. The client connects to the loadbalancer (with
> ldapsearch) and we are getting "err=49" and the log is showing that the
> SPN is wrong. So we think with an alias for the SPN for the loadbalancer
> it might work. Or is there any other way to get the
> Kerberos authentication through the loadbalancer?
>

Hi Stefan,

How are you load balancing LDAP exactly?

The most common way to load balance LDAP is to use SRV records.
Clients pick a server based on SRV record priority and weight.

An SPN /is/ an alias for an account + secret so, no, I would not say you
can have an alias for an SPN.

Each service instance should have a unique DNS hostname with a unique SPN
that probably refers to different accounts but it is common to have
multiple SPNs reference the same account (albeit usually for different
schemes).

If your load balancing is more like a reverse proxy arrangement, that would
mean clients are all using the same exact SPN which means each endpoint
must use the same account + secret and thus the same key. This sounds like
your point-of-failure.

But I'm no expert on such things. I have never load balanced LDAP in any
way other than the usual SRV record method.

If you explain your architecture in a little more depth, you might get a
better answer.

Mike

-- 
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
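The SRV-based load balancing Mike describes above works out in code as follows. This is an added example, not code from the original thread or from either poster: it parses constructed zone-file SRV lines (the example.com hostnames are invented), orders them the way an RFC 2782 client does (lowest priority group first, weighted random order within a group, weight-0 records placed so they are rarely chosen), and derives the service principal a GSSAPI client such as ldapsearch would request, which it assumes to be ldap/<fqdn of the host it connects to>. That last step is the point of the reply: with SRV records every backend is reached under its own hostname and therefore its own SPN and key, whereas a reverse proxy reached under one hostname makes every backend answer for one SPN and so one key. The FixedRng class exists only to make the two extreme outcomes reproducible.

```python
"""RFC 2782 SRV selection for _ldap._tcp.<domain>, with the SPN each target implies.

Added example, not code from the original post. The zone-file lines and the
example.com hostnames below are constructed sample data.
"""
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN without trailing dot


def parse_srv_rr(line: str) -> SrvRecord:
    """Parse one zone-file style SRV RR: 'owner ttl IN SRV prio weight port target'."""
    fields = line.split()
    if len(fields) < 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV RR: {line!r}")
    prio, weight, port = (int(x) for x in fields[4:7])
    return SrvRecord(prio, weight, port, fields[7].rstrip("."))


class FixedRng:
    """Deterministic stand-in for random.Random: always picks the low or high bound."""

    def __init__(self, high: bool) -> None:
        self.high = high

    def randint(self, a: int, b: int) -> int:
        return b if self.high else a


def order_srv(records: Sequence[SrvRecord], rng: Optional[object] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them (RFC 2782).

    Lower priority values are tried first. Within one priority, records are
    drawn by weight: weight-0 records are moved to the front so that they are
    only selected when the random value is 0 (i.e. rarely).
    """
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # stable: weight-0 first
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def spns_for(records: Sequence[SrvRecord], service: str = "ldap") -> List[str]:
    """SPN a GSSAPI client derives from the host it connects to (assumed: service/<fqdn>)."""
    return [f"{service}/{r.target}" for r in records]


# Constructed sample zone data: three primaries with different weights
# (one weight 0) and a lower-priority fallback server.
SAMPLE_ZONE = """\
_ldap._tcp.example.com. 3600 IN SRV 10 60 389 ldap1.example.com.
_ldap._tcp.example.com. 3600 IN SRV 10 40 389 ldap2.example.com.
_ldap._tcp.example.com. 3600 IN SRV 10 0 389 ldap3.example.com.
_ldap._tcp.example.com. 3600 IN SRV 20 100 389 ldap-dr.example.com.
"""
SAMPLE_RECORDS = [parse_srv_rr(l) for l in SAMPLE_ZONE.splitlines() if l.strip()]


if __name__ == "__main__":
    for rec in order_srv(SAMPLE_RECORDS, random.Random(1)):
        print(f"{rec.target}:{rec.port}  -> SPN {spns_for([rec])[0]}")
```

Each line of the output names a distinct host and a distinct SPN, which is why the keytab on ldap1 only needs ldap/ldap1.example.com. In a reverse-proxy setup the client would instead build ldap/<proxy-hostname> for every connection, and that single key would have to be present and identical on every backend.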

