cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2705
Views
0
Helpful
3
Replies

ACE module - http connection problems with kerberos authentication

wilger1976
Level 1
Level 1

To use single-sign-on on an internal web based application, we use kerberos (ISS with windows integrated authentication) over a CSS11503 loadbalancer, and it works perfectly.

Now I test the same environment, instead the CSS I use a ACE module (we need the cookie-stickiness feature) and I get errors, missing website parts, pictures, etc

When I change the authentication from Kerberos to NTLM or base64, I get no errors.

I hope someone has any ideas that can solve this problem

Best regards

Gerhard

3 Replies 3

sachinga.hcl
Level 4
Level 4

Hi Gerhard,

As you know Kerberos is a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Although it is a widely used protocol, it has the following drawbacks:

1. Kerberos requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms.

2. Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized.

3. The administration protocol is not standardized and differs between server implementations. Password changes are described in RFC 3244.

4. Since the secret keys for all users are stored on the central server, a compromise of that server will compromise all users' secret keys.

5. A compromised client will compromise the user's password.

Can you please check if the clock time of your ACE module is properly in sync with the Kerberos Authentication Server.

Kerberos requires that the time between the client and server be within about five minutes. Other authentication devices could also fail when the times are off. It also makes troubleshooting more difficult because the log times are off by an hour.

New U.S. Daylight Savings Times rules go into effect in March 2007. Consequently, customers whose network components rely on the default U.S. summertime clock settings within CSS and GSS software will be affected by the following problem.

For operating systems that have not been updated with the new U.S. DST policy changes, timestamps will exhibit a one hour time clock offset lasting three weeks beginning at 2 A.M. on the second Sunday in March of 2007. They will also exhibit a one hour time clock offset lasting one week beginning at 2 A.M. on the first Sunday in November.

For the CSS 11100 series (EOL):

You can use the clock summer-time command to manually set the correct time via the CLI.

Here is an example:

CSS500-1# clock summer-time PST recurring

CSS500-1# show clock

Date: 01-05-2007

Time: 11:17:35

TimeZone: : +00:+00:+00

[PST begins 04/01/2007 02:00:00]

Summer Time: PST

Change: 60 minutes

Added: First Sunday in April 02:00

Removed: Last Sunday in October 02:00

Similarly you can set the time on ACE module also.

Use the clear kerberos server command to clear a specified key distribution center (KDC) entry on your switch. Hope it will resolve your problem.

Cheers!!

Sachin Garg

Hi Sachin,

Thanks for your information, but the LB works transparent to the web servers, and so I see no Kerberos errors in the web servers event log about time problems.

You're right, if the LB would be a Host system and use Kerberos authentication.

The CSS and the ACE has both different times as the KDC server, and on CSS the connection works.

Now I set the clock on ACE to the same time as the KDC, same problem.

King regards

Gerhard

I am facing the same problem, how was the problem solved?

Regards,

Hesham

Review Cisco Networking for a $25 gift card