CSS and MS Active Directory
06-01-2004 09:48 AM
Does anyone have real life config examples that enable active directory authentication across a CSS?
Labels: Application Networking
06-02-2004 07:32 AM
The obvious follow-on question, since nobody has answered the first:
Is this even possible? Will the CSS allow MS AD authentication? If so, can anyone give me an example config?
06-02-2004 01:03 PM
I would think that it can be LB at layer 4 like any other TCP/UDP transaction. Try creating a content rule for it and adding the services to it.
06-02-2004 01:12 PM
Do you mean something like this?
It doesn't work.
!*************************** GLOBAL
ip route 0.0.0.0 0.0.0.0 10.0.1.1 1
!************************** CIRCUIT
circuit VLAN1
ip address 10.0.1.65 255.255.255.0
!************************** SERVICE
service app1
ip address 10.0.1.67
active
service authentication
ip address 10.0.2.31
active
!*************************** OWNER
owner one
content app
add service app1
add service authentication
active
06-03-2004 12:07 AM
Hi Ben,
Well, in your content the virtual which is addressed is missing. Basically, there are in my opinion several issues which have to be thought about. MS AD is, as far as I know, LDAP-based with some specials done by MS. The thing which has to be checked is whether NAT is a problem, as the IP address which the client uses (the VIP) will be natted on the real address of the server. Another issue is the fact that the return flow has to pass the CSS when coming from the server heading towards the server. Additionally, stickiness might kick in too.
Hope that helped...
Kind regards,
Joerg
06-03-2004 09:07 AM
The VIP address (natting) will break AD. That is why I avoided using a VIP address.
There doesn't seem to be anything in Cisco's documentation/white papers addressing this yet. If someone has figured this out, I would be grateful for their help.
06-11-2004 05:29 AM
The obvious solution here (not sure why I missed it) was to create a one arm configuration.
