HTTP connection problems with Kerberos authentication using Cisco ACE
07-02-2012 07:43 AM
Does anyone know how this problem can be solved?
https://supportforums.cisco.com/thread/133381
Regards,
Hesham
Labels: Application Networking
07-16-2012 05:47 PM
Hesham,
Easy fix
Create an HTTP parameter map, and assign it to the class in the service-policy.
    parameter-map type http HTTP
      case-insensitive
      persistence-rebalance
      set header-maxparse-length 65535
      set content-maxparse-length 65535
      length-exceed continue

    policy-map multi SLB
      class VIP
        poli ..
        load ..
        blah blah
        appl-parameter http advanced-options HTTP
Basically, this is what happens:
The Kerberos ticket is too big to fit in the HTTP header. That is, it's too big for ACE, which caps the header size at 4K by default.
Try before you buy test:
Create a user within Active Directory, and only assign it to the bare minimum of security groups.
Then try accessing the website, before applying the configuration.
Cheers mate,
Søren Elleby Sørensen
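
Added example, not part of the original reply: a small check that sizes the header block of a captured HTTP request, including the `Authorization: Negotiate` token, against the 4K default and the 65535 value from the parameter map above. It assumes the limit is compared with the request line plus all header lines; the host name, path and token sizes are constructed, and filler bytes stand in for a real Kerberos ticket.

```python
import base64

ACE_DEFAULT_MAXPARSE = 4096    # the "4K" default cited in the reply
ACE_RAISED_MAXPARSE = 65535    # header-maxparse-length from the parameter map


def header_report(raw_request: bytes, limit: int = ACE_DEFAULT_MAXPARSE) -> dict:
    """Size the header block of one raw HTTP request against a parse limit.

    Assumption: the limit is compared with the request line plus all header
    lines, including the terminating blank line.
    """
    head, sep, _body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker; request is truncated")
    total = len(head) + len(sep)
    token_bytes = 0
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() == b"negotiate":
            # Decoded size of the SPNEGO blob that carries the Kerberos ticket
            token_bytes = len(base64.b64decode(token.strip(), validate=True))
    return {
        "header_bytes": total,
        "negotiate_token_bytes": token_bytes,
        "limit": limit,
        "exceeds_limit": total > limit,
    }


def constructed_request(token_len: int) -> bytes:
    """Constructed sample: filler bytes stand in for a real ticket."""
    token = base64.b64encode(bytes(token_len))
    return (b"GET /app/ HTTP/1.1\r\n"
            b"Host: intranet.example.test\r\n"
            b"Authorization: Negotiate " + token + b"\r\n\r\n")


if __name__ == "__main__":
    for label, size in (("few groups", 1800), ("many groups", 6000)):
        for limit in (ACE_DEFAULT_MAXPARSE, ACE_RAISED_MAXPARSE):
            print(label, header_report(constructed_request(size), limit))
```

Run against a request captured in front of the VIP, this shows whether a failing user's headers are over the limit and a minimal-group test user's are under it, which is the comparison the test above relies on.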
