Web servers Load Balancing and Integrated Windows Authentication
08-12-2003 07:04 AM
Web servers providing authenticating pages are load-balanced by a CSS. A VIP is representing the server farm. When a client wants to access an authenticated page, the client communicates with the Kerberos server (in the AD server) to get a ticket for the service. Because the CSS is not registered in the Active Directory like a web server would, no ticket can be delivered to the client and the authentication fails.
Does someone have a similar environment? What must be done (probably not a CSS issue in fact) to make this work?
Thank you for any hints
Yves Haemmerli
Labels: Application Networking
08-13-2003 05:18 AM
You could do stickiness through HTTP redirection on the CSS.
So, the CSS will actually redirect the connection to the VIP to a real server.
The browser will close the connection to the VIP and open a new one directly to the real server.
Then your Kerberos issue is solved.
However, it requires your real servers to be directly accessible, and also you would potentially have a problem if users bookmark connections directly to real servers.
That's the only solution I can think of.
Gilles.
08-13-2003 06:37 AM
Hi Gilles,
Thank you very much for your answer. Actually, I think the problem is a little bit different. The Kerberos server is not delivering a "grant" ticket to the client for the service provided by the VIP, because the CSS didn't register to the Active Directory, as a normal W2K web server would. The first thing the client does when he wants to access a web server behind the CSS is to ask the Kerberos server for a "granting" ticket for that service. So the problem arises before the client sends any packet to the CSS (therefore I think it is more a Microsoft problem rather than a CSS problem).
But for sure, other people have this environment I suppose...
What is your opinion on this?
Yves
08-18-2003 01:02 AM
I could not find a single person in Cisco who tested this.
But one person suggested doing L2 load balancing (not IP NAT) and having a loopback configured on the real server that is the same as the VIP IP address, and finally, the servers will register this loopback address with the KDC.
Not sure if it will work but that's the only solution we could think of.
Gilles.
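Whichever load-balancing scheme is used, the ticket the client asks the KDC for is named after the host the client connects to, so that name must be registered as an HTTP service principal on an account the farm servers actually run under. The following PowerShell check is an added example, not part of the thread or of any Cisco or Microsoft documentation; it assumes the ActiveDirectory module is installed and uses the hypothetical VIP name `webfarm` in the hypothetical domain `corp.example`.

```powershell
# Added example: report which AD accounts hold the HTTP service principal
# names for the load-balanced VIP hostname, so that a missing or duplicated
# registration (either of which stops the KDC from issuing a usable ticket)
# is visible before clients start failing to authenticate.
param(
    [string]$VipHost = "webfarm",        # hypothetical short name of the VIP
    [string]$Domain  = "corp.example"    # hypothetical DNS domain
)
Import-Module ActiveDirectory

# Browsers may use either the short or the fully qualified name, and the
# KDC looks up exactly the name it is given, so check both forms.
$spns = @("HTTP/$VipHost", "HTTP/$VipHost.$Domain")

foreach ($spn in $spns) {
    # Search computer and user objects alike: IIS application pools can run
    # as the machine account or as a dedicated domain service account.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                              -Properties servicePrincipalName |
                 Select-Object -ExpandProperty DistinguishedName)

    switch ($holders.Count) {
        0 { Write-Output "$spn : not registered - the KDC cannot issue a ticket for this name" }
        1 { Write-Output "$spn : registered to $($holders[0])" }
        default {
            # Two accounts claiming one SPN is a misconfiguration: clients get a
            # ticket the serving host may be unable to decrypt.
            Write-Output "$spn : DUPLICATE, held by $($holders.Count) accounts:"
            $holders | ForEach-Object { Write-Output "    $_" }
        }
    }
}
```

The same lookup can be done interactively with `setspn -Q HTTP/webfarm.corp.example`; for a farm, every real server's application pool should run under the one account that holds the VIP's SPN.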
