On Fri, Aug 21, 2020 at 08:04:24PM -0400, Rita wrote:
> hi
>
> The webserver has DNS aliases but not multiple IPs. On a client level is it

(temporarily) forcing the name to resolve to just a single IP, e.g., via
/etc/hosts, would be one possible diagnostic measure.

> possible to disable the reverse lookup? I am not sure if it's backed up by a

See the 'rdns' keyword at
http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#libdefaults

> pool of servers -- is there a way to find out from a client?

In general, no; one can make inferences from careful inspection of response
headers, request/response timing for exchanges that require server-side
state, and the like, but it may require some expertise to interpret the
results.

-Ben

> On Fri, Aug 21, 2020 at 7:30 PM Benjamin Kaduk <ka...@mit.edu> wrote:
>
> > On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote:
> > > I created a user keytab. I use curl to authenticate against a web server.
> > > `curl -u : --negotiate` it works randomly (about 33% accuracy). I am
> > > trying to figure out if it's a webserver issue or kerberos issue. Is there
> > > anything else I can do?
> >
> > There's (at least) a couple things that can come into play for this sort of
> > scenario (not least because HTTP Negotiate violates some fundamental
> > assumptions about message- vs. connection-oriented):
> >
> > Does the web server's hostname have multiple IP addresses in the DNS? (Is
> > reverse DNS used for principal canonicalization by the krb5 library? The
> > default is "yes" in many versions.)
> >
> > Does the web server have a pool of backend servers behind a load balancer?
> >
> > -Ben
> >
>
> --
> --- Get your facts first, then you can distort them as you please.--
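
The DNS questions raised in this thread can be checked from the client with a short script. The following is an added example, not part of the original messages: it lists the HTTP service principal names a client could end up requesting with and without reverse-DNS canonicalization. The function names, the sample hostnames and addresses, and the simplified model of the library's name selection are assumptions made for illustration.

```python
import socket

def forward(host):
    """System resolver: (canonical name, sorted addresses) for host."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM,
                               flags=socket.AI_CANONNAME)
    return infos[0][3] or host, sorted({i[4][0] for i in infos})

def reverse(addr):
    """System resolver: PTR name for addr, or None when there is none."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def candidate_spns(host, service="HTTP", fwd=forward, rev=reverse):
    """Service principals a client could request, with and without rdns.

    Simplified model (assumption): rdns=false uses the forward-canonical
    name; rdns=true uses the PTR name of whichever address the resolver
    returns first, so every address contributes one possibility.
    """
    norm = lambda name: name.rstrip(".").lower()
    canon, addrs = fwd(host)
    with_rdns = {f"{service}/{norm(rev(a) or canon)}" for a in addrs}
    return {"rdns=false": {f"{service}/{norm(canon)}"}, "rdns=true": with_rdns}

def is_stable(spns):
    """True when every setting yields exactly one principal name."""
    return all(len(names) == 1 for names in spns.values())

# Constructed sample data (documentation names and addresses, not real hosts).
SAMPLE_FWD = {"www.example.test": ("web.example.test",
                                   ["192.0.2.10", "192.0.2.11"])}
SAMPLE_PTR = {"192.0.2.10": "web.example.test",
              "192.0.2.11": "Node2.example.test."}

def sample_report():
    """Run the check against the constructed data instead of live DNS."""
    return candidate_spns("www.example.test",
                          fwd=SAMPLE_FWD.__getitem__, rev=SAMPLE_PTR.get)

if __name__ == "__main__":
    report = sample_report()
    for setting, names in report.items():
        print(setting, sorted(names))
    print("stable:", is_stable(report))
```

Calling `candidate_spns()` with only a hostname uses the system resolver; more than one name under a setting means the requested principal can change between attempts, which would match a success rate well below 100%.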