Hello

The solution to the problem was quite simple. The principal name I had in the keytab file was the virtual name of the webservice used by the loadbalancer. This was wrong. I had to choose the name used in the URL, which is a DNS alias to the VIP.

Cheers,
Pedro

> -----Original Message-----
> From: lvs-users-boun...@linuxvirtualserver.org [mailto:lvs-users-boun...@linuxvirtualserver.org] On behalf of Huesser Peter
> Sent: Friday, 5 February 2010 18:26
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] SSO (single sign on) problem with loadbalancer
>
> The funny thing is that no packages are sent to the Kerberos server if I
> contact the VIP. Contacting the real server immediately initiates some
> communication with the Kerberos server. I already thought it could be a
> problem with the loopback interface for the VIP one has to configure on
> the real servers to make direct routing work. But maybe I am
> completely wrong. I already checked the Kerberos configuration and the
> keytab files. For me they look fine.
>
> Do you mean it should in principle work, so SSO and loadbalancing do
> not bite each other?
>
> Pedro
>
> > From: lvs-users-boun...@linuxvirtualserver.org [mailto:lvs-users-boun...@linuxvirtualserver.org] On behalf of Graeme Fowler
> > Sent: Friday, 5 February 2010 13:00
> > To: LinuxVirtualServer.org users mailing list.
> > Subject: Re: [lvs-users] SSO (single sign on) problem with loadbalancer
> >
> > On Fri, 2010-02-05 at 10:23 +0100, Huesser Peter wrote:
> > > None of this works. Connecting directly to the host, SSO works fine if I
> > > use the first or third keytab file, but connecting via loadbalancer does
> > > not work. So I have two questions:
> > >
> > > - Does somebody have a similar situation which works?
> > > - If yes: any ideas what could be wrong in my settings?
> >
> > It sounds like the load-balanced service isn't aware that it has a
> > "virtual" hostname. If the tickets with the server hostnames work, but
> > the one with the virtual hostname as the SPN doesn't, then the
> > application or server(s) aren't aware of the virtual SPN.
> >
> > This is almost certainly a kerberos mapping problem, rather than an LVS
> > one.
> >
> > Graeme
> >
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-us...@linuxvirtualserver.org
> > Send requests to lvs-users-requ...@linuxvirtualserver.org
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
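
Added example, not part of the original thread: a check that the keytab on a real server holds a principal for the host name users put in the URL, which is the mismatch the thread resolves. The service class `HTTP`, the host names, the realm and the `klist -k` sample text are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed `klist -k -e` style output; every name below is a placeholder.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/lb-vip.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""


def keytab_principals(klist_output):
    """Extract principal names from `klist -k` output (with or without -t/-e)."""
    found = set()
    for line in klist_output.splitlines():
        parts = line.split()
        # Entry lines start with the numeric KVNO; header lines do not.
        if len(parts) >= 2 and parts[0].isdigit():
            principal = next((p for p in parts[1:] if "@" in p), None)
            if principal:
                found.add(principal)
    return found


def expected_spn(url, realm, service="HTTP"):
    """SPN for the host part of the URL users type (service class HTTP is assumed)."""
    host = urlsplit(url).hostname  # lower-cased, port and path removed
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"{service}/{host}@{realm}"


def check_keytab(url, realm, klist_output):
    """Report whether the keytab holds a key for the name used in the URL."""
    spn = expected_spn(url, realm)
    principals = keytab_principals(klist_output)
    return {
        "expected": spn,
        "present": spn in principals,
        "in_keytab": sorted(principals),
    }


if __name__ == "__main__":
    print(check_keytab("https://intranet.example.com/app", "EXAMPLE.COM", SAMPLE_KLIST))
```

Run it against the real output of `klist -k` for the keytab on each real server; a result with `present` set to false reproduces the situation where the keytab names the load balancer's virtual name but not the DNS alias in the URL.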