2 Replies Latest reply on Oct 28, 2007 2:42 PM by Chet Birger

    Active Directory Authentication:  using one keytab w/multiple app servers

      Is it possible to use the same keytab for ADK authentication with multiple app servers?


      I'm configuring an environment with multiple app servers. Because they are sitting behind an F5 Big IP load balancer, it would save a lot of headaches if there was one keytab.


      In the documentation, you must specify an "instance", which corresponds to the application server. Does it make a difference if the "instance" is set to something else, such as the VIP of the app server?


      Here's how ktpass is set in the docs:


      ktpass -out blappsvc.keytab
      -princ blappsvc/ +rndPass -minPass 33
      -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5

        • 1. Re: Active Directory Authentication:  using one keytab w/multiple app servers
          Bill Robinson

          I think it will work; at least I've done this accidentally at a customer (new appserver w/ the old keytab while the old appserver was running). The instance name doesn't seem to matter - it doesn't seem to have to match the hostname.

          • 2. Re: Active Directory Authentication:  using one keytab w/multiple app servers

            Using the same bladelogic.keytab file for multiple appservers is allowed, and as you indicated, is necessary if your clients are operating behind a load balancer and are directed to any one of multiple appservers. The keytab file contains the decryption key the appserver requires to decode and authenticate the Kerberos service ticket presented to it by the client. The service ticket is generated by the domain controller, which has no control over which of multiple appservers the client will get directed to.


            The instance name can be anything (it is just convention to have it be the domain name of the targeted server). Feel free to specify the virtual IP. Note that it just gets interpreted as a string that is used to index entries in the keytab file.
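The keytab lookup the reply describes, as an added example that is not part of the original thread and not BladeLogic's own code: a minimal writer and reader for the MIT keytab file format (version 0x0502, the format ktpass emits), plus the exact-string principal match a service performs when a ticket arrives. The principal, realm and key bytes are constructed for illustration; the enctype number 3 is DES-CBC-MD5, which is what the 2007 docs request. Two "app servers" loading the same bytes recover the same key, and a ticket for a different instance string finds nothing, which is why the instance in the keytab has to match the SPN clients ask for (the VIP name behind a load balancer), not the physical hostname of whichever server answers.

```python
"""Minimal MIT-format keytab writer/reader (added example, not BladeLogic code).
Shows that the SPN instance is just a string component that indexes keytab entries."""
import struct
import time

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab file format 0x0502 (what ktpass writes)
ENCTYPE_DES_CBC_MD5 = 3        # enctype named in the 2007 ktpass example
KRB5_NT_PRINCIPAL = 1          # ktpass -ptype KRB5_NT_PRINCIPAL


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix, as used for realm and name components."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes).
    principal is 'service/instance@REALM'; each '/' component is stored separately."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)            # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body  # signed size prefix per entry
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of entry dicts; a negative size marks a deleted slot and is skipped."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        key = data[p:p + klen]; p += klen
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "instance": comps[1] if len(comps) > 1 else None,
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key": key})
        pos = end
    return entries


def find_key(entries, principal, enctype):
    """Service-side lookup: exact string match on the principal in the ticket."""
    for e in entries:
        if e["principal"] == principal and e["enctype"] == enctype:
            return e["key"]
    return None


# Constructed sample: one SPN whose instance is the load balancer's VIP name.
VIP_SPN = "blappsvc/vip.example.com@EXAMPLE.COM"
SAMPLE_KEY = bytes(range(8))  # placeholder 8-byte DES key, not a real secret
SAMPLE_KEYTAB = build_keytab([(VIP_SPN, 3, ENCTYPE_DES_CBC_MD5, SAMPLE_KEY)])


def demo():
    """Two app servers load identical keytab bytes; both resolve the VIP SPN,
    neither resolves a ticket issued for a per-host instance."""
    server1, server2 = parse_keytab(SAMPLE_KEYTAB), parse_keytab(SAMPLE_KEYTAB)
    return {
        "server1_key": find_key(server1, VIP_SPN, ENCTYPE_DES_CBC_MD5),
        "server2_key": find_key(server2, VIP_SPN, ENCTYPE_DES_CBC_MD5),
        "per_host_lookup": find_key(server1, "blappsvc/appsvr1.example.com@EXAMPLE.COM",
                                    ENCTYPE_DES_CBC_MD5),
        "instance": server1[0]["instance"],
    }


if __name__ == "__main__":
    print(demo())
```

The practical check on a real deployment is the same lookup done by the tooling: `klist -k` on each app server should list the identical principal and kvno, and a ticket requested for the VIP name will only be accepted if that exact principal string is in the keytab. Note that DES-CBC-MD5 is the enctype the 2007 documentation specifies; current Windows and MIT Kerberos releases disable DES by default, so a new deployment would request an AES enctype from ktpass instead.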