Re: Hardware Load Balance of Kerberos



I haven't tried it, but I see lots of potential for failure unless the load-balancing hardware has great state management for clients' UDP packets, as Kerberos is primarily UDP.

As for the crap apps, I have done support in the Fortune 5 company realm and have seen my share of them. In every case we pushed back on the application owners to get their apps corrected by the vendor or otherwise handle the problem themselves. It is silly to try and invent solutions when the one that is already there works well. Also, a couple of years ago I ran into considerable issues with Cisco redirection hardware and large Kerberos UDP packets; there were several updates that they needed in order to handle things properly, as they had a tendency to throw packets away.

Are any of your Kerberized LDAP apps working through those load balancers, or are they walking around them? I would expect to see that you have far more network traffic than necessary if you are going through them, assuming the hardware is handing off to different devices for the same clients. Most of that traffic would be TCP based, so the devices could hopefully better handle the state that needs to be maintained.

As for the Kerberized devices, I highly recommend looking at the products from Vintela and Centrify, as they took most of the headaches out of Kerberizing non-Windows devices. Their stuff works remarkably well and gives you the same or very similar management as you have for Windows devices, as well as the transparency that Windows enjoys in the Kerberos world.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

============================================================================
Do not read this worthless blog entry on
Defending Security Infrastructures http://blog.joeware.net/2006/07/11/445/
I'm serious, you will learn absolutely nothing about
Defending Security Infrastructures.
============================================================================

Geoff wrote:
Joe,

In MOST cases you are correct... BUT... in some cases you are not. In the case of LDAP, take a poorly written app that requires an IP address entered for the LDAP host, or in the Kerberos case, a device that depends on a krb5.conf file. Now, I know that I could add additional kdc entries to the krb5.conf file, but I don't care to manage that on a large number of devices. So, do you have any information that would address this scenario, or a constructive reply to my original question?

Thanks!!

Geoff
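As an added illustration of the krb5.conf scenario Geoff describes and the large-UDP-packet problem Joe raises (this is not configuration from either poster; realm, domain and host names are placeholders), here is a realm stanza that lists several KDCs, turns on DNS SRV discovery, and forces TCP from the first request:

```ini
# Added example; not from either poster. EXAMPLE.COM, example.com and dcN.example.com
# are placeholders for your own realm, DNS domain and domain controllers.
#
# The form Geoff describes pins a device to one KDC, e.g.
#     EXAMPLE.COM = { kdc = 10.0.0.1 }
# which is a single point of failure and is what tempts people to put a
# load-balancer VIP in front of it.

[libdefaults]
    default_realm = EXAMPLE.COM
    # Discover KDCs from the _kerberos._tcp.<domain> / _kerberos._udp.<domain>
    # SRV records that Active Directory already publishes; this is the
    # built-in "load balancing and redirection" Joe refers to.
    dns_lookup_kdc = true
    # Use TCP for any request larger than 1 byte, i.e. always. This avoids the
    # large Kerberos UDP packets that Joe saw redirection hardware drop, and
    # gives a stateful device a TCP flow to track instead of UDP datagrams.
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        # Explicit fallbacks in case DNS lookup fails; the client tries them in order.
        kdc = dc1.example.com
        kdc = dc2.example.com
        kdc = dc3.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With dns_lookup_kdc enabled the explicit kdc lines can be left out entirely, which is what makes the file identical across a large number of devices; the SRV records, not the file, carry the list of domain controllers.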



Joe Richards [MVP] wrote:
You shouldn't have to for LDAP or Kerberos; there is load balancing and redirection built into the product.



Geoff wrote:
Hello everyone

Has anyone here used a hardware load balancer device such as Cisco Arrowpoint to load balance AD Kerberos? We currently do it for AD DNS and AD LDAP, and I'm investigating doing it for Kerberos as well.

Thanks,

Geoff