High availability for Kerberos authentication

Document ID : KB000047067
Last Modified Date : 14/02/2018

Follow the steps below to configure Kerberos for a highly available policy server pair (ps1.mysite.com and ps2.mysite.com).
1. Create a service account in the KDC for the policy server.
2. Run ktpass for ps1.mysite.com (NOTE: the FQDN must be resolvable in DNS, forward and reverse).

C:\scripts>ktpass -out policyserver-smps.keytab -princ smps/ps1.mysite.com@MYSITE.COM -ptype KRB5_NT_PRINCIPAL -mapuser ps-smps@MYSITE.COM -pass firewall -mapOp set -crypto all

3. Copy/move the keytab file policyserver-smps.keytab to its proper location on the policy server: /etc (Linux) or C:\Windows (Windows).
4. Configure the Kerberos authentication scheme for ps1 (NOTE: a relative target is used).

[Figure: kerberos-authscheme.jpg, Kerberos authentication scheme configuration]

5. Update the Kerberos configuration file (krb5.ini or krb5.conf) on policy server PS1: either point it to the new keytab file, or write the policy server key entries into the existing keytab file using ktutil.
6. Copy the same keytab file to the second policy server (ps2.mysite.com).
7. Update the Kerberos configuration file (krb5.ini or krb5.conf) on policy server PS2 to match the PS1 file.
8. The Host Configuration Object should point to both policy servers.

Both policy server machines use the same keytab file. The service principal name does not need to resolve to every policy server; the service name should be that of one policy server in the configured group.

On the web server side, use a relative URI. As long as each policy server is defined in the Host Configuration Object, failover works the same way as it does for forms authentication, whether Kerberos or any other authentication scheme is used. If a load balancer is used to access the website, the FQDN of the load balancer should be used as the service principal name in the keytab files.

Clarification:
ALL policy servers should use the same keytab file/entry.
WEBSERVER: httpserviceprincipal='HTTP/webloadbalance.mysite.com@MYSITE.COM'
Policy Server: smpsserviceprincipal='smps@ps1.mysite.com'
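The check a practitioner wants after step 6 and the clarification above is that both policy servers really do carry the same keytab entry for the smps service principal. The most common way this drifts is a repeated ktpass run: ktpass with -pass resets the service account's password and bumps the key version number (kvno), so any copy of the older keytab left on the second server no longer matches. The script below is an added example, not part of this KB article or of the SiteMinder product: it parses the MIT/Windows keytab format (version 0x0502, which is what ktpass and ktutil write), then compares the entries for one SPN across a set of servers. The keytab bytes, host names, key material and kvno values are constructed in the script for illustration; in practice you would read the two files copied from ps1 and ps2.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 2 (written by ktpass and ktutil)
KRB5_NT_PRINCIPAL = 1       # the -ptype used in the ktpass command above

# Enctype numbers as stored in the keytab (RFC 3962 AES types, RFC 4757 RC4)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass(frozen=True)
class KeytabEntry:
    principal: str  # e.g. smps/ps1.mysite.com@MYSITE.COM
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab into its entries (deleted slots are skipped)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    entries: List[KeytabEntry] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4])
        off += 4
        if size <= 0:  # a negative size marks a deleted entry occupying abs(size) bytes
            off += -size
            continue
        body, off = data[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack(">H", body[p:p + 2]); p += 2
        realm, p = _counted(body, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(body, p)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack(">IIB", body[p:p + 9]); p += 9
        (enctype,) = struct.unpack(">H", body[p:p + 2]); p += 2
        key, p = _counted(body, p)
        kvno = vno8
        if len(body) - p >= 4:  # optional 32-bit kvno; overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack(">I", body[p:p + 4])
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same layout. Used here only to construct sample keytabs."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", e.name_type, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_ha_keytabs(keytabs: Dict[str, bytes], spn: str) -> List[str]:
    """Return problems found; an empty list means every host has the same key set for spn."""
    problems: List[str] = []
    per_host: Dict[str, set] = {}
    for host, data in keytabs.items():
        keys = {(e.kvno, e.enctype, e.key) for e in parse_keytab(data) if e.principal == spn}
        if not keys:
            problems.append(f"{host}: no entry for {spn}")
        per_host[host] = keys
    reference = None
    for host, keys in per_host.items():
        if not keys:
            continue
        if reference is None:
            reference = (host, keys)
        elif keys != reference[1]:
            mine = sorted({k for k, _, _ in keys}); ref = sorted({k for k, _, _ in reference[1]})
            problems.append(f"{host}: keys for {spn} differ from {reference[0]} (kvno {mine} vs {ref})")
    return problems


# Constructed sample data: the current keytab from ps1 and a stale copy left on ps2
SPN = "smps/ps1.mysite.com@MYSITE.COM"
PS1_KEYTAB = build_keytab([KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 3, 18, bytes(range(32)))])
STALE_KEYTAB = build_keytab([KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 2, 18, bytes(range(32, 64)))])

if __name__ == "__main__":
    for host, data in {"ps1.mysite.com": PS1_KEYTAB, "ps2.mysite.com": STALE_KEYTAB}.items():
        for e in parse_keytab(data):
            print(f"{host}: {e.principal} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print(check_ha_keytabs({"ps1.mysite.com": PS1_KEYTAB, "ps2.mysite.com": STALE_KEYTAB}, SPN))
```

When the two servers hold identical copies the check returns an empty list; the stale copy is reported with its kvno next to the reference host's, which is the symptom to look for when Kerberos authentication works against one policy server and fails after failover to the other.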