If a single Kerberos realm is used so that some users authenticate with the ProxySG appliance host name and others with the load balancer host name, authentication fails for the users using the appliance host name with the following error message:
Either the realm has been configured to use the wrong Kerberos service principal, or the SG has the wrong password for the principal.
In other words, this scenario happens if some clients are using a load balancer, and other clients are directly accessing the appliance behind the load balancer.
This is an unsupported configuration. In this configuration, the appliance can't decrypt Kerberos tokens using both its machine account (for the appliance host name scenario) and the Kerberos load balancer account configured in the appliance authentication realm (for the load balancer host name scenario) at the same time. The solution is to use two separate Kerberos authentication realms in these circumstances: one for the appliance host name and another for the load balancer.
Imported Document ID: 000022898