How do I configure IWA Direct in a load balancing/failover scenario?

Solution

Overview

In a standard IWA Direct Kerberos deployment, the Kerberos service principal name (SPN) of the appliance is the appliance’s own Active Directory machine account name. In a load balancing configuration, however, any of the ProxySGs behind the load balancer may receive a client's service ticket, so every appliance in the group must be able to decrypt it. For this reason, all ProxySGs in a load balancing group must share the same SPN. This will not work if each appliance uses its own machine account to process Kerberos authentication requests. In this case, you must create a new Active Directory account and use it to create an SPN that is shared by all appliances in the group.

Resolution
To deploy Kerberos in this configuration you must:
 
  1. Set up a load balancing device in front of your appliances and designate a virtual IP address to use for all explicit proxy requests. The load balancing device will then forward the requests to the ProxySGs in the group based on the load balancing rules you have defined.
  2. Create a DNS entry for the device that resolves to this IP address. Note that the DNS name that you use must not map to an existing machine account name in Active Directory or the ProxySG appliance will not be able to authenticate Kerberos service tickets and authentication will fail.
  3. Create an Active Directory account for the Kerberos load balancing user. This account does not need any special privileges. You will create the SPN using this account and the ProxySG appliances will use the account credentials to decrypt the service tickets from clients.
  4. Use the Active Directory account you just created to create an SPN for the load balancing group as follows:
    1. Open a command prompt as administrator on the Domain Controller.
    2. Enter the following command:

      setspn -A HTTP/<Load_Balancer_FQDN> <AD_Account_Name>

      where <Load_Balancer_FQDN> is the fully qualified domain name (FQDN) of the load balancing device and <AD_Account_Name> is the name of the Active Directory user you created for the load balancing group. Note that this command is case-sensitive.

      For example, if the FQDN of the load balancing device is lb.acme.com and the Active Directory account name you created is KerberosLBUser, you would enter the following command:

      setspn -A HTTP/lb.acme.com KerberosLBUser

      Do not assign the same SPN to multiple Active Directory accounts or the browser will fall back to NTLM without providing any warning or explanation. To list all SPNs that are currently registered on an account, use the setspn -L <AD_Account_Name> command. If you find a duplicate, remove the extraneous SPN using the setspn -D <SPN> command.
       
  5. On each ProxySG, create an IWA Direct realm (see 000010216 for details). When configuring the realm on each appliance, you must provide the credentials for the AD Kerberos load balancing user you created. On the IWA Servers tab, click Set credentials, enter the AD account User name and Password, and then click OK.

  6. Configure the client browser explicit proxy settings to point to the FQDN of the load balancing device.
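The SPN registration in step 4 is the point where a mistake (a duplicate SPN) causes a silent fallback to NTLM, so it is worth scripting the check. The following PowerShell is an added example, not part of this article or of the ProxySG product; it assumes setspn.exe is available in an elevated prompt on a domain controller (the -Q and -L switches are those of setspn on Windows Server 2008 and later) and uses the hypothetical names lb.acme.com and KerberosLBUser from the text.

```powershell
function Register-SharedSpn {
    param(
        [Parameter(Mandatory)] [string] $Spn,      # e.g. HTTP/lb.acme.com
        [Parameter(Mandatory)] [string] $Account   # e.g. KerberosLBUser
    )

    # Step 1: refuse to register if the SPN already exists anywhere in the forest.
    # A duplicate SPN makes browsers fall back to NTLM with no warning, so this
    # pre-check is the important part. setspn -Q prints "Existing SPN found!"
    # when the SPN is held by any account and "No such SPN found." otherwise.
    $query = & setspn.exe -Q $Spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "$Spn is already registered:`n$($query -join "`n")"
        Write-Warning "Remove the stray entry first (setspn -D $Spn <account holding it>)"
        return $false
    }

    # Step 2: register the SPN on the shared load-balancing account.
    # The SPN string is case-sensitive, exactly as typed here.
    & setspn.exe -A $Spn $Account | Out-Null

    # Step 3: read the account's SPN list back and confirm the entry is present.
    $listed = & setspn.exe -L $Account 2>&1
    if (-not ($listed -match [regex]::Escape($Spn))) {
        Write-Error "$Spn was not found on $Account after registration"
        return $false
    }

    Write-Host "$Spn is registered on $Account and on no other account"
    return $true
}

# Example call with the article's hypothetical names.
Register-SharedSpn -Spn 'HTTP/lb.acme.com' -Account 'KerberosLBUser'
```

Re-run the function after any change to the load balancer's DNS name: a stale SPN left on the old name is exactly the duplicate the article warns about.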

NOTE:

In some cases you may want to point the browser directly at a ProxySG appliance IP address instead of the load balancer. If you set the browser's proxy IP to the real ProxySG IP in the configuration above, the appliance returns the exception below, because the realm expects requests to arrive through the load balancer (lb.acme.com):

Appliance Error(Configuration_error)
Your request could not be processed because of a configuration error:
"Either the realm has been
configured to use the wrong Kerberos service principal, or the SG has the wrong password for the principal."

For assistance, contact your network support team.

To avoid this error, configure the following:

1. Create a second DNS entry for the ProxySG interface IP that clients will use for direct Internet access.
   You will then have two DNS entries for proxy access on the DNS server, for example:
   a. load balancer        : lb.acme.com
   b. ProxySG interface IP : direct.acme.com

2. Add an IWA Direct realm for the real ProxySG interface IP.
   [Note] For this realm you do not need to enter anything under "Set credentials"; as in a standard deployment, the appliance's own machine account is used.

3. Add a new HTTP proxy service port on the real ProxySG interface IP for Internet access.
   This step is required: without a dedicated port, direct access via the ProxySG interface IP produces the exception above.
   Set this new port as the proxy port in your browser whenever you want direct access via the ProxySG IP, bypassing the load balancer.

   For example:
   Add a new HTTP proxy port 8888 on the real ProxySG interface IP for Internet access.
   Then set your browser's proxy to the real ProxySG interface IP and port 8888.
   After this, the browser reaches the Internet through the ProxySG on port 8888 without the error.

   Port 8888 is only an example; any port that is not already in use can be added instead.

4. Add a rule for the real ProxySG interface IP to the Web Authentication Layer.
   You probably already have a rule for load-balancer access; add the new rule before that existing rule.
   a. Click Add rule in the Web Authentication Layer.
   b. Right-click the "Source" column and select "Set".
   c. Click New and select "Proxy IP Address/Port...", then enter:
      IP Address : SGIP (192.168.1.100)
      Port       : 8888

[Image: Web Authentication Layer rule with Source set to Proxy IP Address/Port 192.168.1.100:8888]


InQuira Doc Id: KB4808