Netgate Discussion Forum

    Load Balancing and Kerberos

      boujid

      Hello

      We are using pfSense as a load balancer for 2 web proxies.
      pfSense WAN 192.168.2.1, pfSense LAN 192.168.1.1
      The virtual IP for the load balancer is 192.168.2.2 = proxy.domain.com; the pool contains 192.168.1.11/12
      NAT is configured 192.168.1.11/12 <-> 192.168.2.11/12
      proxy1.domain.com = 192.168.2.11
      proxy2.domain.com = 192.168.2.12

      End users use "proxy.domain.com" as the proxy in their web browsers.
      All is working well.

      Our goal: use proxy authentication
      ------------------------------------------
      --> users who open a session with their domain accounts must have transparent Internet access without the need to authenticate

      Our problem

      Once authentication is enabled (we joined our web proxies to our Active Directory), Windows users still work well, but Linux users have the problem (the authentication window appears even if their sessions are domain sessions).
      Our Linux computers are also domain members; we are using Centrify Express.

      The problem is that Windows computers are using NTLM/Kerberos authentication, while Linux computers are using only Kerberos authentication.

      If we configure the web browsers of Linux users with (192.168.2.11 or 12 or proxy1.domain.com or proxy2), the Internet access works great; it's transparent without the need for authentication.

      Configuring the web browsers of Linux users with (192.168.2.2 or proxy.domain.com) won't work, and the authentication window appears.

      If the load balancer IP/DNS name is used in the web browsers, they try to authenticate against this IP/DNS name and not against the IP/DNS name of the web proxies.
      And as the load balancer IP/DNS name is not a domain member, the authentication window appears.

      Is there any solution to still use the pfSense load balancer and make it work?

      We really don't want to use balancing through proxy.pac because it's static.

      Thank you

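
The post attributes the prompt to Linux clients offering only Kerberos while Windows clients can also use NTLM. One way to confirm which mechanism a client actually sends through each proxy name is to classify the `Proxy-Authorization` value seen in a packet capture or proxy log. This is an added example, not part of the original post; the function names and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2


def classify_proxy_auth(header_value):
    """Classify a Proxy-Authorization value: kerberos, ntlm, basic or unknown."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # raw NTLM message, also sent under the Negotiate scheme
    if token[:1] != b"\x60":  # GSS-API initial context tokens start with 0x60
        return "unknown"
    # SPNEGO lists mechTypes in preference order ahead of the mechToken, so the
    # earliest mechanism OID in the token is the one the client is attempting.
    found = []
    for name, oids in (("kerberos", (OID_KRB5, OID_MS_KRB5)), ("ntlm", (OID_NTLMSSP,))):
        found += [(token.find(o), name) for o in oids if o in token]
    return min(found)[1] if found else "unknown"


def constructed_samples():
    """Constructed header values with a placeholder mechToken (not captured traffic)."""
    spnego = (b"\x60\x40" + OID_SPNEGO + b"\xa0\x36\x30\x34\xa0\x24\x30\x22"
              + OID_MS_KRB5 + OID_KRB5 + OID_NTLMSSP
              + b"\xa2\x0c\x04\x0a" + b"\x00" * 10)
    ntlm = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20
    return {
        "spnego_kerberos_first": "Negotiate " + base64.b64encode(spnego).decode(),
        "ntlm_under_negotiate": "Negotiate " + base64.b64encode(ntlm).decode(),
    }


if __name__ == "__main__":
    for label, value in constructed_samples().items():
        print(label, "->", classify_proxy_auth(value))
```

A client that classifies as `kerberos` when pointed at proxy1.domain.com but only as `ntlm`, or sends no token at all, when pointed at proxy.domain.com is consistent with the name mismatch described in the post.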