Load Balancing and Kerberos



  • Hello,

    We are using pfSense as a load balancer for 2 web proxies.
    pfSense WAN 192.168.2.1, pfSense LAN 192.168.1.1
    The virtual IP for the load balancer is 192.168.2.2 = proxy.domain.com; the pool contains 192.168.1.11/12.
    NAT is configured 192.168.1.11/12 <-> 192.168.2.11/12
    proxy1.domain.com = 192.168.2.11
    proxy2.domain.com = 192.168.2.12

    End users are using "proxy.domain.com" as the proxy in their web browsers.
    All is working well.

    Our goal: use proxy authentication
    ----------------------------------
    --> Users opening a session with their domain accounts must have transparent Internet access without the need to authenticate.

    Our problem

    Once authentication is enabled (we joined our web proxies to our Active Directory), Windows users are still working well, but Linux users have the problem (the authentication window appears even if their sessions are domain sessions).
    Our Linux computers are also domain members; we are using Centrify Express.

    The problem is that Windows computers are using NTLM/Kerberos authentication, while Linux computers are using only Kerberos authentication.

    If we configure the web browsers of Linux users with (192.168.2.11 or 12, or proxy1.domain.com or proxy2), the Internet access works great; it's transparent, without the need for authentication.

    Configuring the web browsers of Linux users with (192.168.2.2 or proxy.domain.com) won't work, and the authentication window appears.

    If the load balancer IP/DNS name is used for web browsers, they try to authenticate against this IP/DNS name and not against the IP/DNS name of the web proxies,
    and as the load balancer IP/DNS name is not a domain member, the authentication window appears.

    Is there any solution to still use the pfSense load balancer and make it work?

    We really don't want to use balancing through proxy.pac because it's static.

    Thank you

