Load Balancing and Kerberos
Hello
We are using pfSense as a load balancer for 2 web proxies.
pfSense WAN 192.168.2.1, pfSense LAN 192.168.1.1
The virtual IP for the load balancer is 192.168.2.2 = proxy.domain.com; the pool contains 192.168.1.11/12
NAT is configured 192.168.1.11/12 <-> 192.168.2.11/12
proxy1.domain.com = 192.168.2.11
proxy2.domain.com = 192.168.2.12

End users are using "proxy.domain.com" as the proxy in their web browsers.
All is working well.

Our goal: use proxy authentication
------------------------------------------
--> Users opening a session with their domain accounts must have transparent Internet access without the need to authenticate.

Our problem
Once authentication is enabled (we joined our web proxies to our Active Directory), Windows users still work well, but Linux users have the problem (the authentication window appears even if their sessions are domain sessions).
Our Linux computers are also domain members; we are using Centrify Express.

The problem is that Windows computers are using NTLM/Kerberos authentication, while Linux computers are using only Kerberos authentication.
If we configure the web browsers of Linux users with (192.168.2.11 or 12, or proxy1.domain.com or proxy2), the Internet access works great; it's transparent, without the need for authentication.
Configuring the web browsers of Linux users with (192.168.2.2 or proxy.domain.com) won't work, and the authentication window appears.
If the load balancer IP/DNS name is used in the web browsers, they try to authenticate against this IP/DNS name and not against the IP/DNS name of the web proxies.
And as the load balancer IP/DNS name is not a domain member, the authentication window appears.

Is there any solution to still use the pfSense load balancer and make it work?
We really don't want to use balancing through proxy.pac because it's static.
Thank you