Load Balancing and Kerberos

boujid

Hello

we are using PfSense as LoadBalancer for 2 web proxies
pfsense WAN 192.168.2.1,pfsense LAN 192.168.1.1
the virtual IP for LoadBalancer is 192.168.2.2 = proxy.domain.com, the pool contains 192.168.1.11/12
NAT is configured 192.168.1.11/12 <-> 192.168.2.11/12
proxy1.domain.com = 192.168.2.11
proxy2.domain.com = 192.168.2.12

end users using "proxy.domain.com" as proxy in their web browsers
all is working well

our goal : use proxies authentication
–-----------------------------------------
--> users opening session with their domain accounts must have a transparent Internet access without the need to authenticate

our problem

once authentication enabled, (we joined our web proxies to our active directory) windows users still working well, linux users having the problem (the authentication window appear even if their sessions are domain sessions)
our Linux computers are also domain members, we are using centrify express

the problem is that windows computers are using ntlm/kerberos authentication, while linux computers are using only kerberos authentication

if we configure web browsers of Linux users with (192.168.2.11 or 12 or proxy1.domain.com or proxy2), the Internet access works great, it's transparent without the need of authentication

configuring web browsers of Linux users with (192.168.2.2 or proxy.domain.com) won't work and the authentication window appear

if the load balancer IP/Dns name is used for web browsers, they try to authenticate against this IP/Dns name and not against the IP/Dns name of web proxies.
and as the load balancer IP/Dns name are not domain member, the authentication window appear

is there any solution to still use PfSense Load Balancer and make it work ?

we really don't want  to use balancing through proxy.pac because it's static

Thank you