Kerberos in a Proxy/Load Balancer/WebLogic Cluster

Recently one of my colleagues pointed out that I did not cover a few aspects of Kerberos configuration in an earlier post. He had a few queries, such as how he should set the service principal name (SPN) if a proxy is in front of WebLogic Server, or for that matter if there is a cluster of WebLogic Servers.

Here are the answers.

If the proxy server is on the same machine as WLS, the steps remain the same as outlined in the earlier post: the browser targets the same hostname either way, so the existing SPN for that host covers it, and the proxy passes the Kerberos (Negotiate) token through to WLS.

If the proxy is on a different machine, then SPNs for both the proxy hostname and the WLS hostname should be registered on the same service account in Active Directory (the account whose keytab WLS uses), not on WLS itself.

e.g.

WLS Server Machine: beaiis
Proxy Server Machine: beaproxy

setspn -a HTTP/beaiis.BEATEST.COM beawin
setspn -a HTTP/beaproxy.BEATEST.COM beawin

Users then access the application through the proxy URL, and that URL must be in the browser's Local intranet zone, since the browser only sends a Kerberos token automatically to sites in that zone.

For a cluster of Managed Servers running on different machines behind a proxy:

WLS Server Machine1 : beaiisone
WLS Server Machine2 : beaiistwo
WLS Server Machine3 : beaiisthree
Proxy Server Machine :beaproxy

Then we have to register an SPN for every hostname on the service account in Active Directory (the KDC):

setspn -a HTTP/beaiisone.BEATEST.COM beawin
setspn -a HTTP/beaiistwo.BEATEST.COM beawin
setspn -a HTTP/beaiisthree.BEATEST.COM beawin
setspn -a HTTP/beaproxy.BEATEST.COM beawin

And then verify. It is also worth checking that none of these SPNs is registered on a second account, because a duplicate SPN stops the KDC from issuing tickets for it at all: setspn -X lists duplicates across the domain, and setspn -S adds an SPN only after checking that no duplicate exists.

setspn -L beawin
Registered ServicePrincipalNames for CN=beawin,CN=Users,DC=BEATEST,DC=COM

HTTP/beaproxy.BEATEST.COM
HTTP/beaiisone.BEATEST.COM
HTTP/beaiistwo.BEATEST.COM
HTTP/beaiisthree.BEATEST.COM

Each server uses the same keytab and krb5Login.conf file, preferably copied to the domain directory on every machine. Note that the ticket a browser presents is for the SPN of the host in the URL, so when users come in through the proxy it is a ticket for HTTP/beaproxy.BEATEST.COM, and every server in the cluster must be able to accept that ticket: the keytab must contain an entry for that SPN (ktpass writes one principal per run; pass the previous file with /in and a new one with /out to append), and the principal named in krb5Login.conf must be the one the tickets are issued for. If the servers only accept tickets for their own hostnames, SSO works on the server URL and fails through the proxy. In the client browser, the proxy URL must be in the Local intranet zone.
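As an added example (not code from the original post or from WebLogic), the following offline check derives the SPN a browser will request for each URL users actually type and compares it with the SPN list from setspn -L. It models the mismatch behind "SSO works on the server URL but not on the load balancer URL": the browser asks for HTTP/<host in the URL>, dropping the port and using the HTTP class for https as well, and the SPN must be on the account. The setspn output is the listing shown above; the DNS table, the IP addresses and the portal.beatest.com alias are constructed for the example. The CNAME handling is there because Chrome canonicalizes a CNAME to its target before building the SPN (so an alias for the proxy needs no SPN of its own there), while a browser that does not canonicalize, such as IE by default, asks for HTTP/<alias>, which must then be registered too.

```python
"""Offline SPN check: does every URL users will type map to an SPN that is
actually registered on the service account?

Added example, not code from the original post or from WebLogic.
SETSPN_OUTPUT is the `setspn -L beawin` listing from the post; DNS is a
constructed table whose portal alias is invented to show the CNAME case.
"""
from urllib.parse import urlsplit

# Constructed: the `setspn -L beawin` output from the post.
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=beawin,CN=Users,DC=BEATEST,DC=COM
        HTTP/beaproxy.BEATEST.COM
        HTTP/beaiisone.BEATEST.COM
        HTTP/beaiistwo.BEATEST.COM
        HTTP/beaiisthree.BEATEST.COM
"""

# Constructed DNS view: host -> (record type, target). The addresses are
# invented, and portal.beatest.com is an invented CNAME alias for the proxy.
DNS = {
    "beaproxy.beatest.com": ("A", "10.0.0.10"),
    "beaiisone.beatest.com": ("A", "10.0.0.11"),
    "beaiistwo.beatest.com": ("A", "10.0.0.12"),
    "beaiisthree.beatest.com": ("A", "10.0.0.13"),
    "portal.beatest.com": ("CNAME", "beaproxy.beatest.com"),
}


def parse_setspn_list(text):
    """Return the SPNs from `setspn -L` output, lower-cased because Active
    Directory compares SPNs case-insensitively."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and not line.startswith("Registered"):
            spns.add(line.lower())
    return spns


def canonical_host(host, dns, canonicalize=True):
    """Follow CNAME records to the final target, as a canonicalizing browser
    (Chrome by default) does before building the SPN. With canonicalize=False
    the host is used exactly as typed (IE's default behaviour)."""
    host = host.lower()
    seen = set()
    while canonicalize and host not in seen and dns.get(host, ("", ""))[0] == "CNAME":
        seen.add(host)  # guard against a CNAME loop in the constructed table
        host = dns[host][1].lower()
    return host


def expected_spn(url, dns, canonicalize=True):
    """SPN the browser will request for a URL: service class HTTP (used for
    both http and https), the host from the URL, and no port."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    return "HTTP/" + canonical_host(host, dns, canonicalize)


def missing_spns(urls, setspn_text, dns, canonicalize=True):
    """SPNs the browsers will ask for that are not on the account. Any entry
    here is a URL where Negotiate cannot use Kerberos and SSO will fail."""
    registered = parse_setspn_list(setspn_text)
    wanted = {expected_spn(u, dns, canonicalize) for u in urls}
    return sorted(spn for spn in wanted if spn.lower() not in registered)


if __name__ == "__main__":
    urls = ["https://beaproxy.beatest.com:7002/app",
            "http://beaiisone.beatest.com:7001/app",
            "http://portal.beatest.com/app"]
    for canon in (True, False):
        print("canonicalize=%s missing=%s"
              % (canon, missing_spns(urls, SETSPN_OUTPUT, DNS, canon)))
```

Run against the real environment by pasting the actual setspn -L output into SETSPN_OUTPUT and the relevant DNS records into DNS; an SPN that shows up as missing with canonicalize=False but not with it registered is the alias case, and one missing in both modes is simply not on the account.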

3 comments

  1. Hi,

    I have followed the above instructions.

    My user has registered SPNs for the managed servers and the load balancers.

    The server setup is exactly the same.

    If I access the server, I SSO in.

    If I go via the load balancer, I cannot SSO in.

    Any ideas/pointers?

    James

    1. Hello James,

      I was googling to find a solution to a problem similar to the one you mentioned in this post. I know that it's been quite a long time since you posted about the problem you were seeing.

      I have the same issue: my SSO configuration works perfectly well on the server-name URL, whereas it doesn't work on the load balancer URL. This load balancer URL is a registered SPN.

      Do you recall what you did to fix this?

      Thanks in advance.
