Kerberos in a Proxy/Load Balancer/ Weblogic Cluster

Recently one of my colleague pointed out that I did not cover few aspects of Kerberos configurations in an earlier post. He had few queries such as how should he set the service principal name if a proxy is there in front of Weblogic Server. Or for that matter if there is a cluster of Weblogic Server.

Here are the answers.

If the proxy server is on the same machine as WLS, then the steps remain the same (outlined in an earlier post). The Kerberos ticket will be propagated to WLS.

If it’s in a different machine, then both the proxy url and the WLS url should be registered with WLS.


WLS Server Machine: beaiis
Proxy Server Machine: beaproxy

setspn -a HTTP/ beaiis.BEATEST.COM beawin
setspn -a HTTP/ beaproxy.BEATEST.COM beawin

And then configure your client browser with the proxy server url.

For a cluster of Managed servers running on different machine.

WLS Server Machine1 : beaiisone
WLS Server Machine2 : beaiistwo
WLS Server Machine3 : beaiisthree
Proxy Server Machine :beaproxy

Then we have to register all the urls with the KDC

setspn -a HTTP/ beaiisone.BEATEST.COM beawin
setspn -a HTTP/ beaiistwo.BEATEST.COM beawin
setspn -a HTTP/ beaiisthree.BEATEST.COM beawin
setspn -a HTTP/ beaproxy.BEATEST.COM beawin

And then verify

setspn -L beawin
Registered ServicePrincipalNames for CN=beawin,CN=Users,DC=BEATEST,DC=COM


Each Server will have the same keytab and krb5Login.conf file, preferably copied to the domains directory on all machines. And in the Client browser the local internet setting should have the proxy url.


  1. Hi,

    I have followed the above instructions.

    My user has registered spn of the managed servers and the load balancers

    The server setup is exactly the same

    If I access the server I sso in

    If I go via the load balancer I can not sso in

    Any ideas/pointers?


    1. Hello james,

      i was googling to find a solution to a similar problem that you mentioned in this post. i knpw that its been quite long time since you posted the problem you were seeing.

      i have the same issue – my SSO configuration works perfectly well on the servername url whereas it doesn’t work on the load balancer url. this Load balancer url is a registered SPN.

      Do you recall what you did to fix this.

      Thanks in advance.

Comments are closed.