Configuration notes for a load balancer environment
The following notes address the configuration of Windows desktop single sign-on using SPNEGO in an environment with multiple WebSEAL servers operating behind a load balancer.
Conditions:
- Host name used by clients contacting the WebSEAL servers: lb.example.com
- WebSEAL servers:
  - websealA.example.com
  - websealB.example.com
  - websealC.example.com
  - websealD.example.com
- Active Directory domain: MYDOMAIN
General procedures:
- Create a user ID in Active Directory for the various WebSEAL services to run as. For this example, the ID is webseal.
- On the Active Directory server, run the following command:
  ktpass -princ HTTP/lb.example.com@MYDOMAIN -mapuser webseal -pass mypassw0rd -out lb_HTTP.keytab -mapOp set
  The DNS name specified to the ktpass command must match the DNS name clients use to contact the load balanced WebSEAL servers.
- The following message displays:
  >Successfully mapped HTTP/lb.example.com to webseal.
- You must also complete the standard SPNEGO configuration for WebSEAL and Internet Explorer as described in the following section:
  Ensure that you add lb.example.com to the Internet Explorer Trusted Sites list.
- If you point a browser at http://lb.example.com, you are automatically authenticated to WebSEAL.
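
A check for the requirement above that the ktpass principal match the name clients use, added here as an example and not part of the product documentation: it reads a keytab and reports whether it holds HTTP/lb.example.com@MYDOMAIN. It assumes the MIT keytab layout, version 0x0502; the function names and the constructed sample keytabs (dummy keys) are illustrative.

```python
import struct

def _counted(buf, off):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(data):
    """Return (principal, kvno, enctype) for each entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot: skip it
            off -= size
            continue
        rec, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):             # name components, e.g. "HTTP" and the host
            part, p = _counted(rec, p)
            parts.append(part.decode())
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", rec, p)
        _key, p = _counted(rec, p + 11)    # key bytes are parsed but never returned
        if len(rec) - p >= 4:              # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno, enctype))
    return entries

def check_lb_keytab(data, lb_host, realm):
    """Return a list of problems; an empty list means the principal matches."""
    want = f"HTTP/{lb_host}@{realm}"
    found = [e[0] for e in keytab_entries(data)]
    if want in found:
        return []
    return [f"{want} not in keytab; found: {', '.join(found) or 'no entries'}"]

def make_entry(host, realm, kvno=3, enctype=18):
    """Constructed sample entry with an all-zero 32-byte key, for demonstration only."""
    s = lambda b: struct.pack(">H", len(b)) + b
    rec = (struct.pack(">H", 2) + s(realm) + s(b"HTTP") + s(host)
           + struct.pack(">IIBH", 1, 0, kvno, enctype) + s(bytes(32)))
    return struct.pack(">i", len(rec)) + rec
GOOD = b"\x05\x02" + make_entry(b"lb.example.com", b"MYDOMAIN")        # constructed
BAD = b"\x05\x02" + make_entry(b"websealA.example.com", b"MYDOMAIN")   # constructed
for kt in (GOOD, BAD):
    print(check_lb_keytab(kt, "lb.example.com", "MYDOMAIN"))
```

The second sample models a keytab generated for a back-end host name instead of the load balancer name, which the check reports as a mismatch.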