When Kerberos Constrained Delegation (KCD) is used as the server-side authentication protocol, a server-side SSO domain must be created. It holds all of the configuration the LoadMaster needs to authenticate to the back-end servers on the client's behalf for the LoadMaster-to-server connection.

In the Server Side Single Sign On Configurations section of the Manage SSO screen, when creating the server-side SSO domain you can select the Use AES256 SHA1 KCD cipher check box. By default the RC4 cipher is used. RC4 is a deprecated Kerberos encryption type (RFC 8429), so enable AES256 wherever the Active Directory accounts involved support it; in practice this means the trusted user account described below must be marked in AD as supporting Kerberos AES 256 bit encryption, otherwise the KDC will not issue AES256 tickets for it.

To add a new server-side SSO, enter the name of the SSO configuration and click Add.

Note: The LoadMaster only supports a single KCD server-side SSO configuration.

Authentication protocol

This drop-down selects the authentication protocol the LoadMaster uses when it authenticates to the back-end servers. The only option available for outbound (server-side) configurations is Kerberos Constrained Delegation (KCD).

For further information on KCD, please refer to the KCD Feature Description.

Kerberos Realm

The name of the Kerberos realm. For Active Directory this is the domain's DNS name in upper case (for example, EXAMPLE.COM).

Note: Colons, slashes and double quotes are not allowed in this field.
Note: This field only supports one realm.

Kerberos Key Distribution Center (KDC)

The host name or IP address of the Kerberos Key Distribution Center. The KDC is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain; every writable domain controller runs the KDC service, so a domain controller name is normally entered here.

As of LoadMaster firmware version 7.2.51 you can enter two Kerberos Key Distribution Centers (KDCs) in this field, separated by a space. The second KDC is a backup that is used if the active KDC becomes unavailable. Prior to version 7.2.51 only one KDC could be specified.

The first KDC entered is active until it fails. KDC availability is checked, and if the active KDC fails to respond successfully three times, or times out for five seconds, the LoadMaster switches to the other KDC. There is no automatic fail-back: the second KDC stays active until it in turn becomes unavailable. To return to the first KDC after a failover, once the first KDC is available again, clear the SSOMGR cache by going to System Configuration > Logging Options > System Log Files > Flush SSO Cache.

When two KDCs are specified, the active Kerberos KDC is shown underneath the Kerberos Key Distribution Center field.

Note: If you enter two KDCs they must serve the same realm; the trusted user name and password configured below are used for both, so they must be valid on both.
Note: Double and single quotes are not allowed in the Kerberos Key Distribution Center field.
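Before entering two KDCs it is worth confirming that both are reachable from the network on the Kerberos port and that both are domain controllers of the configured realm (the failover only helps if the backup KDC can actually serve the same trusted user). The following PowerShell check is an added example and is not Kemp code; the KDC names dc01.example.com and dc02.example.com and the realm EXAMPLE.COM are assumptions for illustration, and it is meant to be run from a domain-joined Windows host with the ActiveDirectory module installed.

```powershell
# Added example, not part of the Kemp documentation: sanity-check two KDCs before
# entering them (space-separated) in the Kerberos Key Distribution Center field.
# Assumed names: KDCs dc01/dc02.example.com, realm EXAMPLE.COM.
Import-Module ActiveDirectory

$realm = 'EXAMPLE.COM'
$kdcs  = @('dc01.example.com', 'dc02.example.com')

$results = foreach ($kdc in $kdcs) {
    # Kerberos listens on TCP/UDP 88. The LoadMaster cannot fail over to a KDC it cannot reach.
    $tcp = Test-NetConnection -ComputerName $kdc -Port 88 -WarningAction SilentlyContinue

    # Both entries must be domain controllers of the same realm; otherwise the single
    # trusted user name/password configured on the LoadMaster cannot be valid for both.
    $dc = Get-ADDomainController -Identity $kdc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        KDC          = $kdc
        Port88Open   = $tcp.TcpTestSucceeded
        Domain       = $dc.Domain
        RealmMatches = [bool]($dc.Domain -and $dc.Domain.ToUpper() -eq $realm)
    }
}

$results | Format-Table -AutoSize

# Only propose the field value if every KDC passed both checks.
if ($results | Where-Object { -not ($_.Port88Open -and $_.RealmMatches) }) {
    Write-Warning 'At least one KDC failed a check; fix it before configuring the LoadMaster.'
} else {
    "Kerberos Key Distribution Center field value: '$($kdcs -join ' ')'"
}
```

The order of the two names in the field matters: the first is the one the LoadMaster uses until it fails, so list the KDC closest to the LoadMaster first.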

Kerberos Trusted User Name

Before configuring the LoadMaster, a user account must be created in the Windows domain (Active Directory) and trusted for delegation. It does not need to be a domain administrator; what matters is that it is configured in AD for constrained delegation to the back-end service SPNs (Trust this user for delegation to specified services only) with protocol transition enabled (Use any authentication protocol), because the LoadMaster uses this account to obtain Kerberos tickets on behalf of users whose password it never received. Enter the user name of this trusted user in this text box. Because the account holds delegation rights and its credentials are stored on the LoadMaster, treat it as a privileged service account: give it no group memberships it does not need and restrict the delegation list to the services the LoadMaster actually fronts.

Note: Double and single quotes are not allowed in this field.

Kerberos Trusted User Password

The password of the Kerberos trusted user.
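The trusted user can be created and verified from PowerShell rather than clicking through the Delegation tab in Active Directory Users and Computers. The script below is an added example and is not Kemp code; the realm EXAMPLE.COM, the account name svc-lm-kcd and the back-end host web01.example.com are assumptions for illustration. It creates a plain domain user with AES256 enabled (the AD-side prerequisite for the Use AES256 SHA1 KCD cipher option), restricts its delegation to the back-end HTTP service, turns on protocol transition, and then reads the attributes back so you can confirm the account is correct before entering its name and password in the LoadMaster.

```powershell
# Added example, not part of the Kemp documentation: create and verify the AD account
# used as the LoadMaster's Kerberos Trusted User. All names are assumptions:
#   realm EXAMPLE.COM, trusted user svc-lm-kcd, back-end web server web01.example.com.
Import-Module ActiveDirectory

$realm    = 'EXAMPLE.COM'
$dnsDom   = $realm.ToLower()
$user     = 'svc-lm-kcd'
$backends = @('web01.example.com')            # hosts the LoadMaster will delegate to
$password = Read-Host -AsSecureString "Password for $user"

# 1. Ordinary domain user; no administrative group membership is needed for delegation.
#    -KerberosEncryptionType AES256 sets msDS-SupportedEncryptionTypes so the KDC will
#    issue AES256 tickets for this account instead of falling back to RC4.
New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@$dnsDom" `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256

# 2. Constrained delegation: the account may request service tickets only for these SPNs
#    ("Trust this user for delegation to specified services only"). Both the FQDN and the
#    short-name form are listed so either name form of the service is covered.
#    The SPN must also be registered on the back-end's own account (check: setspn -L web01).
$spns = foreach ($h in $backends) { "HTTP/$h"; "HTTP/$($h.Split('.')[0])" }
Set-ADUser -Identity $user -Add @{ 'msDS-AllowedToDelegateTo' = $spns }

# 3. Protocol transition ("Use any authentication protocol"): allows the account to obtain
#    a ticket on behalf of a user whose password it never saw, which is what the LoadMaster
#    relies on when it performs KCD for an ESP-authenticated client.
Set-ADAccountControl -Identity $user -TrustedToAuthForDelegation $true

# 4. Read the result back and decode the bits that matter.
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl flag
$AES256_HMAC_SHA1               = 0x10        # msDS-SupportedEncryptionTypes flag
$RC4_HMAC                       = 0x4

$acct = Get-ADUser -Identity $user -Properties userAccountControl,
    'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes'
$etypes = [int]$acct.'msDS-SupportedEncryptionTypes'

[pscustomobject]@{
    User                = $acct.SamAccountName
    ProtocolTransition  = [bool]($acct.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    AllowedToDelegateTo = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
    AES256Enabled       = [bool]($etypes -band $AES256_HMAC_SHA1)
    RC4StillAllowed     = [bool]($etypes -band $RC4_HMAC)
} | Format-List
```

If ProtocolTransition is False the LoadMaster will be able to authenticate as the account but not obtain tickets for users, and if AES256Enabled is False the Use AES256 SHA1 KCD cipher option will fail for this account; both are worth checking before troubleshooting on the LoadMaster side. The delegation list is also the blast radius of the account's password: an attacker who obtains it can impersonate any domain user to exactly those SPNs, so keep the list minimal.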