There are some compatibility issues with KCD and other LoadMaster features. For further information, refer to the sections below.

KCD Compatibility with the Web Application Firewall

As of the 7.2.40 LoadMaster firmware version, you cannot enable both WAF and KCD at the same Virtual Service level. For example:

  • If WAF is enabled in the parent Virtual Service, you cannot enable KCD as the Server Authentication Mode in the parent Virtual Service

  • If KCD is enabled in the parent Virtual Service, you cannot enable WAF

However, you can enable ESP/KCD in the SubVS and then enable WAF in the parent Virtual Service.

If WAF and KCD were enabled at the same level before upgrading, and you upgrade the firmware to 7.2.40 or above, the upgrade does not change the configuration, but file attachments in SharePoint will not work. To resolve this, enable WAF on the parent Virtual Service and ESP/KCD on the SubVS.

The following combination is not supported: WAF with ESP Client Certificate authentication and KCD.

KCD Compatibility with Response Body Modification Rules

Response body rules are not compatible with KCD. If KCD is enabled on a Virtual Service, it is not possible to assign a body rule to it.

KCD Compatibility with NTLM

When using KCD with NTLM, the recommended best practice is to enable NTLM Proxy Mode in the System Configuration > Miscellaneous Options > L7 Configuration settings. NTLM Proxy Mode increases the security of Client Authentication by proxying NTLM Authentication with the Real Server. Authentication is verified by validating that a successful NTLM handshake has taken place with the Real Server before performing the subsequent steps (such as performing the required Server Side Kerberos Authentication where the Server Side configuration is set to KCD). This requires that the Real Server support NTLM Authentication. The legacy “NTLM” user authentication mode verified user credentials through a configured LDAP endpoint. With NTLM Proxy Mode, the Client Side SSO configuration only requires an LDAP endpoint in the case where Permitted Groups or Steering Groups are in use.
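
A pre-upgrade audit of the compatibility rules in the three sections above, as an added example that is not LoadMaster's own code. The dictionary keys (`waf`, `server_auth`, `client_auth`, `body_rules`, `subvs`) and the sample inventory are hypothetical and do not correspond to LoadMaster API parameters. The WAF with ESP Client Certificate authentication and KCD rule is assumed to apply across a parent Virtual Service and its SubVSs.

```python
# Added example. Field names and inventory are hypothetical (constructed),
# not LoadMaster API parameters.
INVENTORY = {
    "sharepoint": {"waf": True, "server_auth": "kcd"},
    "exchange": {"waf": True,
                 "subvs": {"owa": {"server_auth": "kcd", "client_auth": "form"}}},
    "intranet": {"server_auth": "kcd", "client_auth": "ntlm",
                 "body_rules": ["rewrite-links"]},
    "portal": {"waf": True,
               "subvs": {"app": {"server_auth": "kcd",
                                 "client_auth": "client_cert"}}},
}

def audit_level(name, vs, ntlm_proxy_mode):
    """Check one Virtual Service or SubVS against the same-level rules."""
    if vs.get("server_auth") != "kcd":
        return []
    findings = []
    if vs.get("waf"):
        findings.append(f"UNSUPPORTED {name}: WAF and KCD at the same level")
    if vs.get("body_rules"):
        findings.append(f"UNSUPPORTED {name}: response body rule with KCD")
    if vs.get("client_auth") == "ntlm" and not ntlm_proxy_mode:
        findings.append(f"RECOMMEND {name}: enable NTLM Proxy Mode for KCD with NTLM")
    return findings

def audit(inventory, ntlm_proxy_mode):
    """Return findings for every Virtual Service and its SubVSs."""
    findings = []
    for name, vs in inventory.items():
        subs = vs.get("subvs", {})
        findings += audit_level(name, vs, ntlm_proxy_mode)
        for sub_name, sub in subs.items():
            findings += audit_level(f"{name}/{sub_name}", sub, ntlm_proxy_mode)
        # Assumption: this combination is unsupported across parent and SubVSs.
        levels = [vs, *subs.values()]
        if (any(l.get("waf") for l in levels)
                and any(l.get("client_auth") == "client_cert" for l in levels)
                and any(l.get("server_auth") == "kcd" for l in levels)):
            findings.append(f"UNSUPPORTED {name}: WAF with ESP Client "
                            "Certificate authentication and KCD")
    return findings

if __name__ == "__main__":
    for line in audit(INVENTORY, ntlm_proxy_mode=False):
        print(line)
```

The `exchange` entry produces no finding because it follows the supported layout: WAF on the parent Virtual Service and ESP/KCD on the SubVS.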