Windows AD redundancy of authentication (Kerberos)

Former Member

I have been using AD authentication.
I use a single domain and want to make it redundant.

Reference: 1581958 - Windows AD authentication takes very long time to logon
--------------------
[libdefaults]
default_realm = ABCD.MFROOT.ORG
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
ABCD.MFROOT.ORG = {
kdc = ABCDIR99.ABCD.MFROOT.ORG  ←non-existent domain
kdc = ABCDIR21.ABCD.MFROOT.ORG
kdc = ABCDIR22.ABCD.MFROOT.ORG
kdc = ABCDIR23.ABCD.MFROOT.ORG
default_domain = ABCD.MFROOT.ORG
}
--------------------

In order to test the redundancy, I use a domain that does not exist.
But an error (FWM 00006) is output.
Or is it not possible to test with a non-existent domain?

denis_konovalov
Active Contributor

I have fixed your tag; please select it more carefully next time.

Accepted Solutions (0)

Answers (1)

BasicTek
Active Contributor

The bsclogin.conf must have debug=true set at the end of the 2nd line for the Kerberos errors to be output to the Tomcat std.out:

com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

If the non-existent domain is at all reachable (resolves to an IP), then krb5 will likely time out trying to communicate with it. If it is really non-existent, then it should simply skip it and try the next; the multiple KDCs work like round robin.

For real redundancy, using SSO via KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/2629070 would be the way to go, as that uses DNS instead of the krb5.ini; the krb5 is only used for manual logon, which currently goes through our Java SDK.

-Tim
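As an added diagnostic (not code from this thread or from SAP), the following Python script parses the [realms] block of a krb5.ini like the one in the question and reports which kdc entries resolve in DNS, which is the distinction Tim draws: an unresolvable entry is skipped quickly, while an entry that resolves but points at a dead host costs a full timeout before the next KDC is tried. The sample ini is constructed, and the resolver is injectable so the check can run without network access.

```python
import re
import socket
from typing import Dict, List, Tuple

# Constructed sample, modelled on the [realms] block in the question
SAMPLE_KRB5_INI = """
[realms]
ABCD.MFROOT.ORG = {
kdc = ABCDIR99.ABCD.MFROOT.ORG
kdc = ABCDIR21.ABCD.MFROOT.ORG
kdc = ABCDIR22.ABCD.MFROOT.ORG
kdc = ABCDIR23.ABCD.MFROOT.ORG
default_domain = ABCD.MFROOT.ORG
}
"""

def parse_realm_kdcs(ini_text: str) -> Dict[str, List[str]]:
    """Return {realm: [kdc host, ...]} from [realms], preserving file order."""
    realms: Dict[str, List[str]] = {}
    section, current = None, None
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "realms":
            opened = re.match(r"^(\S+)\s*=\s*\{$", line)
            if opened:                                # REALM = {
                current = opened.group(1)
                realms[current] = []
            elif line == "}":
                current = None
            elif current:
                key, _, value = (p.strip() for p in line.partition("="))
                if key == "kdc" and value:
                    realms[current].append(value.split(":")[0])  # strip :port
    return realms

def dns_resolves(host: str) -> bool:
    """True if the KDC name resolves in DNS (88 is the Kerberos port)."""
    try:
        socket.getaddrinfo(host, 88)
        return True
    except socket.gaierror:
        return False

def classify_kdcs(kdcs: List[str], resolves=dns_resolves) -> List[Tuple[str, str]]:
    """Unresolvable hosts are skipped fast; resolving-but-dead ones cost a timeout."""
    return [(h, "resolves" if resolves(h) else "unresolvable") for h in kdcs]
```

Run `classify_kdcs(parse_realm_kdcs(open("krb5.ini").read())["ABCD.MFROOT.ORG"])` against a real file to see which entries krb5 will skip and which it will actually contact.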