Jump to content
Welcome to our new Citrix community!

SSL_TCP LDAPS VIP doesn't work for some clients when I convert DNS record to CNAME for GSLB


Josh Slaney

Recommended Posts

Hello,  I'm implementing GSLB for LDAPS on a pair of VIP's that live in multiple datacenters.   The VIP's point to backend AD servers for the LDAPS authentication and are using SSL_TCP to terminate the SSL on the LB.  The certificate is testldap.company.com on the VIP.  Originally I had an A record for testldap.company.com pointing to the IP of one of the VIP everything works fine.  I changed this A record DNS entry to a C Name that points to testldap.gslb.company.com.   A couple of test scenarios:

 

1. The netscalers I have pointed for management auth to testldap.company.com work correctly after the CNAME record change.  I was able to successfully steer the traffic to one data center or the other by disabling services, ect. This appears to be working as expected.

 

2.  I have a windows domain server that is running a vendor application on it configured to use LDAPS for login.  This does not work when the CNAME record change is made.  Packet captures from the client indicate the 2nd CNAME lookup is happening at the client level.

 

I don't believe I need to have a certificate testldap.gslb.company.com applied to the SSL_TCP VIP because I have never had to do that with any other SSL VIP's that I've turned GSLB on for. Can someone confirm if the 2nd name certificate is needed?

 

The vendor is implying its a Kerberos reverse DNS lookup issue that is occurring, but that's a completely different protocol than LDAPS.  Unless there is a kerberos transaction that is taking place from the backend servers to validate the original LDAPS credentials?

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...