
Citrix ADC set preferred Domain Controllers for Kerberos Ticketing


Julian Jakob


Hello,


I'm using Kerberos on ADC.

Having about 10 Domain Controllers around the globe, is it possible to limit the preferred DCs that the ADC asks for Kerberos ticketing? I thought these were the same as those configured for DNS / LDAPS, but they aren't. In the KCD log, the ADC is asking all DCs (because of the DNS tcp.kerberos realm), and the firewall restricts access to only the 2 DCs in the same data center as the ADCs.


Fri Jan  7 23:22:27 2022
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Fri Jan  7 23:22:27 2022
 krbhst.c[447]: srv_get_hosts searching DNS for realm contoso.com tcp.kerberos -> 0
Fri Jan  7 23:22:27 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.contoso.com in realm contoso.com
Fri Jan  7 23:22:28 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.contoso.com in realm contoso.com
Fri Jan  7 23:22:29 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host adsrv21.contoso.com in realm contoso.com
Fri Jan  7 23:22:30 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host adsrv12.contoso.com in realm contoso.com
Fri Jan  7 23:22:31 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host adsrv22.contoso.com in realm contoso.com
Fri Jan  7 23:22:32 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host adsrv11.contoso.com in realm contoso.com
Fri Jan  7 23:22:33 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host adsrv02.contoso.com in realm contoso.com
Fri Jan  7 23:22:33 2022
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'contoso.com' using protocol 1
Fri Jan  7 23:22:33 2022
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm contoso.com = 0
Fri Jan  7 23:22:33 2022
 nskrb.c[2069]: ns_kgetcred krb5_get_creds returned 0, svcname HTTP/WebApp.contoso.com@contoso.com, impersonate str NULL, deleg /var/krb/s4u_0_2bd90eea811a20d3aa95036f822eccc3 outcache /var/krb/tgs_0_d592815c2d16dad4b7f6fd5dbc02a559


The impact to users is that during login there are delays of about 6-10 seconds until the correct DCs are requested for ticketing and the requested WebApp continues with SSO.
Deleting the KCD TCP entries in DNS isn't an option, as other software / appliances use Kerberos on other DCs in their responsible data centers.


Thanks for any ideas

Best Regards

Julian
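As an added example (not from the post or from Citrix), a small parser for the KCD log format quoted above that lists which KDCs the ADC tried before one answered and measures the elapsed time, using a constructed sample modelled on that log. It helps confirm that the login delay comes from firewalled KDCs being tried first rather than from the DC that finally answers.

```python
import re
from datetime import datetime

# Constructed sample modelled on the post's KCD log: timestamp line, then message line.
SAMPLE_LOG = """\
Fri Jan  7 23:22:27 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC01.contoso.com in realm contoso.com
Fri Jan  7 23:22:28 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host DC02.contoso.com in realm contoso.com
Fri Jan  7 23:22:29 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host adsrv21.contoso.com in realm contoso.com
Fri Jan  7 23:22:33 2022
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host adsrv02.contoso.com in realm contoso.com
Fri Jan  7 23:22:33 2022
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm contoso.com = 0
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
TRY_RE = re.compile(r"trying to communicate with host (\S+) in realm (\S+)")
RESULT_RE = re.compile(r"result of trying to talk to realm (\S+) = (-?\d+)")

def parse_events(log_text):
    """Pair each timestamp line with the indented message line that follows it."""
    events, stamp = [], None
    for line in log_text.splitlines():
        if not line.startswith(" "):
            stamp = datetime.strptime(line.strip(), TS_FMT)
        elif stamp is not None:
            events.append((stamp, line.strip()))
    return events

def analyze_kdc_attempts(log_text):
    """Return which KDCs were tried before one answered and how long that took."""
    tried, first = [], None
    for stamp, msg in parse_events(log_text):
        m = TRY_RE.search(msg)
        if m:
            first = first or stamp          # time of the first KDC attempt
            tried.append(m.group(1))
            continue
        m = RESULT_RE.search(msg)
        if m and first is not None:
            result = int(m.group(2))        # 0 means the last host tried answered
            return {"answered_by": tried[-1] if result == 0 else None,
                    "unreachable": tried[:-1] if result == 0 else tried,
                    "delay_seconds": (stamp - first).total_seconds(),
                    "result": result}
    return None
```

Run it over a real KCD debug log to list the hosts in `unreachable`: those are the SRV-returned DCs the firewall blocks and the source of the 6-10 second wait.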
