https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284078#M237208 <HTML><HEAD></HEAD><BODY><SPAN>Hi Loftux, </SPAN><BR /><BR /><SPAN>Have you seen anything to make you think that Apache is not forwarding on the Kerberos ticket?&nbsp; Generally the Kerberos ticket is included in the request from a client in the "Authentication" header, as part of a GSSAPI token, so I don't know if there's anything in Apache that strips this - I assume you're not using auth_mod_kerb since you want Alfresco to do the authentication?</SPAN><BR /><BR /><SPAN>Do you know if you can authenticate with the Alfresco Explorer app using SSO through Apache?&nbsp; I just ask because Share delegates back to Alfresco for Kerrberos authentication and that extra layer of complexity can often have its own issues.</SPAN><BR /><BR /><SPAN>I'd be very interested in if you find a solution for this as I'm in a similar situation currently as well (using hardware load balancer instead of Apache), looking into how we can get&nbsp; SSO to work properly through the load balancer.&nbsp; Similarly we had successfully tested in single server environments and in clustered environments going directly to the server, but we're still having issues with SSO through the balancer.&nbsp; </SPAN><BR /><BR /><SPAN>I have a hunch that our problem at least is to do with aligning the SPNs &amp; associated keytabs on both hosts with the name of the load balanced service rather than the host names, but I'm not sure.&nbsp; </SPAN><BR /><BR /><SPAN>Regards</SPAN><BR /><BR /><SPAN>Steven</SPAN></BODY></HTML> Tue, 01 Sep 2015 15:36:03 GMT steven_okennedy 2015-09-01T15:36:03Z https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284077#M237207 I'm setting up a 4.2.4 cluster with two nodes (node1.example.comn, node2.example.com). Each have alfresco and share running.Users access an apache front-end that acts as a load balancer (alfresco.example.com) using Apache.The goal is to have users SSO when accessing the loadbalancer.I've been able t Wed, 10 Jun 2015 08:45:51 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284077#M237207 loftux 2015-06-10T08:45:51Z https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284078#M237208 <HTML><HEAD></HEAD><BODY><SPAN>Hi Loftux, </SPAN><BR /><BR /><SPAN>Have you seen anything to make you think that Apache is not forwarding on the Kerberos ticket?&nbsp; Generally the Kerberos ticket is included in the request from a client in the "Authentication" header, as part of a GSSAPI token, so I don't know if there's anything in Apache that strips this - I assume you're not using auth_mod_kerb since you want Alfresco to do the authentication?</SPAN><BR /><BR /><SPAN>Do you know if you can authenticate with the Alfresco Explorer app using SSO through Apache?&nbsp; I just ask because Share delegates back to Alfresco for Kerrberos authentication and that extra layer of complexity can often have its own issues.</SPAN><BR /><BR /><SPAN>I'd be very interested in if you find a solution for this as I'm in a similar situation currently as well (using hardware load balancer instead of Apache), looking into how we can get&nbsp; SSO to work properly through the load balancer.&nbsp; Similarly we had successfully tested in single server environments and in clustered environments going directly to the server, but we're still having issues with SSO through the balancer.&nbsp; </SPAN><BR /><BR /><SPAN>I have a hunch that our problem at least is to do with aligning the SPNs &amp; associated keytabs on both hosts with the name of the load balanced service rather than the host names, but I'm not sure.&nbsp; </SPAN><BR /><BR /><SPAN>Regards</SPAN><BR /><BR /><SPAN>Steven</SPAN></BODY></HTML> Tue, 01 Sep 2015 15:36:03 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284078#M237208 steven_okennedy 2015-09-01T15:36:03Z