Two Kerberos Key Distribution Centers Can Be Set Per Domain

This article relates to LoadMaster firmware version 7.2.51.

When you configure a server-side Kerberos Constrained Delegation (KCD) Single Sign On (SSO) domain (Virtual Services > Manage SSO > Server Side Single Sign On Configurations), you specify details for the domain. As of LoadMaster firmware version 7.2.51, you can specify two Kerberos Key Distribution Centers (KDCs) separated by a space. This provides a backup in case the current KDC becomes unavailable. Prior to version 7.2.51, you could only specify one KDC.

The first KDC you enter is active until it fails. KDC availability is checked, and if the active KDC fails to respond successfully three times, or times out five times, the LoadMaster switches to the other KDC. There is no automatic fail-back: the second KDC stays active until it in turn becomes unavailable. To switch back to the first KDC after a failover, once the first KDC is available again, clear the SSOMGR cache by going to System Configuration > Logging Options > System Log Files > Flush SSO Cache.

When two KDCs are specified, the active Kerberos KDC is shown underneath the Kerberos Key Distribution Center field.

If you enter more than one KDC, the username and password must be the same for both KDCs.

Double and single quotes are not allowed in the Kerberos Key Distribution Center field.

For further details on KCD in general, refer to the Long Term Support (LTS) Kerberos Constrained Delegation Feature Description document.

Application Programming Interface (API) Details

The kerberos_kdc parameter in the RESTful API moddomain command accepts two KDC entries.

An example of a cURL command to enter two KDCs is below:

curl -k "https://<Username>:<Password>@<LoadMasterIPAddress>/access/moddomain?domain=<SSODomainName>&kerberos_kdc=<KDCAddressOne>+<KDCAddressTwo>"
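As an added example (not Kemp's own tooling), the following POSIX shell script wraps the moddomain call above: it rejects KDC entries containing quotes or spaces (quotes are not allowed in the field, and a space would be read as the separator between the two entries), builds the kerberos_kdc value from the two entries, and passes the credentials with curl's --user option rather than embedding them in the URL, where they would be recorded in shell history and proxy logs. The function names, the LM_CA_BUNDLE variable and all host, domain and credential values are assumptions and placeholders.

```shell
#!/bin/sh
# Added example: set two KDCs on a LoadMaster server-side SSO domain through
# the RESTful API moddomain command. All names below are placeholders.

# A KDC entry may only contain hostname/IP characters: the field rejects
# quotes, and a space is the separator between the two entries.
valid_kdc() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Build the moddomain query string. The two KDCs are separated by a space,
# which is sent as '+' in the URL, exactly as in the article's cURL example.
build_kdc_query() {
    domain="$1"; kdc1="$2"; kdc2="$3"
    valid_kdc "$kdc1" && valid_kdc "$kdc2" || return 1
    printf 'domain=%s&kerberos_kdc=%s+%s' "$domain" "$kdc1" "$kdc2"
}

# Send the request. Credentials go in --user, not in the URL. LM_CA_BUNDLE
# (assumed, optional) is a path to the certificate that signed the
# LoadMaster's management certificate; without it the call falls back to -k
# as in the article's example.
set_two_kdcs() {
    lm="$1"; user="$2"; pass="$3"; domain="$4"; kdc1="$5"; kdc2="$6"
    query=$(build_kdc_query "$domain" "$kdc1" "$kdc2") || {
        echo "invalid KDC entry (quotes and spaces are not allowed)" >&2
        return 1
    }
    if [ -n "$LM_CA_BUNDLE" ]; then tls="--cacert $LM_CA_BUNDLE"; else tls="-k"; fi
    curl $tls --user "$user:$pass" "https://$lm/access/moddomain?$query"
}

# Usage with placeholder values:
# set_two_kdcs 10.0.0.1 bal 'secret' EXAMPLE.LOCAL dc1.example.local dc2.example.local
```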

For further details on the RESTful API in general, refer to the Long Term Support (LTS) RESTful API Interface Description.

For PowerShell help, run the Get-Help command for the relevant commands.