CBA authentication

0

I recently set up a second CAS server in my lab. However, this CAS is configured completely differently from my other CAS, and as such I created a new URL for it. I went into the load balancer and created the content rule, then added it to a new SubVS and added the FQDN of the CAS as the real server. However, since doing that I am unable to browse to the OWA site of either server. If I remove the SubVS of the new CAS I can browse to the original OWA, which uses form-based auth, but when I add the SubVS back for the new CAS, which uses Certificate Based Auth, both stop working. I am sure it is an issue with the load balancer because if I repoint the DNS directly to the server, or I browse to the OWA via the FQDN of the server, then it works. I would really like to get this fixed this weekend because I have a demo on Monday and the customer uses Kemp load balancers, and I would love for them to see this working through a Kemp.

4 comments

0
Tony Vaughan

Hello Joshua,

Can you test using a separate virtual service for the new CAS server?

You mentioned content rules, so you should be using SSL offloading/re-encrypt.
If the separate VS works, then it sounds like an issue with the certificate.

I would recommend opening a support case to look over the configuration.

0
joshua.gibson

Tony,

I created a new VS and assigned the CAS servers that are doing CBA to it. However, if I turn on the SSL options (offloading/re-encrypt) then I cannot connect to the OWA page. If I turn it off I can connect. However, I was hoping to make both OWA portals available externally and cannot do that without content switching.

0
Tony Vaughan

Looking over this again, I believe you have two options:

1. Set the virtual service as a pass-through (no SSL offloading or re-encrypting).
In this case you will not be able to use content rules;
you would need a second virtual service for the second CAS server if the authentication methods are different.

2. Use SSL offloading or re-encrypting with the content rules to route to the correct CAS.
However, you would need to disable CBA on the real servers, enable CBA for the connecting clients for all transactions, and use ESP with KCD on the virtual service.

Some details on KCD can be found here:
https://support.kemptechnologies.com/hc/en-us/articles/203860275-Kerberos-Constrained-Delegation

If you have further questions on this, please open a support ticket.

0
joshua.gibson

Tony,

I think I am good now. Quick question: if I go with option two, would CBA be enabled at the VS level or the SubVS level?

Thanks

Joshua