Configuring Integrated Windows Authentication with a load balancer
Integrated Windows Authentication (IWA) with a load balancer is supported.
Transparent proxy deployments require no special configuration.
Explicit proxy deployments behind a load balancer require a custom configuration, for the reasons explained below.
With Content Gateway, IWA uses the Kerberos protocol, with NTLM fallback.
In a load-balanced environment:
- Clients are explicitly configured with the Content Gateway cluster's FQDN, which, when a load balancer is used, must resolve to the load balancer's VIP.
- The client's Kerberos library derives the service principal name (SPN) from that FQDN and obtains a service ticket for it. That ticket is encrypted with the long-term key of the principal behind the load balancer's name, not with the key of any individual Content Gateway node, and the client sends it to whichever node the load balancer selects.
- Because the ticket was issued for the load balancer's principal rather than the proxy node's own, the node has no key that can decrypt it, and authentication fails.
To restate the problem: clients cannot be configured to request a ticket for an individual Content Gateway node, because the client's operating system requests the ticket for the proxy FQDN it was given, and that FQDN resolves to the load balancer's VIP.
Normally, Content Gateway would be configured to share the load balancer's hostname, but that is not possible when the load balancer itself requires its hostname to resolve (as with DNS-based load balancing).
Because clients cannot be stopped from presenting a ticket issued for the load balancer's name, the proxies must instead be configured to accept that ticket: each Content Gateway node is given the load balancer's Kerberos identity (the load balancer's service principal and its key), so that within the scope of Kerberos the nodes appear as the load balancer.
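The following is an added illustration of the mechanism described above; it is not Content Gateway code and does not reproduce the product's configuration. It models a KDC, a client that derives its SPN from the proxy FQDN it was given, and two ways of provisioning a proxy node's keytab. The hostnames, realm, VIP and keys are constructed for the demo, and the "encryption" is a toy (SHA-256 keystream plus HMAC) standing in for the real Kerberos ticket encryption under the service's long-term key; the structural point carries over: a ticket is bound to the SPN named by the FQDN the client used, so only a node holding that principal's key can decrypt it.

```python
"""Toy model: why a Kerberos service ticket obtained for a load-balanced
proxy FQDN fails on a node that only has its own key, and why giving the
node the load balancer's principal key fixes it.  Added example, not
Content Gateway code; all names, addresses and keys are made up."""
import hashlib
import hmac
import json

REALM = "EXAMPLE.COM"

# Constructed DNS view: the cluster FQDN the clients use resolves to the VIP.
DNS = {
    "proxy.example.com": "10.0.0.100",    # load balancer VIP
    "cg-node1.example.com": "10.0.1.11",  # individual Content Gateway nodes
    "cg-node2.example.com": "10.0.1.12",
}

# Constructed KDC database: one long-term key per service principal.
KDC_KEYS = {
    f"HTTP/proxy.example.com@{REALM}": b"lb-principal-key-0000",
    f"HTTP/cg-node1.example.com@{REALM}": b"node1-principal-key-1",
    f"HTTP/cg-node2.example.com@{REALM}": b"node2-principal-key-2",
}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream; stands in for the real Kerberos encryption type."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = hashlib.sha256(key + plaintext).digest()[:16]  # deterministic for the demo
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("ticket was not encrypted under this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_spn(proxy_fqdn: str) -> str:
    """The client OS builds the SPN from the proxy FQDN it was configured
    with; which IP that name resolves to, or which node answers, is irrelevant."""
    return f"HTTP/{proxy_fqdn}@{REALM}"


def kdc_issue_ticket(spn: str, user: str) -> dict:
    """KDC encrypts the service ticket with the long-term key of the SPN."""
    return {"spn": spn, "enc_part": encrypt(KDC_KEYS[spn], json.dumps({"cname": user}).encode())}


class ProxyNode:
    """A Content Gateway node with a keytab mapping SPN -> key."""

    def __init__(self, fqdn: str, keytab: dict):
        self.fqdn, self.ip, self.keytab = fqdn, DNS[fqdn], dict(keytab)

    def accept(self, ticket: dict):
        """Return the authenticated client name, or None if the ticket
        cannot be decrypted with any key in this node's keytab."""
        key = self.keytab.get(ticket["spn"])
        if key is None:
            return None  # SPN not in keytab at all
        try:
            return json.loads(decrypt(key, ticket["enc_part"]))["cname"]
        except ValueError:
            return None  # SPN present but key differs (stale keytab, wrong kvno)


def run_scenarios(user: str = f"alice@{REALM}") -> dict:
    """Client points at proxy.example.com (the VIP); LB forwards to cg-node1."""
    ticket = kdc_issue_ticket(client_spn("proxy.example.com"), user)
    own_only = ProxyNode("cg-node1.example.com",
                         {f"HTTP/cg-node1.example.com@{REALM}": KDC_KEYS[f"HTTP/cg-node1.example.com@{REALM}"]})
    stale_lb_key = ProxyNode("cg-node1.example.com",
                             {f"HTTP/proxy.example.com@{REALM}": b"old-lb-key-from-before-reset"})
    with_lb_key = ProxyNode("cg-node1.example.com",
                            {f"HTTP/cg-node1.example.com@{REALM}": KDC_KEYS[f"HTTP/cg-node1.example.com@{REALM}"],
                             f"HTTP/proxy.example.com@{REALM}": KDC_KEYS[f"HTTP/proxy.example.com@{REALM}"]})
    return {
        "ticket_spn": ticket["spn"],
        "node_with_own_key_only": own_only.accept(ticket),
        "node_with_stale_lb_key": stale_lb_key.accept(ticket),
        "node_with_lb_principal_key": with_lb_key.accept(ticket),
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The third scenario is the configuration the text calls for: the node keeps its own identity but additionally holds the key for the load balancer's service principal, so a ticket for `HTTP/proxy.example.com` decrypts on any node. The second scenario is the caveat a practitioner hits in practice: having the right SPN name in the keytab is not enough, the key (and key version) must match what the KDC currently holds for that principal. On a real deployment the equivalent checks are to confirm which SPN the client actually requests (`klist get HTTP/<fqdn>` on a Windows client) and to confirm that SPN, with a current key, is present in the keytab on every node (`klist -kt <keytab>` with MIT Kerberos tools).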
Consult this article for detailed, step-by-step configuration instructions.