F5 VIP for administration service port 15172

I'm working with our F5 load-balancing team. They created a VIP and are routing TCP 15172 to the admin servers. I'm having trouble connecting:

Connect-QADService : Server not exist or could not be contacted

Are there any instructions specific to an F5 for ARS admin connections?

I am working off of this KB:

support.oneidentity.com/.../communication-ports-for-active-roles

  • Similar to  , I've only ever seen an NLB in front of the AR WI, not the service, and from what I remember, Load Balancers aren't supported.

    Usually if the introduction of a Load Balancer is transparent to the interface (Web, Admin Service etc.), it shouldn't be an issue.

    For example with the Web Interface, as long as the Load Balancer is configured with persistent/sticky sessions, you should be ok. There might also be a requirement to configure some SPNs and/or trusted for delegation (Kerberos Constrained Delegation) settings.

    I suspect your issue is similar(ish), but more specifically relating to authentication, as you're going to be attempting to access the service using some token, for which there is no account (machine for the VIP) to decrypt the TGT.

    You could try a couple of things (I'd suggest in a test environment):

    Create a computer account in AD using the VIP.

    If that doesn't work, try configuring Kerberos constrained delegation. That, however, you'd need to do yourself (but this might help: Enabling Kerberos Constrained Delegation for a stand-alone Web Interface instance (4336757) (oneidentity.com)).
