We are looking to use haproxy with Kerberos authentication and, after seeing intermittent failures, have enabled option prefer-last-server. We also have a very large number of apps behind a NAT connecting to haproxy, and my concern is that this setting will make the load balancing uneven and may even result in one backend running out of capacity even though we have many more.
Are my concerns valid, and do I have a correct understanding of the settings needed for Kerberos? I am fairly new to haproxy, so I'm looking for guidance.
I can’t speak to Kerberos specifically, but my understanding of haproxy is that connection limits are honored, so you can set your connection limits appropriately to keep one server from getting overloaded…
Likewise, if you have a lot of new connections coming in, their last server should by its nature be different. And you can adjust the memory of “prefer-last-server” to help with things.
But if you are experiencing intermittent failures that aren’t due to haproxy, I’d check your kerberos authentication backend… that is likely running out of sockets, memory or something else and that is really where this should be addressed.
**UPDATE:** doing a quick Google search shows that Kerberos does NOT like connections coming in from multiple SPNs. This is likely why your prefer-last-server fix helped. The real option would be to force all of your servers to appear to use the same SPN to the Kerberos backend... then you won't need to use prefer-last-server and you won't have to worry about overloading things.
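As an added example (not part of either post above), the following haproxy backend puts the answer's two points together: a per-server connection cap so that a single backend cannot be driven past its capacity, and `option prefer-last-server` as a preference rather than hard persistence. All hostnames, addresses, paths and limits are placeholders, and the note about which SPN the backends must hold is an assumption about how SPNEGO is normally deployed behind a load balancer, not something the thread states.

```haproxy
# Added example, not taken from the original thread.
# Placeholder names and addresses throughout.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Requests that cannot be dispatched immediately wait here instead of
    # failing; a short queue timeout keeps a saturated server from
    # silently absorbing traffic.
    timeout queue   10s

frontend fe_app
    bind *:443 ssl crt /etc/haproxy/certs/app.example.com.pem
    default_backend be_app

backend be_app
    # Non-deterministic algorithm; prefer-last-server only makes sense
    # with round-robin / leastconn, not with hashing algorithms.
    balance leastconn
    # Keep the client connection open so that a follow-up request on the
    # same connection can reuse the server connection haproxy already holds.
    option http-keep-alive
    # Preference, not persistence: haproxy tries to send a client's next
    # request on the same connection to the server that handled the previous
    # one, but will pick another server when that one is down.
    option prefer-last-server
    # With maxconn on the servers, 0 here means a keep-alive request stays on
    # its previous server only while that server still has room; otherwise it
    # is redispatched instead of queueing on the full server.
    max-keep-alive-queue 0
    # Per-server caps (assumed values) are honoured regardless of
    # prefer-last-server; once app1 reaches 500 active connections, new
    # dispatches go to app2/app3 or wait in the queue.
    server app1 10.0.0.11:8080 check maxconn 500
    server app2 10.0.0.12:8080 check maxconn 500
    server app3 10.0.0.13:8080 check maxconn 500

# Kerberos note (assumption, not an haproxy setting): clients request a
# service ticket for the name they connect to (here HTTP/app.example.com),
# so each backend's keytab must contain that same principal. That is the
# "all servers use the same SPN" configuration from the update above, and
# it lives on the application servers, not in haproxy.cfg.
```

`max-keep-alive-queue` only has an effect when the servers carry a `maxconn`; without the caps, prefer-last-server will keep routing a busy client's connection to its previous server no matter how loaded it is, which is exactly the uneven-distribution concern raised in the question.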