Kerberos is a computer network authentication protocol that uses entitlement tokens called “tickets” to let nodes communicating over a non-secure network prove their identity to one another securely, relying on a mutually trusted third party called the domain controller.
While performing Kerberos protocol transition for a user request, a network traffic management device acquires a Kerberos service ticket on behalf of the user, using the Kerberos constrained delegation mechanism, for the destination backend server. To acquire that service ticket, the network traffic management device needs to know the service principal name (SPN) of the selected backend server.
In an environment where the network traffic management device also performs traffic management functions, for example load balancing, the host name received in the user's incoming request does not correspond to the service principal name (SPN) of the destination backend server: the device selects the backend server based on various traffic management functionality, and the service principal name is unique to each selected backend server.
In existing technologies, administrators manually configure the service principal name for each backend server managed by the network traffic management device. This approach, however, carries a maintenance overhead. Additionally, it does not work in environments where a backend server is selected dynamically.
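To make the problem described above concrete, here is an added Python model (not code from the original text) of the two steps the network traffic management device performs: S4U2Self, which obtains a ticket for the user to the device itself, and S4U2Proxy, which exchanges that ticket for a service ticket to the backend's SPN under constrained delegation. The passage does not name these extensions; they are the standard Kerberos names for protocol transition and constrained delegation. The in-memory KDC, the device account `tmd$`, the backend accounts `app1$` and `app2$`, and all host names and SPNs are constructed assumptions. The model shows why the SPN must be resolved per selected backend rather than taken from the request's host name, and why a hand-maintained SPN table breaks when a backend is added to the pool without a matching entry.

```python
"""Toy model of Kerberos protocol transition behind a load balancer (constructed example)."""
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Ticket:
    client: str       # user principal the ticket names
    service: str      # SPN the ticket is valid for
    forwardable: bool


class DelegationError(Exception):
    """Raised where a real KDC would return a Kerberos error."""


class ToyKdc:
    """Stand-in for the domain controller; only the checks relevant to SPN selection."""

    def __init__(self):
        self._services = {}   # account -> {"spns", "allowed_to", "transition"}
        self._users = set()

    def register_user(self, user):
        self._users.add(user)

    def register_service(self, account, spns, allowed_to=(), transition=False):
        self._services[account] = {
            "spns": set(spns),
            "allowed_to": set(allowed_to),   # constrained-delegation target SPNs
            "transition": transition,        # may request user tickets without user creds
        }

    def s4u2self(self, account, user):
        """Ticket for `user` to the requesting service, issued without the user's credentials."""
        svc = self._services[account]
        if not svc["transition"]:
            raise DelegationError(f"{account} is not trusted for protocol transition")
        if user not in self._users:
            raise DelegationError(f"unknown user {user}")
        return Ticket(client=user, service=sorted(svc["spns"])[0], forwardable=True)

    def s4u2proxy(self, account, evidence, target_spn):
        """Exchange the S4U2Self ticket for a ticket to `target_spn` on the user's behalf."""
        svc = self._services[account]
        if evidence.service not in svc["spns"] or not evidence.forwardable:
            raise DelegationError("evidence ticket is not a forwardable ticket to the requester")
        # Constrained delegation is an exact string match on the target SPN.
        if target_spn not in svc["allowed_to"]:
            raise DelegationError(f"{account} may not delegate to {target_spn}")
        if not any(target_spn in s["spns"] for s in self._services.values()):
            raise DelegationError(f"no account holds SPN {target_spn}")
        return Ticket(client=evidence.client, service=target_spn, forwardable=False)


class TrafficManager:
    """Device that load-balances a virtual host and fetches backend tickets for the user."""

    def __init__(self, kdc, account, pool, spn_table):
        self._kdc = kdc
        self._account = account
        self._pool = cycle(pool)           # round-robin selection, one example policy
        self._spn_table = dict(spn_table)  # manually maintained backend -> SPN map

    def handle(self, user, host_header):
        backend = next(self._pool)
        # The Host header names the virtual service, not the selected backend, so the
        # SPN must come from per-backend configuration rather than from the request.
        target_spn = self._spn_table.get(backend)
        if target_spn is None:
            raise DelegationError(f"no SPN configured for backend {backend}")
        evidence = self._kdc.s4u2self(self._account, user)
        return backend, self._kdc.s4u2proxy(self._account, evidence, target_spn)


def build_demo():
    """Constructed environment: one virtual host, two backends, one device account."""
    kdc = ToyKdc()
    kdc.register_user("alice@CORP.EXAMPLE")
    kdc.register_service("app1$", ["HTTP/app1.corp.example"])
    kdc.register_service("app2$", ["HTTP/app2.corp.example"])
    kdc.register_service("tmd$", ["HTTP/www.corp.example"],
                         allowed_to=["HTTP/app1.corp.example", "HTTP/app2.corp.example"],
                         transition=True)
    return kdc


def run_scenarios():
    """Return (per-request outcomes, whether the Host-header-derived SPN was accepted)."""
    kdc = build_demo()
    # Only app1 was configured by hand; app2 joined the pool without a table entry.
    tmd = TrafficManager(kdc, "tmd$", ["app1.corp.example", "app2.corp.example"],
                         {"app1.corp.example": "HTTP/app1.corp.example"})
    results = []
    for _ in range(2):
        try:
            backend, ticket = tmd.handle("alice@CORP.EXAMPLE", "www.corp.example")
            results.append((backend, ticket.service))
        except DelegationError as exc:
            results.append(("error", str(exc)))
    # Guessing the SPN from the Host header fails the KDC's exact-match delegation check.
    evidence = kdc.s4u2self("tmd$", "alice@CORP.EXAMPLE")
    try:
        kdc.s4u2proxy("tmd$", evidence, "HTTP/www.corp.example")
        host_header_spn_ok = True
    except DelegationError:
        host_header_spn_ok = False
    return results, host_header_spn_ok


if __name__ == "__main__":
    print(run_scenarios())
```

Running the block prints the first request succeeding with a ticket for `HTTP/app1.corp.example`, the second failing because `app2.corp.example` has no configured SPN, and the Host-header SPN being rejected by the delegation check. The KDC check is a plain string comparison against the account's delegation list, which is why a per-backend SPN is required and a load-balanced virtual name is never an acceptable substitute.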