|Release||Document Status||DB Platform||Categories|
|18.104.22.168 or later||INFO||SQL Server||Kerberos|
This article describes the functionality of the Kerberos Replay Cache setting.
Replay cache is used to detect duplicate 'Kerberos authentication' requests.
The Kerberos authentication implementation used by ScaleArc maintains a replay cache to detect replay attacks of Kerberos tokens. It maintains a disk file to carry out its functions across service and system failures. When a Kerberos authentication request is processed, an entry is made in the replay cache disk file.
When the connection churn rate is high, the resulting high disk activity becomes a performance bottle neck. ScaleArc installations anticipating high connection churn and configured for Kerberos authentication will experience degradation due to replay cache.
For applications that use a client side connection pooling library the connection churn rate would be low once the connection pool is populated. In this case, the performance wont degrade due to replay cache disk activity.
Also, note that replay cache can be turned OFF when SSL offload is enabled for the cluster. SSL ensures that replays of captured SSL encrypted Keberos tokens won’t be successful. This alone does not prevent an impersonating SSL proxy to launch a MiTM attack thus capturing and replaying Kerberos tokens. To overcome this, the clients should configure trust for the certificate configured on the ScaleArc cluster. This can be enabled by setting "TrustServerCertificate=yes" in the connection strings.
If you are experiencing issues with ScaleArc or with any of it's features, please contact ScaleArc Support. We are available 24x7 by phone at 855 800 7225 or +1 408 412 7315. For general support inquiries, you can also e-mail us at firstname.lastname@example.org.
2901 Tasman Drive Santa Clara, CA 95054 | Email: email@example.com