Here are a few ideas to try.
1. Use the canonical CNAME record for the load balancer in gateway.trusted. This should in effect let TS know to trust your load balancer as the pass-through.
2. Add a header of X-Forwarded-For. And then specify the IP address of your app server that is requesting the ticket. Without it, TS may see the load balancer IP address in the trusted ticket request and this generally is not what you want.
Let me know if this helps.
Thanks for your ideas...
1. I tried both the domain name and the canonical name from the CNAME record. Neither seemed to work.
2. AWS documentation says that its Application Load Balancer passes X-Forwarded-For to the server. I don't know where I would add this (as a client requesting a trusted ticket).
I see. I'm working with on-premise load balancers where I have to add X-Forwarded-For in the load balancer config. I'm guessing AWS being in the cloud that it just does this by default.
We've switched our AWS load balancer from an Application Load Balancer to a Network Load Balancer. Now everything, including trusted tickets, is working as it was before we inserted the load balancer. For reasons I don't understand, we didn't need to mess with either gateway.trusted or gateway.trusted_hosts when using the Network Load Balancer.
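The reason gateway.trusted and X-Forwarded-For come up in this thread is that a trusted-ticket request is authorized by the requester's source IP, and once a load balancer sits in front, the immediate peer the server sees is the load balancer. The Python below is an added illustration of the check a server-side component should make (not Tableau's code): honour X-Forwarded-For only when the connection comes from a configured trusted proxy, then test the resulting client address against the trusted-hosts list. All addresses, the two network lists and the function names are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample configuration (hypothetical values, not from any real deployment).
# TRUSTED_PROXIES plays the role of gateway.trusted: load balancers allowed to set X-Forwarded-For.
# TRUSTED_HOSTS plays the role of gateway.trusted_hosts: app servers allowed to request tickets.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
TRUSTED_HOSTS = [ipaddress.ip_network("10.0.1.5/32")]


def _in_any(addr: ipaddress._BaseAddress, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    return any(addr in net for net in nets)


def effective_client_ip(remote_addr: str, xff: Optional[str],
                        trusted_proxies=TRUSTED_PROXIES) -> Optional[str]:
    """Return the address to authorize on, or None if it cannot be determined safely.

    X-Forwarded-For is honoured only when the immediate peer is a trusted proxy; from
    anyone else the header is client-controlled and ignored. When honoured, walk the
    comma-separated chain from the right, skipping our own proxies, and take the first
    hop that is not one of them (the nearest address a trusted proxy actually observed).
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted_proxies) or not xff:
        # Direct connection (header untrustworthy) or proxy forwarded nothing:
        # the peer itself is the only address we can vouch for.
        return str(peer)
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry from a proxy: refuse to guess
        if not _in_any(addr, trusted_proxies):
            return str(addr)
    return None  # every hop was one of our proxies; no client address present


def may_request_trusted_ticket(remote_addr: str, xff: Optional[str],
                               trusted_proxies=TRUSTED_PROXIES,
                               trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True only when the resolved client address is an allowed ticket requester."""
    client = effective_client_ip(remote_addr, xff, trusted_proxies)
    return client is not None and _in_any(ipaddress.ip_address(client), trusted_hosts)
```

With the sample values, a request arriving from the load balancer without X-Forwarded-For resolves to the load balancer's own address and is refused, which is the failure described above; a direct request that carries a forged header is likewise refused because the peer is not a trusted proxy.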