Configuring Kerberos authentication on the NetScaler appliance
This topic provides the detailed steps to configure Kerberos authentication on the NetScaler appliance by using the CLI and the GUI.
Configuring Kerberos authentication on the CLI

1. Enable the authentication, authorization, and auditing (AAA) feature so that the appliance can authenticate traffic.

   ns-cli-prompt> enable ns feature AAA

2. Add the keytab file to the NetScaler appliance. The keytab holds the long-term key of the service principal; the appliance needs it to decrypt the service ticket (AP-REQ) that the client presents during Kerberos authentication. A single keytab file can hold the keys of all the service principals that are bound to the traffic management virtual server on the NetScaler appliance.

   First generate the keytab file on the Active Directory server, then transfer it to the NetScaler appliance.

   - Log on to the Active Directory server and add a user account for Kerberos authentication, using the following command:

     net user <username> <password> /add

     Note
     In the properties of this account, ensure that "User must change password at next logon" is not selected and that "Password never expires" is selected. If the account password changes after the keytab is generated, the key version number (kvno) of the account no longer matches the key in the keytab, and authentication fails until a new keytab is generated and uploaded.

   - Map the HTTP service to this user and export the keytab file. For example, run the following command on the Active Directory server:

     ktpass /out keytabfile /princ HTTP/owa.newacp.com@NEWACP.COM /pass <user password> /mapuser newacp\dummy /ptype KRB5_NT_PRINCIPAL

     The principal must be HTTP/<FQDN>@<REALM>, where the FQDN is the exact host name that clients use to reach the virtual server (the browser requests a ticket for that name) and the realm is in upper case. The /pass value resets the account password and increments the kvno, so always upload the keytab from the most recent ktpass run. ktpass also accepts a /crypto option (for example /crypto AES256-SHA1) that selects the encryption type of the key written to the keytab; prefer an AES type over RC4-HMAC or DES, and make sure the account permits it (the "This account supports Kerberos AES 256 bit encryption" account option).

     Note
     You can map more than one service if authentication is required for more than one service. Repeat the above command for every service. To collect several services in one file, pass the file from the previous run to ktpass with /in and write the result with /out; otherwise use a different output file name for each service.

   - Transfer the keytab file to the NetScaler appliance and place it in the /nsconfig/krb/ directory. Because the keytab contains the service's long-term key, use a transfer method that encrypts it in transit, such as scp or sftp, rather than plain ftp.
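The checks a practitioner wants before (or after) uploading the keytab, as an added example; this is not code from the original Citrix documentation or a NetScaler tool. It parses the MIT keytab format (version 0x0502) that ktpass writes, lists each principal with its kvno and encryption type, and flags the three things that most often break the exchange in step 2: the HTTP/ SPN the client will ask for is missing, the key is RC4 or DES instead of AES, or the entries for one principal carry different kvnos (a stale key from an earlier ktpass run). The embedded sample keytab, its key bytes and the file name in the usage line are constructed for the example; the check policy is the example's own.

```python
"""Inspect a keytab before (or after) uploading it to /nsconfig/krb/ on the NetScaler.

Added example; not code from the original NetScaler documentation. It parses the
MIT keytab format (version 0x0502) that ktpass writes and checks what matters for
the Kerberos exchange: the HTTP/ SPN clients will ask for is present, the keys
are AES rather than RC4/DES, and all keys for a principal carry one kvno. The
sample keytab is constructed in memory here; the check policy is this example's own.
"""
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
STRONG_ENCTYPES = {17, 18}
KRB5_NT_PRINCIPAL = 1          # the /ptype value used in the ktpass command above


@dataclass
class KeytabEntry:
    principal: str             # e.g. HTTP/owa.newacp.com@NEWACP.COM
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, off: int) -> tuple[bytes, int]:
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(buf: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack(">H", buf[:2])      # v2: component count excludes the realm
    realm, off = _read_counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        c, off = _read_counted(buf, off)
        comps.append(c.decode())
    # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), all big-endian
    name_type, ts, vno8, enctype, keylen = struct.unpack(">IIBHH", buf[off:off + 13])
    off += 13
    key = buf[off:off + keylen]
    off += keylen
    kvno = vno8
    if off + 4 <= len(buf):                      # optional 32-bit kvno after the key
        (vno32,) = struct.unpack(">I", buf[off:off + 4])
        kvno = vno32 or vno8
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, ts, kvno, enctype, key)


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Walk the entry table of a 0x0502 keytab; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialise one size-prefixed entry; used here only to construct the sample keytab."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def check_keytab(entries: list[KeytabEntry], expected_spn: str) -> dict:
    """Findings to review before trusting the keytab for the virtual server."""
    by_principal: dict[str, list[KeytabEntry]] = {}
    for e in entries:
        by_principal.setdefault(e.principal, []).append(e)
    weak = sorted({ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
                   for e in entries if e.enctype not in STRONG_ENCTYPES})
    kvno_mismatch = sorted(p for p, es in by_principal.items() if len({e.kvno for e in es}) > 1)
    return {"principals": sorted(by_principal),
            "has_expected_spn": expected_spn in by_principal,
            "weak_enctypes": weak,
            "kvno_mismatch": kvno_mismatch,
            "ok": expected_spn in by_principal and not weak and not kvno_mismatch}


# Constructed sample: the page's example SPN with an RC4 key and an AES256 key at
# the same kvno. The key bytes are placeholders, not real keys.
SPN = "HTTP/owa.newacp.com@NEWACP.COM"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(SPN, 3, 23, b"\x11" * 16, 1700000000)
                 + build_entry(SPN, 3, 18, b"\x22" * 32, 1700000000))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    entries = parse_keytab(data)
    for e in entries:
        print(f"{e.principal}  kvno={e.kvno}  enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print(check_keytab(entries, sys.argv[2] if len(sys.argv) > 2 else SPN))
```

Run it as `python keytab_check.py keytabfile HTTP/owa.newacp.com@NEWACP.COM` (script name assumed) against the file ktpass produced; with no arguments it inspects the constructed sample, which fails the check because of its RC4 entry. A keytab that passes still has to match the account's current kvno in Active Directory, which this offline check cannot see.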
3. The NetScaler appliance must resolve the fully qualified domain name (FQDN) of the domain controller to an IP address, so Citrix recommends configuring the NetScaler with a DNS server.

   ns-cli-prompt> add dns nameserver <ip-address>

   Note
   Alternatively, you can add static host entries or use any other means by which the NetScaler appliance can resolve the FQDN of the domain controller to an IP address.

4. Configure the authentication action and then associate it with an authentication policy.

   - Configure the negotiate action. This creates an action (profile) for an Active Directory server that is used as a Kerberos Key Distribution Center (KDC). The profile contains all the configuration data necessary to communicate with that AD KDC server.

     ns-cli-prompt> add authentication negotiateAction <name> -domain <domain name> -domainUser <domain user name> -domainUserPasswd <domain user password> -defaultAuthenticationGroup <default authentication group> -keytab <string> -NTLMPath <string>

     Note: To find the values for the domain and domain user parameters, run the klist command on a client that has already obtained a service ticket for the virtual server. The realm after the @ sign is the domain, and the service principal is the domain user, as in the following example:

     Client: username @ AAA.LOCAL
     Server: HTTP/onprem_idp.aaa.local @ AAA.LOCAL

     add authentication negotiateAction <name> -domain AAA.LOCAL -domainUser HTTP/onprem_idp.aaa.local

     Supply the remaining parameters, such as -keytab pointing at the file uploaded in step 2, as shown in the full syntax above.

   - Configure the negotiate policy and associate the negotiate action with it.

     ns-cli-prompt> add authentication negotiatePolicy <name> <rule> <reqAction>
5. Create an authentication virtual server and associate the negotiate policy with it.

   - Create an authentication virtual server.

     ns-cli-prompt> add authentication vserver <name> SSL <ipAuthVserver> 443 -authenticationDomain <domainName>

   - Bind the negotiate policy to the authentication virtual server.

     ns-cli-prompt> bind authentication vserver <name> -policy <negotiatePolicyName>

6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server. With -authn401 ON, the traffic management virtual server answers an unauthenticated request with an HTTP 401 response carrying a WWW-Authenticate: Negotiate header, which is what prompts the browser to obtain a Kerberos ticket for the virtual server's SPN and return it in an Authorization: Negotiate header.

   ns-cli-prompt> set lb vserver <name> -authn401 ON -authnVsName <string>

   Note
   The same configuration can be done on a content switching virtual server.

7. Verify the configuration:

   - Access the traffic management virtual server by its FQDN, that is, the host name in the HTTP/ service principal of the keytab (owa.newacp.com in the ktpass example in step 2). Accessing it by IP address does not produce a Kerberos ticket, because the browser would request a ticket for an SPN built from the IP address, which is not registered.

   - View the details of the session on the CLI.

     ns-cli-prompt> show aaa session
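When the verification in step 7 shows no session, the first thing to establish is whether the browser sent a Kerberos ticket at all or fell back to NTLM in the Negotiate exchange described in step 6 (the -NTLMPath parameter of the negotiate action exists for clients that do the latter). The following is an added example, not code from the original Citrix documentation: it takes the value of the Authorization: Negotiate header the client sent (copied from the browser's developer tools or a trace), base64-decodes it, and reports the mechanism from the token's leading bytes and the DER-encoded OIDs it carries. An NTLM answer means the client could not get a ticket for the SPN, which points at the FQDN, DNS or keytab steps rather than at the appliance policy. The header values embedded below are constructed for the example (the AP-REQ body is a placeholder, not a real ticket); only the OID encodings are standard.

```python
"""Tell whether a client answered the 401 Negotiate challenge with Kerberos or NTLM.

Added example; not code from the original NetScaler documentation. It decodes
the value of an Authorization: Negotiate header and reports the mechanism from
the token's leading bytes and the DER-encoded OIDs it carries. The header values
below are constructed for the example; only the OID encodings are standard.
"""
import base64

# DER contents octets of the object identifiers that matter here.
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (MS Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_MS_KRB5: "kerberos", OID_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths up to 65535)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def _der_len(buf: bytes, off: int) -> tuple[int, int]:
    """Decode a DER length at buf[off]; return (length, offset of the content)."""
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def build_spnego_init(mech_types: list[bytes], mech_token: bytes) -> bytes:
    """Constructed SPNEGO NegTokenInit (RFC 4178) inside a GSS-API InitialContextToken."""
    inner = _der(0xA0, _der(0x30, b"".join(_der(0x06, m) for m in mech_types)))  # mechTypes [0]
    inner += _der(0xA2, _der(0x04, mech_token))                                    # mechToken [2]
    return _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, _der(0x30, inner)))


def classify_negotiate(header_value: str) -> dict:
    """Classify an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "none", "detail": f"scheme is {scheme!r}, not Negotiate"}
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return {"mechanism": "ntlm", "detail": "raw NTLMSSP message, no SPNEGO wrapper"}
        if token[:1] != b"\x60":
            return {"mechanism": "unknown", "detail": "not a GSS-API InitialContextToken"}
        _, off = _der_len(token, 1)
        if token[off] != 0x06:
            return {"mechanism": "unknown", "detail": "thisMech OID missing"}
        oid_len, off = _der_len(token, off + 1)
    except (ValueError, IndexError):
        return {"mechanism": "unknown", "detail": "malformed token"}
    this_mech, rest = token[off:off + oid_len], token[off + oid_len:]
    if this_mech in (OID_KRB5, OID_MS_KRB5):
        return {"mechanism": "kerberos", "detail": "raw Kerberos token, no SPNEGO wrapper"}
    if this_mech != OID_SPNEGO:
        return {"mechanism": "unknown", "detail": f"unrecognised mechanism OID {this_mech.hex()}"}
    # In NegTokenInit the mechTypes list (in the client's preference order) precedes the
    # mechToken, so the earliest mechanism OID in the remaining bytes is the client's choice.
    order = list(dict.fromkeys(
        name for _, name in sorted((rest.find(o), n) for o, n in MECH_NAMES.items() if o in rest)))
    return {
        "mechanism": order[0] if order else "unknown",
        # a Kerberos mechToken starts with the krb5 OID followed by the KRB_AP_REQ tok_id 01 00
        "ap_req_present": any(o + b"\x01\x00" in rest for o in (OID_KRB5, OID_MS_KRB5)),
        "ntlmssp_present": b"NTLMSSP\x00" in rest,
        "detail": "SPNEGO NegTokenInit, mechTypes order: " + ", ".join(order),
    }


# Constructed header values. The AP-REQ body is a placeholder, not a real ticket.
_KRB_TOKEN = _der(0x60, _der(0x06, OID_KRB5) + b"\x01\x00" + _der(0x6E, b"placeholder AP-REQ"))
_NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], _KRB_TOKEN)).decode()
SAMPLE_NTLM_FALLBACK = "Negotiate " + base64.b64encode(build_spnego_init([OID_NTLMSSP], _NTLM_TYPE1)).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(_NTLM_TYPE1).decode()
SAMPLE_RAW_KERBEROS = "Negotiate " + base64.b64encode(_KRB_TOKEN).decode()

if __name__ == "__main__":
    for label, value in [("kerberos", SAMPLE_KERBEROS), ("ntlm-fallback", SAMPLE_NTLM_FALLBACK),
                         ("raw-ntlm", SAMPLE_RAW_NTLM)]:
        print(label, classify_negotiate(value))
```

Paste the real header value (everything after `Authorization:`) into `classify_negotiate` in place of the samples. A result of `kerberos` with `ap_req_present` true but still no session in `show aaa session` means the ticket reached the appliance and was rejected, so the keytab (SPN, kvno, encryption type) is the next thing to check; a result of `ntlm` means the client never obtained a ticket.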
Configuring Kerberos authentication on the GUI

1. Enable the authentication, authorization, and auditing feature.
   Navigate to System > Settings, click Configure Basic Features, and enable the authentication, authorization, and auditing feature.

2. Add the keytab file as detailed in step 2 of the CLI procedure above.

3. Add a DNS server.
   Navigate to Traffic Management > DNS > Name Servers, and specify the IP address of the DNS server.

4. Configure the Negotiate action and policy.
   Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with Negotiate as the action type. Click Add to create a new authentication negotiate server, or click Edit to modify an existing one.

5. Bind the negotiate policy to the authentication virtual server.
   Navigate to Security > AAA - Application Traffic > Virtual Servers, create an authentication virtual server (or select an existing one), and associate the Negotiate policy with it.

6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.
   Navigate to Traffic Management > Load Balancing > Virtual Servers, and specify the relevant authentication settings.
   Note
   The same configuration can be done on a content switching virtual server.

7. Verify the configuration as detailed in step 7 of the CLI procedure above.