Set up NetScaler SSO
You can configure NetScaler SSO to work in one of two ways: by impersonation or by delegation. SSO by impersonation is a simpler configuration than SSO by delegation, and is therefore preferable when your configuration allows it. To configure NetScaler SSO by impersonation, you must have the user’s user name and password.
To configure NetScaler SSO by delegation, you must have the delegated user’s credentials in one of the following formats: the user’s user name and password, the keytab configuration that includes the user name and an encrypted password, or the delegated user certificate and the matching CA certificate.
Prerequisites for configuring NetScaler SSO
Before you configure a NetScaler SSO, you need to have your NetScaler appliance fully configured to manage traffic to and authentication for your web application servers. Therefore, you must configure either load balancing or content switching, and then authentication, authorization, and auditing, for these web application servers. You must also verify the routing between the appliance, your LDAP server, and your Kerberos server.
If your network is not already configured in this manner, perform the following configuration tasks:
- Configure a server and service for each web application server.
- Configure a traffic management virtual server to handle traffic to and from your web application server.
Following are brief instructions and examples for performing each of these tasks from the NetScaler command line. For further assistance, see Setting up an Authentication Virtual Server.
Note
From NetScaler 13.1 release onwards, the traversal between Root domain and Tree domain is supported during Kerberos SSO authentication for backend server from the NetScaler appliance.
To create a server and service by using the CLI
For NetScaler SSO to obtain a TGS (service ticket) for a service, either the FQDN assigned to the server entity on the NetScaler appliance must match the FQDN of the web application server, or the server entity name must match the NetBios name of the web application server. You can take either of the following approaches:
- Configure the NetScaler server entity by specifying the FQDN of the web application server.
- Configure the NetScaler server entity by specifying the IP address of the web application server, and assign the server entity the same name as the NetBios name of the web application server.
At the command prompt, type the following commands:
- add server name <serverFQDN>
- add service name serverName serviceType port
<!--NeedCopy-->
For the variables, substitute the following values:
- serverName. A name for the NetScaler appliance to use to refer to this server.
- serverFQDN. The FQDN of the server. If the server has no domain assigned to it, use the server’s IP address and make sure that the server entity name matches the NetBios name of the web application server.
- serviceName. A name for the NetScaler appliance to use to refer to this service.
- type. The protocol used by the service, either HTTP or MSSQLSVC.
- port. The port on which the service listens. HTTP services normally listen on port 80. Secure HTTPS services normally listen on port 443.
Example:
The following examples add server and service entries on the NetScaler appliance for the web application server was1.example.com. The first example uses the FQDN of the web application server; the second uses the IP address.
To add the server and service using the web application server FQDN, was1.example.com, you would type the following commands:
add server was1 was1.example.com
add service was1service was1 HTTP 80
<!--NeedCopy-->
To add the server and service using the web application server IP and NetBios name, where the web application server IP is 10.237.64.87 and its NetBios name is WAS1, you would type the following commands:
add server WAS1 10.237.64.87
add service was1service WAS1 HTTP 80
<!--NeedCopy-->
To create a traffic management virtual server by using the CLI
The traffic management virtual server manages traffic between the client and the web application server. You can use either a load balancing or a content switching virtual server as the traffic management server. The SSO configuration is the same for either type.
To create a load balancing virtual server, at the command prompt, type the following command:
add lb vserver <vserverName> <type> <IP> <port>
<!--NeedCopy-->
For the variables, substitute the following values:
- vserverName—A name for the NetScaler appliance to use to refer to this virtual server.
- type—The protocol used by the service, either HTTP or MSSQLSVC.
- IP—The IP address assigned to the virtual server. This would normally be an IANA-reserved, non-public IP address on your LAN.
- port—The port on which the service listens. HTTP services normally listen on port 80. Secure HTTPS services normally listen on port 443.
Example:
To add a load balancing virtual server called tmvserver1 to a configuration that manages HTTP traffic on port 80, assigning it a LAN IP address of 10.217.28.20 and then binding the load balancing virtual server to the wasservice1 service, you would type the following commands:
add lb vserver tmvserver1 HTTP 10.217.28.20 80
bind lb vserver tmvserv1 wasservice1
<!--NeedCopy-->
To create an authentication virtual server by using the CLI
The authentication virtual server manages authentication traffic between the client and the authentication (LDAP) server. To create an authentication virtual server, at the command prompt type the following commands:
add authentication vserver <authvserverName> SSL <IP> 443
<!--NeedCopy-->
For the variables, substitute the following values:
- authvserverName —A name for the NetScaler appliance to use to refer to this authentication virtual server. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Can be changed after the authentication virtual server is added by using the rename authentication vserver command.
- IP—The IP address assigned to the authentication virtual server. As with the traffic management virtual server, this address would normally be an IANA-reserved, non-public IP on your LAN.
- domain—The domain assigned to the virtual server. This would usually be the domain of your network. It is customary, though not required, to enter the domain in all capitals when configuring the authentication virtual server.
Example:
To add an authentication virtual server called authverver1 to your configuration and assign it the LAN IP 10.217.28.21 and the domain EXAMPLE.COM, you would type the following commands:
add authentication vserver authvserver1 SSL 10.217.28.21 443
<!--NeedCopy-->
To configure a traffic management virtual server to use an authentication profile
The authentication virtual server can be configured to handle authentication for a single domain or for multiple domains. If it is configured to support authentication for multiple domains, you must also specify the domain for NetScaler SSO by creating an authentication profile, and then configuring the traffic management virtual server to use that authentication profile.
Note
The traffic management virtual server can be either a load balancing (lb) or content switching (cs) virtual server. The following instructions assume that you are using a load balancing virtual server. To configure a content switching virtual server, simply substitute set cs vserver for set lb vserver. The procedure is otherwise the same.
To create the authentication profile, and then configure the authentication profile on a traffic management virtual server, type the following commands:
- add authentication authnProfile <authnProfileName> {-authvserverName <string>} {-authenticationHost <string>} {-authenticationDomain <string>}
- set lb vserver \<vserverName\> -authnProfile <authnprofileName>
<!--NeedCopy-->
For the variables, substitute the following values:
- authnprofileName—A name for the authentication profile. Must begin with a letter, number, or the underscore character (_), and must consist of from one to thirty-one alphanumeric or hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters.
- authvserverName—The name of the authentication virtual server that this profile uses for authentication.
- authenticationHost—Host name of the authentication virtual server.
- authenticationDomain—Domain for which NetScaler SSO handles authentication. Required if the authentication virtual server performs authentication for more than one domain, so that the correct domain is included when the NetScaler appliance sets the traffic management virtual server cookie.
Example:
To create an authentication profile named authnProfile1 for authentication of the example.com domain, and to configure the load balancing virtual server vserver1 to use the authentication profile authnProfile1, you would type the following commands:
add authentication authnProfile authnProfile1 -authnvsName authvsesrver1
-authenticationHost authvsesrver1 -authenticationDomain example.com
set lb vserver vserver1 -authnProfile authnProfile1
<!--NeedCopy-->