
Configuring Kerberos authentication on the Citrix ADC appliance

This topic provides the detailed steps to configure Kerberos authentication on the Citrix ADC appliance by using the CLI and the GUI.

Configuring Kerberos authentication on the CLI

  1. Enable the authentication, authorization, and auditing feature to ensure the authentication of traffic on the appliance.

    ns-cli-prompt> enable ns feature AAA

  2. Add the keytab file to the Citrix ADC appliance. A keytab file is necessary for decrypting the secret received from the client during Kerberos authentication. A single keytab file contains authentication details for all the services that are bound to the traffic management virtual server on the Citrix ADC appliance.

    First generate the keytab file on the Active Directory server and then transfer it to the Citrix ADC appliance.

    • Log on to the Active Directory server and add a user for Kerberos authentication. For example, to add a user named “Kerb-SVC-Account”:

      net user Kerb-SVC-Account freebsd!@#456 /add

      Note

      In the User Properties section, ensure that the “Change password at next logon” option is not selected and the “Password does not expire” option is selected.

    • Map the HTTP service to the above user and export the keytab file. For example, run the following command on the Active Directory server:

      ktpass /out keytabfile /princ HTTP/owa.newacp.com@NEWACP.COM /pass freebsd!@#456 /mapuser newacp\dummy /ptype KRB5_NT_PRINCIPAL

      Note

      You can map more than one service if authentication is required for more than one service. If you want to map more services, repeat the above command for every service. You can give the same name or different names for the output file.

    • Transfer the keytab file to the Citrix ADC appliance by using the Unix ftp command or any other file transfer utility of your choice. Upload the keytab file to the /nsconfig/krb/ directory on the Citrix ADC appliance.

  3. The Citrix ADC appliance must obtain the IP address of the domain controller from the fully qualified domain name (FQDN). Therefore, Citrix recommends configuring the Citrix ADC with a DNS server.

    ns-cli-prompt> add dns nameserver <ip-address>

    Note

    Alternatively, you can add static host entries or use any other means so that the Citrix ADC appliance can resolve the FQDN name of the domain controller to an IP address.

  4. Configure the authentication action and then associate it to an authentication policy.

    • Configure the negotiate action. This configuration creates an action (profile) for an Active Directory server that is used as a Kerberos Key Distribution Center (KDC). The profile contains all the configuration data necessary to communicate with that AD KDC server.

      ns-cli-prompt> add authentication negotiateAction <name> -domain <domain name> -domainUser <domain user name> -domainUserPasswd <domain user password> -defaultAuthenticationGroup <default authentication group> -keytab <string> -NTLMPath <string>

      Note: To determine the domain name and domain user to configure, run the klist command on the client. Its output shows the client principal and the service principal name (SPN) that the Citrix ADC serves, as in the following example:

      Client: username @ AAA.LOCAL

      Server: HTTP/onprem_idp.aaa.local @ AAA.LOCAL

      add authentication negotiateAction <name> -domain <AAA.LOCAL> -domainUser <HTTP/onprem_idp.aaa.local>

    • Configure the negotiate policy and associate the negotiate action to this policy.

      ns-cli-prompt> add authentication negotiatePolicy <name> <rule> <reqAction>

  5. Create an authentication virtual server and associate the negotiate policy with it.

    • Create an authentication virtual server.

      ns-cli-prompt> add authentication vserver <name> SSL <ipAuthVserver> 443 -authenticationDomain <domainName>

    • Bind the negotiate policy to the authentication virtual server.

      ns-cli-prompt> bind authentication vserver <name> -policy <negotiatePolicyName>

  6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.

    ns-cli-prompt> set lb vserver <name> -authn401 ON -authnVsName <string>

    Note

    Similar configurations can also be done on the content switching virtual server.

  7. Verify the configurations by doing the following:

    • Access the traffic management virtual server, using the FQDN. For example, Sample

    • View the details of the session on the CLI.

      ns-cli-prompt> show aaa session
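    Before uploading the keytab produced in step 2, it is worth confirming offline that it really contains the SPN the appliance will serve and which encryption types it carries; the ktpass command above does not pass /crypto, so the result depends on the ktpass defaults. The following script is an added example, not Citrix code: it parses the MIT keytab v2 format that ktpass writes, lists the principals and encryption types, checks for the page's SPN HTTP/owa.newacp.com@NEWACP.COM, and flags DES and RC4 entries. The keytab bytes it runs against are constructed in memory, so it works without a domain controller; pass a real file path as the first argument to inspect an exported keytab instead.

```python
"""Inspect a Kerberos keytab before uploading it to /nsconfig/krb/ (added example)."""
import struct
import sys

# IANA Kerberos encryption type numbers (subset) and the ones considered weak.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23, 24}
KRB5_NT_PRINCIPAL = 1  # the /ptype used in the ktpass command above


def _read_counted(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return the entries of a version-2 (0x0502) keytab as dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)  # negative size = deleted slot
        off += 4
        if size == 0:
            break
        if size < 0:
            off += -size
            continue
        body, off = data[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", body, p); p += 2
        realm, p = _read_counted(body, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(body, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, p); p += 9
        enctype, klen = struct.unpack_from(">HH", body, p); p += 4
        key, p = body[p:p + klen], p + klen
        kvno = vno8
        if p + 4 <= len(body):  # optional 32-bit kvno overrides the 8-bit one when non-zero
            (v,) = struct.unpack_from(">I", body, p)
            if v:
                kvno = v
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key_len": len(key),
        })
    return entries


def check_keytab(data, expected_spn):
    """Summarise a keytab: is the expected SPN present, and are weak enctypes used?"""
    entries = parse_keytab(data)
    principals = {e["principal"] for e in entries}
    weak = sorted({ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
                   for e in entries if e["enctype"] in WEAK_ENCTYPES})
    return {"entries": entries, "principals": sorted(principals),
            "spn_present": expected_spn in principals, "weak_enctypes": weak}


def build_entry(realm, comps, name_type, timestamp, kvno, enctype, key):
    """Serialise one keytab v2 entry; used only to construct the sample below."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the page's SPN with an RC4 key and an AES-256 key, kvno 3.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("NEWACP.COM", ["HTTP", "owa.newacp.com"], KRB5_NT_PRINCIPAL, 1700000000, 3, 23, b"\x11" * 16)
    + build_entry("NEWACP.COM", ["HTTP", "owa.newacp.com"], KRB5_NT_PRINCIPAL, 1700000000, 3, 18, b"\x22" * 32))
EXPECTED_SPN = "HTTP/owa.newacp.com@NEWACP.COM"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    result = check_keytab(data, EXPECTED_SPN)
    for e in result["entries"]:
        print(f'{e["principal"]:45} kvno={e["kvno"]} enctype={ENCTYPE_NAMES.get(e["enctype"], e["enctype"])}')
    print("expected SPN present:", result["spn_present"])
    print("weak encryption types:", result["weak_enctypes"] or "none")
```

    If the expected SPN is missing, the ktpass /princ value did not match the FQDN clients will use; if RC4 or DES entries appear, regenerate the keytab with an AES /crypto value and keep the kvno in step with the account's current password version, since a stale kvno makes the appliance unable to decrypt tickets.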

Configuring Kerberos authentication on the GUI

  1. Enable the authentication, authorization, and auditing feature.

    Navigate to System > Settings, click Configure Basic Features and enable the authentication, authorization, and auditing feature.

  2. Add the keytab file as detailed in step 2 of the CLI procedure mentioned above.

  3. Add a DNS server.

    Navigate to Traffic Management > DNS > Name Servers, and specify the IP address for the DNS server.

  4. Configure the Negotiate action and policy.

    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with Negotiate as the action type. Click ADD to create a new authentication negotiate server or click Edit to configure the existing details.

  5. Bind the negotiate policy to the authentication virtual server.

    Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the Negotiate policy with the authentication virtual server.

  6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.

    Navigate to Traffic Management > Load Balancing > Virtual Servers, and specify the relevant authentication settings.

    Note

    Similar configurations can also be done on the content switching virtual server.

  7. Verify the configurations as detailed in step 7 of the CLI procedure mentioned above.
