Negotiate authentication

As with other types of authentication policies, a Negotiate authentication policy is comprised of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy.

In addition to standard authentication functions, the Negotiate Action command can now extract user information from a keytab file instead of requiring you to enter that information manually. If a keytab has more than one SPN, authentication, authorization, and auditing selects the correct SPN. You can configure this feature at the command line, or by using the configuration utility.


These instructions assume that you are already familiar with the LDAP protocol and have already configured your chosen LDAP authentication server.

To configure authentication, authorization, and auditing to extract user information from a keytab file by using the command line interface

At the command prompt, type the appropriate command:

add authentication negotiateAction <name> {-domain <string>} {-domainUser <string>} {-domainUserPasswd } [-defaultAuthenticationGroup <string>] [-keytab <string>] [-NTLMPath <string>]

set authentication negotiateAction <name> {-domain <string>} {-domainUser <string>} {-domainUserPasswd} [-defaultAuthenticationGroup <string>] [-keytab <string>] [-NTLMPath <string>]

Parameter description

  • name - Name of the negotiate action to be used.
  • domain - Domain name of the service principal that represnts NetScaler.
  • domainUser - User name of the account that is mapped with NetScaler principal. This can be given along with domain and password when keytab file is not available. If username is given along with keytab file, then that keytab file will be searched for this user’s credentials. Maximum Length: 127
  • domainUserPasswd - Password of the account that is mapped to the NetScaler principal.
  • defaultAuthenticationGroup - This is the default group that is chosen when the authentication succeeds in addition to extracted groups. Maximum Length: 63
  • keytab - The path to the keytab file that is used to decrypt kerberos tickets presented to NetScaler. If keytab is not available, domain/username/password can be specified in the negotiate action configuration. Maximum Length: 127
  • NTLMPath - The path to the site that is enabled for NTLM authentication, including FQDN of the server. This is used when clients fallback to NTLM. Maximum Length: 127

To configure authentication, authorization, and auditing to extract user information from a keytab file by using the configuration utility


In the configuration utility, the term server is used instead of action, but refers to the same task.

  1. Navigate to Security > AAA - Application Traffic > Authentication > Advanced Policies > Actions > NEGOTIATE Actions.
  2. In the details pane, on the Servers tab, do one of the following:

    • If you want to create a new Negotiate action, click Add.
    • If you want to modify an existing Negotiate action, in the data pane select the action, and then click Edit.
  3. If you are creating a new Negotiate action, in the Name text box, type a name for your new action. The name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters. If you are modifying an existing Negotiate action, skip this step. The name is read-only; you cannot change it.
  4. Under Negotiate, if the Use Keytab file check box is not already checked, check it.
  5. In the Keytab file path text box, type the full path and filename of the keytab file that you want to use.
  6. In the Default authentication group text box, type the authentication group that you want to set as default for this user.
  7. Click Create or OK to save your changes.

Points to note when advanced encryptions is used for Kerberos authentication

  • Sample configuration when keytab is used: add authentication negotiateAction neg_act_aes256 -keytab “/nsconfig/krb/lbvs_aes256.keytab”
  • Use the following command when keytab has multiple encryption types. The command additionally captures domain user parameters: add authentication negotiateAction neg_act_keytab_all -keytab “/nsconfig/krb/lbvs_all.keytab” -domainUser “HTTP/”
  • Use the following commands when user credential are used: add authentication negotiateAction neg_act_user -domain AAA.LOCAL -domainUser “HTTP/” -domainUserPasswd <password>
  • Ensure that the correct domainUser information is provided. You can look for the user logon name in AD.