Configuring SSO
Configuring Citrix ADC SSO to authenticate by impersonation is simpler than configuring SSO to authenticate by delegation, and is therefore preferable when your configuration allows it. You create a KCD account, and the appliance uses the user's own password to obtain Kerberos tickets on the user's behalf.
If you do not have the user's password, configure Citrix ADC SSO to authenticate by delegation instead. Although more complex to configure, delegation does not depend on the user's credentials being available to the Citrix ADC appliance, which is not the case in all circumstances.
For either impersonation or delegation, you must also enable integrated authentication on the web application server.
Enable integrated authentication on the web application server
To set up Citrix ADC Kerberos SSO on each web application server that Kerberos SSO manages, use the configuration interface on that server to configure the server to require authentication. Select Kerberos (negotiate) authentication by preference, with fallback to NTLM for clients that do not support Kerberos.
Following are instructions for configuring the Microsoft Internet Information Server (IIS) to require authentication. If your web application server uses software other than IIS, consult the documentation for that web server software for instructions.
To configure Microsoft IIS to use integrated authentication
- Log on to the IIS server and open Internet Information Services Manager.
- Select the website for which you want to enable integrated authentication. To enable integrated authentication for all websites managed by IIS Manager, configure the authentication settings for the Default website. To enable integrated authentication for individual services (such as Exchange, Exadmin, ExchWeb, and Public), configure these authentication settings for each service individually.
- Open the Properties dialog box for the default website or for the individual service, and click the Directory Security tab.
- Beside Authentication and Access Control, select Edit.
- Disable anonymous access.
- Enable Integrated Windows authentication (only). Enabling Integrated Windows authentication should automatically set the web server's protocol negotiation to Negotiate, NTLM, which specifies Kerberos authentication with fallback to NTLM for clients that are not Kerberos-capable. If this option is not set automatically, set protocol negotiation to Negotiate, NTLM manually.
Set up SSO by impersonation
You can configure the KCD account for Citrix ADC SSO by impersonation. In this configuration, the Citrix ADC appliance obtains the user’s user name and password when the user authenticates to the authentication server and uses those credentials to impersonate the user to obtain a ticket-granting ticket (TGT). If the user’s name is in UPN format, the appliance obtains the user’s realm from UPN. Otherwise, it obtains the user’s name and realm by extracting it from the SSO domain used during initial authentication, or from the session profile.
Note
You cannot add a user name with domain if the user name is already added without domain. If the user name with domain is added first followed by the same user name without domain, then the Citrix ADC appliance adds the user name to the user list.
When configuring the KCD account, you must set the realm parameter to the realm of the service that the user is accessing. The same realm is also used as the user’s realm if the user’s realm cannot be obtained from authentication with the Citrix ADC appliance or from the session profile.
To create the KCD account for SSO by impersonation with a password
At the command prompt, type the following command:
add aaa kcdaccount <accountname> -realmStr <realm>
For the variables, substitute the following values:
- accountname. The KCD account name.
- realm. The domain assigned to the Citrix ADC SSO.
Example
To add a KCD account named kcdaccount1 for the realm EXAMPLE.COM, you would type the following command:
add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM
For information on configuring Kerberos impersonation through the Citrix ADC GUI, see Citrix Support.
Configure SSO by delegation
To configure SSO by Delegation, you need to perform the following tasks:
- If you are configuring delegation by delegated user certificate, install the matching CA certificates on the Citrix ADC appliance and add them to the Citrix ADC configuration.
- Create the KCD account on the appliance. The appliance uses this account to obtain service tickets for your protected applications.
- Configure the Active Directory server.
Note
For more information on creating a KCD account and configuring on the NetScaler appliance, refer to the following topics:
Installing the client CA certificate on the Citrix ADC appliance
If you are configuring Citrix ADC SSO with a client certificate, you must copy the matching CA certificate for the client certificate domain (the client CA certificate) to the Citrix ADC appliance, and then install the CA certificate. To copy the client CA certificate, use the file transfer program of your choice to transfer the certificate and private-key file to the Citrix ADC appliance, and store the files in /nsconfig/ssl.
To install the client CA certificate on the Citrix ADC appliance
At the command prompt, type the following command:
add ssl certKey <certkeyName> -cert <cert> [(-key <key> [-password]) | -fipsKey <fipsKey>][-inform ( DER | PEM )][-expiryMonitor ( ENABLED | DISABLED | UNSET ) [-notificationPeriod <positive_integer>]] [-bundle ( YES | NO )]
For the variables, substitute the following values:
- certkeyName. A name for the client CA certificate. Must begin with an ASCII alphanumeric or underscore (_) character and must be from one to thirty-one characters long. Allowed characters are ASCII alphanumerics, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-). Cannot be changed after the certificate-key pair is created. If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my cert" or 'my cert').
- cert. Full path name and file name of the X509 certificate file used to form the certificate-key pair. The certificate file must be stored on the Citrix ADC appliance, in the /nsconfig/ssl/ directory.
- key. Full path name and file name of the file that contains the private key to the X509 certificate file. The key file must be stored on the Citrix ADC appliance in the /nsconfig/ssl/ directory.
- password. If a private key is specified, the passphrase used to encrypt the private key. Use this option to load encrypted private keys in PEM format.
- fipsKey. Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.
Note
You can specify either a key or a fipsKey, but not both.
- inform. Format of the certificate and private-key files, either PEM or DER.
- passplain. Passphrase used to encrypt the private key, given on the command line instead of at the interactive -password prompt. One of the two is required when adding an encrypted private key in PEM format.
- expiryMonitor. Configure the Citrix ADC appliance to issue an alert when the certificate is about to expire. Possible values: ENABLED, DISABLED, UNSET.
- notificationPeriod. If expiryMonitor is ENABLED, number of days before the certificate expires to issue an alert.
- bundle. Parse the certificate chain as a single file after linking the server certificate to its issuer’s certificate within the file. Possible values: YES, NO.
Example
The following example adds the delegated user certificate customer-cert.pem to the Citrix ADC configuration together with its private key customer-key.pem, supplies the key passphrase on the command line with -passplain, and sets the certificate format, expiration monitor, and notification period. Using -password instead prompts for the passphrase interactively, which keeps it out of the command history.
To add the delegated user certificate, you would type the following command:
add ssl certKey customer -cert "/nsconfig/ssl/customer-cert.pem"
-key "/nsconfig/ssl/customer-key.pem" -passplain "dontUseDefaultPWs!"
-inform PEM -expiryMonitor ENABLED -notificationPeriod 14
Creating the KCD account
If you are configuring Citrix ADC SSO by delegation, you can configure the KCD account to use the delegated user's log-on name and password, the log-on name and a keytab, or a delegated user certificate. If you configure SSO with a user name and password, the Citrix ADC appliance uses the delegated user account to obtain a Ticket Granting Ticket (TGT), and then uses the TGT to obtain service tickets for the specific services that each user requests. If you configure SSO with a keytab file, the Citrix ADC appliance uses the delegated user account and the keys in the keytab. If you configure SSO with a delegated user certificate, the Citrix ADC appliance authenticates with that certificate.
To create the KCD account for SSO by delegation with a password
At the command prompt, type the following commands:
add aaa kcdAccount <kcdAccount> {-keytab <string>} {-realmStr <string>} {-delegatedUser <string>} {-kcdPassword } {-usercert <string>} {-cacert <string>} [-userRealm <string>]
[-enterpriseRealm <string>] [-serviceSPN <string>]
For the variables, substitute the following values:
- kcdAccount - A name for the KCD account. This is a mandatory argument. Maximum Length: 31
- keytab - The path to the keytab file. If specified, the other parameters in this command need not be given. Maximum Length: 127
- realmStr - The realm of Kerberos. Maximum Length: 255
- delegatedUser - Username that can perform kerberos constrained delegation. Maximum Length: 255
- kcdPassword - Password for Delegated User. Maximum Length: 31
- usercert - SSL certificate (including the private key) for the delegated user. Maximum Length: 255
- cacert - CA certificate for the userCert, or for the PKINIT back channel. Maximum Length: 255
- userRealm - Realm of the user. Maximum Length: 255
- enterpriseRealm - Enterprise realm of the user. Give this only in KDC deployments where the KDC expects an enterprise user name instead of a principal name. Maximum Length: 255
- serviceSPN - Service SPN. When specified, this will be used to fetch kerberos tickets. If not specified, Citrix ADC will construct SPN using service fqdn. Maximum Length: 255
Example (UPN Format)
To add a KCD account named kcdaccount1 to the Citrix ADC appliance configuration with a password of password1 and a realm of EXAMPLE.COM, specifying the delegated user account by its log-on name (here root; a name in UPN format, such as user@EXAMPLE.COM, also carries the realm), you would type the following command:
add aaa kcdAccount kcdaccount1 -delegatedUser root
-kcdPassword password1 -realmStr EXAMPLE.COM
Example (SPN Format)
To add a KCD account named kcdaccount1 to the Citrix ADC appliance configuration with a password of password1 and a realm of EXAMPLE.COM, specifying the delegated user account in SPN format, you would type the following commands:
add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM
-delegatedUser "host/kcdvserver.example.com" -kcdPassword password1
Creating the KCD account for SSO by delegation with a keytab
If you plan to use a keytab file for authentication, first create the keytab. You can create the keytab file manually by logging on to the AD server and using the ktpass utility, or you can use the Citrix ADC configuration utility to create a batch script, and then run that script on the AD server to generate the keytab file. Next, use FTP or another file transfer program to transfer the keytab file to the Citrix ADC appliance and place it in the /nsconfig/krb directory. Finally, configure the KCD account for Citrix ADC SSO by delegation and provide the path and file name of the keytab file to the Citrix ADC appliance.
To create the keytab file manually
Log on to the AD server command line and, at the command prompt, type the following command:
ktpass /princ <SPN> /ptype KRB5_NT_PRINCIPAL /mapuser <DOMAIN>\<username> /pass <password> /out <File_Path>
For the variables, substitute the following values:
- SPN. The service principal name for the KCD service account, including the realm, for example HTTP/kcdvserver.example.com@EXAMPLE.COM. ktpass also registers this SPN on the account.
- DOMAIN. The domain of the Active Directory server.
- username. The KSA account user name.
- password. The KSA account password. ktpass sets the account password to this value, which increments the account's key version number (kvno); a keytab generated earlier stops working after any password change, so regenerate it.
- File_Path. The full path and file name of the keytab file to write.
By default (/crypto All) ktpass writes a key for every encryption type the account supports, which can include RC4-HMAC. Add /crypto AES256-SHA1 to write an AES256 key only, and make sure the account is allowed AES in its msDS-SupportedEncryptionTypes setting.
To use the Citrix ADC configuration utility to create a script to generate the keytab file
- Navigate to Security > AAA - Application Traffic.
- In the data pane, under Kerberos Constrained Delegation, click Batch file to generate Keytab.
- In the Generate KCD (Kerberos Constrained Delegation) Keytab Script dialog box, set the following parameters:
- Domain User Name. The KSA account user name.
- Domain Password. The KSA account password.
- Service Principal. The service principal name for the KSA.
- Output File Name. The full path and file name to which to save the keytab file on the AD server.
- Clear the Create Domain User Account check box.
- Click Generate Script.
- Log on to the Active Directory server and open a command line window.
- Copy the script from the Generated Script window and paste it directly into the Active Directory server command-line window. The keytab is generated and stored in the directory under the file name that you specified as Output File Name.
- Use the file transfer utility of your choice to copy the keytab file from the Active Directory server to the Citrix ADC appliance and place it in the /nsconfig/krb directory.
To create the KCD account
At the command prompt, type the following command:
add aaa kcdAccount <accountname> -keytab <keytab>
Example
To add a KCD account named kcdaccount1 that uses the keytab named kcdvserver.keytab, you would type the following command:
add aaa kcdAccount kcdaccount1 -keytab kcdvserver.keytab
To create the KCD account for SSO by delegation with a delegated user cert
At the command prompt, type the following command:
add aaa kcdaccount <accountname> -realmStr <realm> -delegatedUser <user_nameSPN> -usercert <cert> -cacert <cacert>
For the variables, substitute the following values:
- accountname. A name for the KCD account.
- realmStr. The realm for the KCD account, usually the domain for which SSO is configured.
- delegatedUser. The delegated user name, in SPN format.
- usercert. The full path and name of the delegated user certificate file on the Citrix ADC appliance. The delegated user certificate must contain both the client certificate and the private key, and must be in PEM format. If you use smart card authentication, you might need to create a smart card certificate template that allows certificates to be exported with the private key.
- cacert. The full path to and name of the CA certificate file on the Citrix ADC appliance.
Example
To add a KCD account named kcdaccount1 that authenticates with the delegated user certificate /certs/usercert and the CA certificate /cacerts/cacert, you would type the following command:
add aaa kcdaccount kcdaccount1 -realmStr EXAMPLE.COM
-delegatedUser "host/kcdvserver.example.com" -usercert /certs/usercert
-cacert /cacerts/cacert
Setting up Active Directory for Citrix ADC SSO
When you configure SSO by delegation, in addition to creating the KCD account on the Citrix ADC appliance, you must also create a matching Kerberos Service Account (KSA) in your Active Directory domain and configure it for delegation. To create the KSA, use the normal account creation process on the Active Directory server. To configure delegation, open the properties window for the KSA. On the Delegation tab, enable the following options: Trust this user for delegation to specified services only and Use any authentication protocol. (The Use Kerberos only option does not work: it permits constrained delegation but not protocol transition, and the appliance needs protocol transition because it authenticates the user itself instead of receiving a Kerberos ticket from the user.) Finally, add the services that Citrix ADC SSO manages.
Note
If the Delegation tab is not visible in the KSA account properties dialog box, the account has no service principal name registered. Use the Microsoft setspn command-line tool to register an SPN for the account; the tab appears only for accounts that have at least one SPN. Then configure the KSA as described.
To configure delegation for the Kerberos service account
- In the LDAP account configuration dialog box for the Kerberos service account that you created, click the Delegation tab.
- Choose “Trust this user for delegation to the specified services only”.
- Under “Trust this user for delegation to the specified services only,” choose “Use any authentication protocol”.
- Under “Services to which this account can present delegated credentials,” click Add.
- In the Add Services dialog box, click Users or Computers, choose the server that hosts the resources to be assigned to the service account, and then click OK.
Note
- Constrained delegation does not support services hosted in domains other than the domain assigned to the account, even though Kerberos might have a trust relationship with other domains.
- Use the following command to register the SPN when a new user is created in Active Directory: setspn -A host/kcdvserver.example.com example\kcdtest
- Back in the Add Services dialog box, in the Available Services list, choose the services assigned to the service account. Citrix ADC SSO supports the HTTP and MSSQLSVC services.
- Click OK.
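To check that the KSA ended up with the settings the procedure above calls for, the following script evaluates the directory attributes that the Delegation tab writes: the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl that "Use any authentication protocol" sets, the msDS-AllowedToDelegateTo list that "specified services only" fills, and the servicePrincipalName the tab depends on. It is an added example, not Citrix or Microsoft code. The account records in it are constructed sample data rather than an LDAP read; the attribute names and flag values are the real Active Directory ones, and the HTTP/MSSQLSVC and same-domain rules are the ones stated on this page.

```python
"""Offline check of a Kerberos service account's delegation settings.

Added example, not Citrix or Microsoft code. The three account records at the
bottom are constructed sample data; attribute names and flag values are the
real AD ones.
"""
from dataclasses import dataclass, field

# userAccountControl bits (MS-SAMR / MS-ADTS).
TRUSTED_FOR_DELEGATION = 0x80000            # "any service (Kerberos only)": unconstrained
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)
NORMAL_ACCOUNT = 0x200

SUPPORTED_SERVICE_CLASSES = {"HTTP", "MSSQLSVC"}  # services Citrix ADC SSO can request tickets for


@dataclass
class KsaCheck:
    ok: bool
    findings: list = field(default_factory=list)


def split_spn(spn):
    """Return (service class, host) from an SPN of the form class/host[:port][/name]."""
    cls, _, rest = spn.partition("/")
    host = rest.split("/")[0].split(":")[0].lower()
    return cls.upper(), host


def check_ksa(attrs, account_domain):
    """attrs: AD attribute name -> value, as an LDAP read of the KSA returns them."""
    findings = []
    uac = int(attrs.get("userAccountControl", 0))
    spns = attrs.get("servicePrincipalName", [])
    targets = attrs.get("msDS-AllowedToDelegateTo", [])
    domain_suffix = "." + account_domain.lower()

    if not spns:
        findings.append("no servicePrincipalName: the Delegation tab stays hidden until one is registered (setspn -A)")
    if uac & NOT_DELEGATED:
        findings.append("NOT_DELEGATED is set: this account can never delegate")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("TRUSTED_FOR_DELEGATION is set: unconstrained delegation, far broader than SSO needs")
    if not targets:
        findings.append("msDS-AllowedToDelegateTo is empty: 'specified services only' was not configured")
    elif not (uac & TRUSTED_TO_AUTH_FOR_DELEGATION):
        findings.append("'Kerberos only' mode: no protocol transition, so the ADC cannot obtain service "
                        "tickets for users it authenticated itself (LDAP, forms, certificate)")
    for target in targets:
        cls, host = split_spn(target)
        if cls not in SUPPORTED_SERVICE_CLASSES:
            findings.append(f"{target}: service class {cls} is not one ADC SSO uses (HTTP, MSSQLSVC)")
        # Unqualified (single-label) hosts are not judged; a FQDN in another domain is.
        if "." in host and not host.endswith(domain_suffix):
            findings.append(f"{target}: host is outside {account_domain}; constrained delegation does not cross domains")
    return KsaCheck(ok=not findings, findings=findings)


# Constructed sample records (not read from a directory).
GOOD_KSA = {
    "sAMAccountName": "kcdtest",
    "servicePrincipalName": ["host/kcdvserver.example.com"],
    "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["HTTP/webapp01.example.com", "MSSQLSVC/db01.example.com:1433"],
}
KERBEROS_ONLY_KSA = dict(GOOD_KSA, userAccountControl=NORMAL_ACCOUNT)
CROSS_DOMAIN_KSA = dict(GOOD_KSA, **{"msDS-AllowedToDelegateTo": ["HTTP/intranet.partner.local"]})

if __name__ == "__main__":
    samples = (("good", GOOD_KSA), ("kerberos-only", KERBEROS_ONLY_KSA), ("cross-domain", CROSS_DOMAIN_KSA))
    for name, record in samples:
        result = check_ksa(record, "example.com")
        print(name, "OK" if result.ok else result.findings)
```

Feed it the attributes of the real account (for example the output of Get-ADUser with -Properties servicePrincipalName,userAccountControl,msDS-AllowedToDelegateTo) to get the same verdict before you add the KCD account on the appliance.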
Points to note when advanced encryption types are used to configure the KCD account
- Sample configuration when a keytab is used: add aaa kcdAccount lbvs_keytab_aes256 -keytab "/nsconfig/krb/kcd2_aes256.keytab"
- Use the following command when the keytab has multiple encryption types. It additionally specifies the domain user: add aaa kcdAccount lbvs_keytab_aes256 -keytab "/nsconfig/krb/kcd2_aes256.keytab" -domainUser "HTTP/lbvs.aaa.local"
- Use the following command when user credentials are used: add aaa kcdAccount kslb2_user -realmStr AAA.LOCAL -delegatedUser lbvs -kcdPassword <password>
- Ensure that the correct domainUser information is provided. You can find the user logon name in Active Directory.
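Before copying a keytab produced by ktpass into /nsconfig/krb (see "Creating the KCD account for SSO by delegation with a keytab" above), and especially when the multiple-encryption-types case in these points applies, it is worth seeing exactly which keys it holds. The following script is an added example, not Citrix code: it parses the keytab format that ktpass writes (MIT keytab version 0x0502), lists each principal with its kvno and encryption type, and flags RC4 or DES keys, a missing SPN, and entries from two different password versions. The keytab bytes in it are constructed in-line as sample data; to inspect a real file, pass open(path, "rb").read() to audit_keytab instead.

```python
"""Inspect a keytab before copying it to /nsconfig/krb.

Added example, not Citrix code. SAMPLE_KEYTAB below is constructed in-line
as sample data, not produced by ktpass.
"""
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4)",
}
WEAK_ENCTYPES = {1, 3, 16, 23}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str   # SPN@REALM
    kvno: int
    enctype: int
    key: bytes


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse a version 5.2 keytab into KeytabEntry records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 5.2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # a negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno; a non-zero value overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def audit_keytab(data, expected_spn, expected_realm):
    """Return (entries, findings); an empty findings list means the keytab is usable as-is."""
    entries = parse_keytab(data)
    want = f"{expected_spn}@{expected_realm}"
    findings = []
    mine = [e for e in entries if e.principal == want]
    if not mine:
        findings.append(f"no key for {want}; the ADC will request tickets under that name")
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal} kvno {e.kvno}: weak enctype "
                            f"{ENCTYPE_NAMES.get(e.enctype, e.enctype)}; regenerate with /crypto AES256-SHA1")
    kvnos = sorted({e.kvno for e in mine})
    if len(kvnos) > 1:
        findings.append(f"{want}: mixed kvnos {kvnos}; the keytab spans a password change")
    return entries, findings


def _entry(realm, comps, kvno, enctype, key):
    """Build one keytab entry (used only to construct the sample below)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: what ktpass with the default /crypto All can leave you with for
# HTTP/lbvs.aaa.local, an AES256 key and an RC4 key for the same kvno.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry(b"AAA.LOCAL", [b"HTTP", b"lbvs.aaa.local"], 3, 18, b"\x11" * 32)
    + _entry(b"AAA.LOCAL", [b"HTTP", b"lbvs.aaa.local"], 3, 23, b"\x22" * 16)
)

if __name__ == "__main__":
    entries, findings = audit_keytab(SAMPLE_KEYTAB, "HTTP/lbvs.aaa.local", "AAA.LOCAL")
    for e in entries:
        print(f"{e.principal}  kvno={e.kvno}  {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for f in findings:
        print("WARNING:", f)
```

The kvno check matters because ktpass /pass resets the account password: a keytab cut before that reset no longer matches the KDC, and a keytab that mixes two kvnos for the same principal is a sign that two ktpass runs were concatenated.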