Negotiate authentication policies

December 13, 2018

| Contributed by:

As with other types of authentication policies, a Negotiate authentication policy is comprised of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy.

In addition to standard authentication functions, the Negotiate Action command can now extract user information from a keytab file instead of requiring you to enter that information manually. If a keytab has more than one SPN, AAA selects the correct SPN. You can configure this feature at the command line, or by using the configuration utility.

Note: These instructions assume that you are already familiar with the LDAP protocol and have already configured your chosen LDAP authentication server.

To configure AAA to extract user information from a keytab file by using the command line interface

At the command prompt, type the appropriate command:

add authentication negotiateAction <name> [-keytab <string>]
set authentication negotiateAction <name> [-keytab <string>]

Example

> set authentication negotiateAction negotiateAction-1 -keytab keytab-1

To configure AAA to extract user information from a keytab file by using the configuration utility

Note

In the configuration utility, the term server is used instead of action, but refers to the same task.

Navigate to Security > AAA - Application Traffic > Policies > Negotiate.
In the details pane, on the Servers tab, do one of the following:
- If you want to create a new Negotiate action, click Add.
- If you want to modify an existing Negotiate action, in the data pane select the action, and then click Edit.
If you are creating a new Negotiate action, in the Name text box, type a name for your new action. The name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters. If you are modifying an existing Negotiate action, skip this step. The name is read-only; you cannot change it.
Under Negotiate, if the Use Keytab file check box is not already checked, check it.
In the Keytab file path text box, type the full path and filename of the keytab file that you want to use.
In the Default authentication group text box, type the authentication group that you want to set as default for this user.
Click Create or OK to save your changes.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Support: https://www.citrix.com/support

Feedback and forums: https://discussions.citrix.com

Version

Negotiate authentication policies

Negotiate authentication policies

To configure AAA to extract user information from a keytab file by using the command line interface

To configure AAA to extract user information from a keytab file by using the configuration utility

Negotiate authentication policies

In this article