Product Documentation
Download:PDFPRINT

Configuring Kerberos Authentication on the NetScaler Appliance

Oct 26, 2015

This topic provides the detailed steps to configure Kerberos authentication on the NetScaler by using the CLI and the GUI.

Configuring Kerberos authentication on the NetScaler CLI

  1. Enable the AAA feature to ensure the authentication of traffic on the appliance.

    ns-cli-prompt> enable ns feature AAA

  2. Add the keytab file to the NetScaler appliance. A keytab file is necessary for decrypting the secret received from the client during Kerberos authentication. A single keytab file contains authentication details for all the services that are bound to the traffic management virtual server on the NetScaler.

    First generate the keytab file on the Active Directory server and then transfer it to the NetScaler appliance.

    1. Log on to the Active Directory server and add a user for Kerberos authentication. For example, to add a user named "Kerb-SVC-Account":

      net user Kerb-SVC-Account freebsd!@#456 /add

      Note: In the User Properties section, ensure that the "Change password at next logon option" is not selected and the "Password does not expire" option is selected.

    2. Map the HTTP service to the above user and export the keytab file. For example, run the following command on the Active Directory server:

      ktpass /out keytabfile /princ HTTP/owa.newacp.com@NEWACP.COM /pass freebsd!@#456 /mapuser newacp\dummy /ptype KRB5_NT_PRINCIPAL

      Note: You can map more than one service if authentication is required for more than one service. If you want to map more services, repeat the above command for every service. You can give the same name or different names for the output file.

    3. Transfer the keytab file to the NetScaler by using the unix ftp command or any other file transfer utility of your choice.

    4. Log on to the NetScaler appliance, and run the ktutil utility to verify the keytab file. The keytab file has an entry for the HTTP service after it is imported.

      The kutil interactions are as follows:

      root@ns# ktutil
      ktutil: rkt /var/keytabfile
      ktutil: list

      slot KVNO Principal
      --------------------------------------------------------------------


      ktutil: wkt /etc/ krb5.keytab
      ktutil: list

      slot KVNO Principal
      ---- ---- ----------------------------------------------------------------
      1 2 HTTP/owa.newacp.com@NEWACP.COM

      ktutil: quit
       
  3. The NetScaler must obtain the IP address of the domain controller from the fully qualified domain name (FQDN). Therefore, Citrix recommends configuring the NetScaler with a DNS server.

    ns-cli-prompt> add dns nameserver <ip-address>

    Note: Alternatively, you can add static host entries or use any other means so that the NetScaler can resolve the FQDN name of the domain controller to an IP address.

  4. Configure the authentication action and then associate it to an authentication policy.

    1. Configure the negotiate action.

      ns-cli-prompt> add authentication negotiateAction <name> -domain <domainName> -domainUser <domainUsername> -domainUserPasswd <domainUserPassword>

    2. Configure the negotiate policy and associate the negotiate action to this policy.

      ns-cli-prompt> add authentication negotiatePolicy <name> <rule> <reqAction>

  5. Create an authentication virtual server and associate the negotiate policy with it.

    1. Create an authentication virtual server.

      ns-cli-prompt> add authentication vserver <name> SSL <ipAuthVserver> 443 -authenticationDomain <domainName>

    2. Bind the negotiate policy to the authentication virtual server.

      ns-cli-prompt> bind authentication vserver <name> -policy <negotiatePolicyName>

  6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.

    ns-cli-prompt> set lb vserver <name> -authn401 ON -authnVsName <string>

    Note: Similar configurations can also be done on the content switching virtual server.

  7. Verify the configurations by doing the following:

    1. Access the traffic management virtual server, using the FQDN. For example, http://owa.newacp.com.

    2. View the details of the session on the NetScaler CLI.

      ns-cli-prompt> show aaa session

Configuring Kerberos authentication on the NetScaler GUI

  1. Enable the AAA feature.

    Navigate to System > Settings, click Configure Basic Features and enable the AAA feature. 

  2. Add the keytab file as detailed in step 2 of the CLI procedure mentioned above.

  3. Add a DNS server.

    Navigate to Traffic Management > DNS > Name Servers, and specify the IP address for the DNS server.

  4. Configure the Negotiate action and policy.

    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with Negotiate as the action type.

  5. Bind the negotiate policy to the authentication virtual server.

    Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the Negotiate policy with the authentication virtual server.

  6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.

    Navigate to Traffic Management > Load Balancing > Virtual Servers, and specify the relevant authentication settings.

    Note: Similar configurations can also be done on the content switching virtual server.

  7. Verify the configurations as detailed in step 7 of the CLI procedure mentioned above.