Configuring Kerberos authentication on the NetScaler appliance
This topic provides the detailed steps to configure Kerberos authentication on the NetScaler appliance by using the CLI and the GUI.
Configuring Kerberos authentication on the CLI
1. Enable the AAA feature to ensure the authentication of traffic on the appliance.
   ns-cli-prompt> enable ns feature AAA
2. Add the keytab file to the NetScaler appliance. A keytab file is necessary for decrypting the secret received from the client during Kerberos authentication. A single keytab file contains authentication details for all the services that are bound to the traffic management virtual server on the NetScaler appliance.
   First generate the keytab file on the Active Directory server and then transfer it to the NetScaler appliance.
   - Log on to the Active Directory server and add a user for Kerberos authentication. For example, to add a user named “Kerb-SVC-Account”:
     net user Kerb-SVC-Account freebsd!@#456 /add
     Note: In the User Properties section, ensure that the “Change password at next logon” option is not selected and the “Password does not expire” option is selected.
   - Map the HTTP service to the above user and export the keytab file. For example, run the following command on the Active Directory server:
     ktpass /out keytabfile /princ HTTP/owa.newacp.com@NEWACP.COM /pass freebsd!@#456 /mapuser newacp\dummy /ptype KRB5_NT_PRINCIPAL
     Note: You can map more than one service if authentication is required for more than one service. If you want to map more services, repeat the above command for every service. You can give the same name or different names for the output file.
   - Transfer the keytab file to the NetScaler appliance by using the Unix ftp command or any other file transfer utility of your choice.
   - Log on to the NetScaler appliance, and run the ktutil utility to verify the keytab file. The keytab file has an entry for the HTTP service after it is imported.
     The ktutil interactions are as follows:
     root@ns# ktutil
     ktutil: rkt /var/keytabfile
     ktutil: list
     slot KVNO Principal
     ---- ---- ---------------------------------------------------------------------
     ktutil: wkt /etc/krb5.keytab
     ktutil: list
     slot KVNO Principal
     ---- ---- ---------------------------------------------------------------------
     1 2 HTTP/owa.newacp.com@NEWACP.COM
     ktutil: quit
3. The NetScaler appliance must obtain the IP address of the domain controller from the fully qualified domain name (FQDN). Therefore, Citrix recommends configuring the NetScaler appliance with a DNS server.
   ns-cli-prompt> add dns nameserver <ip-address>
   Note: Alternatively, you can add static host entries or use any other means so that the NetScaler appliance can resolve the FQDN name of the domain controller to an IP address.
4. Configure the authentication action and then associate it to an authentication policy.
   - Configure the negotiate action.
     ns-cli-prompt> add authentication negotiateAction <name> -domain <domainName> -domainUser <domainUsername> -domainUserPasswd <domainUserPassword>
   - Configure the negotiate policy and associate the negotiate action to this policy.
     ns-cli-prompt> add authentication negotiatePolicy <name> <rule> <reqAction>
5. Create an authentication virtual server and associate the negotiate policy with it.
   - Create an authentication virtual server.
     ns-cli-prompt> add authentication vserver <name> SSL <ipAuthVserver> 443 -authenticationDomain <domainName>
   - Bind the negotiate policy to the authentication virtual server.
     ns-cli-prompt> bind authentication vserver <name> -policy <negotiatePolicyName>
6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.
   ns-cli-prompt> set lb vserver <name> -authn401 ON -authnVsName <string>
   Note: Similar configurations can also be done on the content switching virtual server.
7. Verify the configurations by doing the following:
   - Access the traffic management virtual server, using the FQDN. For example, Sample
   - View the details of the session on the CLI.
     ns-cli-prompt> show aaa session
Configuring Kerberos authentication on the GUI
1. Enable the AAA feature.
   Navigate to System > Settings, click Configure Basic Features and enable the AAA feature.
2. Add the keytab file as detailed in step 2 of the CLI procedure mentioned above.
3. Add a DNS server.
   Navigate to Traffic Management > DNS > Name Servers, and specify the IP address for the DNS server.
4. Configure the Negotiate action and policy.
   Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with Negotiate as the action type.
5. Bind the negotiate policy to the authentication virtual server.
   Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the Negotiate policy with the authentication virtual server.
6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.
   Navigate to Traffic Management > Load Balancing > Virtual Servers, and specify the relevant authentication settings.
   Note: Similar configurations can also be done on the content switching virtual server.
7. Verify the configurations as detailed in step 7 of the CLI procedure mentioned above.