- How NetScaler Implements Kerberos for Client Authentication
- Configuring Kerberos Authentication on the NetScaler Appliance
- Configuring Kerberos Authentication on a Client
- Offloading Kerberos Authentication from Physical Servers
NetScaler handles the components involved in Kerberos authentication in the following way:
Key Distribution Center (KDC)
On Windows 2000 Server and later versions, the Domain Controller and the KDC are part of the Windows Server. If the Windows Server is up and running, the Domain Controller and KDC are configured. The KDC is also the Active Directory server.
Authentication Service and Protocol Negotiation
A NetScaler appliance supports Kerberos authentication on the AAA-TM authentication virtual servers. If Kerberos authentication fails, the NetScaler falls back to NTLM authentication.
By default, Windows 2000 Server and later Windows Server versions use Kerberos for AAA. If you create an authentication policy with NEGOTIATE as the authentication type, the NetScaler attempts to use the Kerberos protocol for AAA; if the client's browser fails to receive a Kerberos ticket, the NetScaler falls back to NTLM authentication. This process is referred to as negotiation.
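To make the negotiation described above concrete, here is an added example that is not part of the NetScaler documentation: it classifies a browser's HTTP Authorization header as Kerberos or NTLM by inspecting the SPNEGO mechTypes list, which lets a defender tell from captured headers or access logs whether clients are actually falling back to NTLM. The sample tokens are constructed inline; the OIDs are the standard GSS-API/SPNEGO values.

```python
import base64

# DER-encoded OIDs that appear in GSS-API / SPNEGO tokens (RFC 4178, RFC 4121).
SPNEGO_OID = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")         # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")      # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5_OID: "kerberos", MS_KRB5_OID: "kerberos", NTLMSSP_OID: "ntlm"}


def classify_negotiate_token(header_value: str) -> str:
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value
    sent by a Negotiate-capable browser (e.g. 'Negotiate YIIB...')."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return "unknown"
    if scheme.lower() == "ntlm" or token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # raw NTLMSSP message, no SPNEGO wrapper at all
    if scheme.lower() != "negotiate" or not token.startswith(b"\x60"):
        return "unknown"
    start = token.find(SPNEGO_OID)
    if start < 0:
        # A bare Kerberos InitialContextToken carries the krb5 OID right after the tag.
        return "kerberos" if any(o in token[:16] for o in (KRB5_OID, MS_KRB5_OID)) else "unknown"
    # In NegTokenInit the mechTypes list precedes mechToken, so the earliest
    # mechanism OID after the SPNEGO OID is the mechanism the client chose.
    hits = {token.find(oid, start): name for oid, name in MECHS.items() if oid in token[start:]}
    return hits[min(hits)] if hits else "unknown"


def _der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128  # short-form length is enough for these small samples
    return bytes([tag, len(body)]) + body


def build_spnego_init(mech_oids: list) -> str:
    """Constructed sample: a NegTokenInit that carries only a mechTypes list."""
    mech_types = _der(0xA0, _der(0x30, b"".join(mech_oids)))  # [0] SEQUENCE OF OID
    neg_token_init = _der(0xA0, _der(0x30, mech_types))       # CHOICE [0] NegTokenInit
    return "Negotiate " + base64.b64encode(_der(0x60, SPNEGO_OID + neg_token_init)).decode()


# Constructed samples: a client holding a ticket lists Kerberos first; a client
# that could not get one offers only NTLMSSP, which is the fallback described above.
KERBEROS_CLIENT = build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])
FALLBACK_CLIENT = build_spnego_init([NTLMSSP_OID])
RAW_NTLM_CLIENT = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for label, hdr in [("ticket ok", KERBEROS_CLIENT), ("fallback", FALLBACK_CLIENT), ("raw ntlm", RAW_NTLM_CLIENT)]:
        print(f"{label:10} -> {classify_negotiate_token(hdr)}")
```

A rising share of "ntlm" results in front-end logs usually means clients cannot reach the KDC or lack a valid SPN for the virtual server, not a NetScaler fault.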
For Kerberos/NTLM authentication, the NetScaler does not use data stored locally on the NetScaler appliance.
The traffic management virtual server can be a load balancing virtual server or a content switching virtual server.
The NetScaler appliance supports auditing of Kerberos authentication with the following audit logging:
Kerberos authentication does not require any specific environment on the NetScaler. The client (browser) must support Kerberos authentication.
In a high availability setup, only the active NetScaler joins the domain. On failover, the NetScaler lwagent daemon joins the secondary NetScaler appliance to the domain. No specific configuration is required for this functionality.
Kerberos Authentication Process
The following figure shows a typical process for Kerberos authentication in the NetScaler environment.
Kerberos authentication occurs in the following stages:
- The client authenticates itself to the KDC.
- The client requests a service.
- The NetScaler completes the authentication.