Offloading Kerberos authentication from physical servers
The NetScaler appliance can offload authentication tasks from servers. Instead of the physical servers authenticating the requests from clients, the NetScaler appliance authenticates all the client requests before it forwards them to any of the physical servers bound to it. The user authentication is based on Active Directory tokens.
There is no authentication between the NetScaler appliance and the physical server, and the authentication offload is transparent to the end users. After the initial logon to a Windows computer, the end user does not have to enter any additional authentication information in a pop-up or on a logon page.
In the current NetScaler appliance release, Kerberos authentication is available only for AAA traffic management virtual servers. Kerberos authentication is not supported for SSL VPN in the Citrix Gateway Enterprise Edition appliance or for NetScaler appliance management.
Kerberos authentication requires configuration on the NetScaler appliance and on client browsers.
To configure Kerberos authentication on the NetScaler appliance
Create a user account on Active Directory. When creating a user account, verify the following options in the User Properties section:
- Make sure that you do not select the Change password at next logon option.
- Be sure to select the Password does not expire option.
On the AD server, at the CLI command prompt, type:
- ktpass -princ HTTPemail@example.com -ptype KRB5_NT_PRINCIPAL -mapuser firstname.lastname@example.org -mapop set -pass Citrix1 -out C:\kerbtabfile.txt
Be sure to type the above command on a single line. The output of the above command is written into the C:\kerbtabfile.txt file.
Upload the kerbtabfile.txt file to the /etc directory of the NetScaler appliance by using a Secure Copy (SCP) client.
Run the following command to add a DNS server to the NetScaler appliance.
- add dns nameserver 126.96.36.199
The NetScaler appliance cannot process Kerberos requests without the DNS server. Be sure to use the same DNS server that is used in the Microsoft Windows domain.
Switch to the shell prompt and run the following commands from the shell prompt:
ktutil # rkt /etc/kerbtabfile.txt
# wkt /etc/krb5.keytab
The list command displays the user account details that you created in the Active Directory. A sample screen of the output of the list command is shown below.
Figure 1. Sample Output of the list Command
Switch to the command line interface of NetScaler appliance.
Run the following command to create a Kerberos authentication server:
- add authentication negotiateAction KerberosServer -domain “crete.lab.net” -domainUser kerbuser -domainUserPasswd Citrix1
Run the following command to create a negotiation policy:
add authentication negotiatePolicy Kerberos-Policy "REQ.IP.DESTIP == 192.168.17.200" KerberosServer
Run the following command to create an authentication virtual server.
add authentication vserver Kerb-Auth SSL 192.168.17.201 443 -AuthenticationDomain crete.example.com
Run the following command to bind the Kerberos policy to the authentication virtual server:
bind authentication vserver Kerb-Auth -policy Kerberos-Policy -priority 100
Run the following command to bind an SSL certificate to the authentication virtual server. You can use one of the test certificates, which you can install from the GUI NetScaler appliance. Run the following command to use the ServerTestCert sample certificate.
bind ssl vserver Kerb-Auth -certkeyName ServerTestCert
Create an HTTP load balancing virtual server with the IP address, 192.168.17.200.
Ensure that you create a virtual server from the command line interface for NetScaler 9.3 releases if they are older than 188.8.131.52.
Run the following command to configure an authentication virtual server:
set lb vserver <name>-authn401 ON -authnVsName Kerb-Auth
Enter the host name Example in the address bar of the Web browser.
The Web browser displays an authentication dialog box because the Kerberos authentication is not set up in the browser.
Kerberos authentication requires a specific configuration on the client. Ensure that the client can resolve the hostname, which results in the Web browser connecting to an HTTP virtual server.
Configure Kerberos on the Web browser of the client computer.
- For configuring on Internet Explorer, see Configuring Internet Explorer for Kerberos authentication.
- For configuring on Mozilla Firefox, see Configuring Internet Explorer for Kerberos authentication.
Verify whether you can access the backend physical server without authentication.
To configure Internet Explorer for Kerberos authentication
- Select Internet Options from the Tools menu.
- Activate the Security tab.
- Select Local Intranet from the Select a zone to view change security settings section.
- Click Sites.
- Click Advanced.
- Specify the URL, Example and click Add.
- Restart Internet Explorer.
To configure Mozilla Firefox for Kerberos authentication
- Enter about:config in the address bar of the browser.
- Click the warning disclaimer.
- Type Network.Negotiate-auth.trusted-uris in the Filter box.
Double click Network.Negotiate-auth.trusted-uris. A sample screen is shown below.
- In the Enter String Value dialog box, specify www.crete.example.com.
- Restart Firefox.