Product Documentation

An Overview of NetScaler Kerberos SSO

Oct 14, 2013

To use the NetScaler Kerberos SSO feature does, users first authenticate with Kerberos or a supported third-party authentication server. Once authenticated, the user requests access to a protected web application. The web server responds with a request for proof that the user is authorized to access that web application. The user’s browser contacts the Kerberos server, which verifies that the user is authorized to access that resource, and then provides the user’s browser with a service ticket that provides proof. The browser resends the user’s request to the web application server with the service ticket attached. The web application server verifies the service ticket, and then allows the user to access the application.

AAA-TM implements this process as shown in the following diagram. The diagram illustrates the flow of information through the NetScaler appliance and AAA-TM, on a secure network with LDAP authentication and Kerberos authorization. AAA-TM environments that use other types of authentication have essentially the same information flow, although they might differ in some details.

Figure 1. A Secure Network with LDAP and Kerberos

A Secure Network with LDAP and Kerberos

NetScaler AAA-TM authentication and authorization in a Kerberos environment requires that the following actions take place.

  1. The client sends a request for a resource to the traffic management virtual server on the NetScaler appliance.
  2. The traffic management virtual server passes the request to the authentication virtual server, which authenticates the client and then passes the request back to the traffic management virtual server.
  3. The traffic management virtual server sends the client’s request to the web application server.
  4. The web application server responds to the traffic management virtual server with a 401 Unauthorized message that requests Kerberos authentication, with fallback to NTLM authentication if the client does not support Kerberos.
  5. The traffic management virtual server contacts the Kerberos SSO daemon.
  6. The Kerberos SSO daemon contacts the Kerberos server and obtains a ticket-granting ticket (TGT) allowing it to request service tickets authorizing access to protected applications.
  7. The Kerberos SSO daemon obtains a service ticket for the user and sends that ticket to the traffic management virtual server.
  8. The traffic management virtual server attaches the ticket to the user’s initial request and sends the modified request back to the web application server.
  9. The web application server responds with a 200 OK message.

These steps are transparent to the client, which just sends a request and receives the requested resource.

Integration of NetScaler Kerberos SSO with Authentication Methods

All AAA-TM authentication mechanisms support NetScaler Kerberos SSO. AAA-TM supports the Kerberos SSO mechanism with the Kerberos, CAC (Smart Card) and SAML authentication mechanisms with any form of client authentication to the NetScaler appliance. It also supports the HTTP-Basic, HTTP-Digest, Forms-based, and NTLM (versions 1 and 2) SSO mechanisms if the client uses either HTTP-Basic or Forms-Based authentication to log on to the NetScaler appliance.

The following table shows each supported client-side authentication method, and the supported server-side authentication method for that client-side method.

       
  Basic/Digest/NTLM Kerberos Constrained Delegation User Impersonation
CAC (Smart Card): at SSL/TLS Layer   X X
Forms-Based (LDAP/RADIUS/TACACS) X X X
HTTP Basic (LDAP/RADIUS/TACACS) X X X
Kerberos   X  
NTLM v1/v2   X X
SAML   X  
SAML Two-Factor X X X
Certificate Two-Factor X X X

Table 1. Supported Authentication Methods