Product Documentation

Negotiate Authentication Policies

Aug 31, 2016

As with other types of authentication policies, a Negotiate authentication policy is comprised of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy.

In addition to standard authentication functions, the Negotiate Action command can now extract user information from a keytab file instead of requiring you to enter that information manually. If a keytab has more than one SPN, AAA selects the correct SPN. You can configure this feature at the NetScaler command line, or by using the configuration utility.

Note: These instructions assume that you are already familiar with the LDAP protocol and have already configured your chosen LDAP authentication server.

To configure AAA to extract user information from a keytab file by using the command line interface

At the command prompt, type the appropriate command:

  • add authentication negotiateAction <name> [-keytab <string>]
  • set authentication negotiateAction <name> [-keytab <string>]


> set authentication negotiateAction negotiateAction-1 -keytab keytab-1

To configure AAA to extract user information from a keytab file by using the configuration utility

Note: In the configuration utility, the term server is used instead of action, but refers to the same task.
  1. Navigate to Security > AAA - Application Traffic > Policies > Negotiate.
  2. In the details pane, on the Servers tab, do one of the following:
    • If you want to create a new Negotiate action, click Add.
    • If you want to modify an existing Negotiate action, in the data pane select the action, and then click Edit.
  3. If you are creating a new Negotiate action, in the Name text box, type a name for your new action. The name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters. If you are modifying an existing Negotiate action, skip this step. The name is read-only; you cannot change it.
  4. Under Negotiate, if the Use Keytab file check box is not already checked, check it.
  5. In the Keytab file path text box, type the full path and filename of the keytab file that you want to use.
  6. In the Default authentication group text box, type the authentication group that you want to set as default for this user.
  7. Click Create or OK to save your changes.