- How NetScaler Implements Kerberos Authentication
- Configuring Kerberos Authentication on the NetScaler Appliance
- Configuring Kerberos Authentication on a Client
- Offloading Kerberos Authentication from Physical Servers
The NetScaler appliance can offload authentication tasks from servers. Instead of the physical servers authenticating the requests from clients, the Netscaler authenticates all the client requests before it forwards them to any of the physical servers bound to it. The user authentication is based on Active Directory tokens.
There is no authentication between the NetScaler and the physical server, and the authentication offload is transparent to the end users. After the initial logon to a Windows computer, the end user does not have to enter any additional authentication information in a pop-up or on a logon page.
In the current NetScaler release, Kerberos authentication is available only for Authentication, Authorization, and Auditing (AAA) Traffic Management Virtual Servers. Kerberos authentication is not supported for SSL VPN in the NetScaler Gateway Enterprise Edition appliance or for NetScaler appliance management.
Kerberos authentication requires configuration on the NetScaler appliance and on client browsers.
The NetScaler appliance cannot process Kerberos requests without the DNS server. Be sure to use the same DNS server that is used in the Microsoft Windows domain.
The list command displays the user account details that you created in the Active Directory. A sample screen of the output of the list command is shown below.
Ensure that you create a virtual server from the command line interface for NetScaler 9.3 releases if they are older than 188.8.131.52.
The Web browser displays an authentication dialog box because the Kerberos authentication is not set up in the browser.