To use the NetScaler Kerberos SSO feature, users first authenticate with Kerberos or a supported third-party authentication server. Once authenticated, the user requests access to a protected web application. The web server responds with a request for proof that the user is authorized to access that web application. The user's browser contacts the Kerberos server, which verifies that the user is authorized to access that resource and then provides the browser with a service ticket as that proof. The browser resends the request to the web application server with the service ticket attached. The web application server verifies the service ticket and then allows the user to access the application.
AAA-TM implements this process as shown in the following diagram. The diagram illustrates the flow of information through the NetScaler appliance and AAA-TM, on a secure network with LDAP authentication and Kerberos authorization. AAA-TM environments that use other types of authentication have essentially the same information flow, although they might differ in some details.
NetScaler AAA-TM authentication and authorization in a Kerberos environment requires that the following actions take place.
These steps are transparent to the client, which just sends a request and receives the requested resource.
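The information flow described above, as an added toy model that is not Citrix's code: the client authenticates to a proxy (stand-in for the NetScaler AAA-TM virtual server) with a password, the proxy fetches a service ticket for that user from a toy KDC when the back end challenges with `Negotiate`, and the client sees only the final response. Tickets are HMAC-sealed JSON rather than real Kerberos encryption, and the service key, user directory and SPN are constructed values (assumptions).

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-ins for the key a KDC shares with the web server and for the LDAP directory.
SERVICE_KEY = b"constructed-service-key"
USER_DB = {"alice": "Passw0rd!"}
SPN = "HTTP/app.example.test"
class KDC:
    """Issues a service ticket bound to a user, an SPN and an expiry (HMAC-sealed toy ticket)."""
    def issue_ticket(self, user, spn, lifetime=300):
        body = json.dumps({"user": user, "spn": spn, "exp": time.time() + lifetime}).encode()
        mac = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
        return base64.b64encode(body + mac).decode()
class WebServer:
    """Protected application: challenges with Negotiate, admits only a valid ticket for its SPN."""
    def handle(self, request):
        challenge = {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}, "body": ""}
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return challenge
        raw = base64.b64decode(auth.split(" ", 1)[1])
        body, mac = raw[:-32], raw[-32:]          # SHA-256 HMAC is the last 32 bytes
        if not hmac.compare_digest(hmac.new(SERVICE_KEY, body, hashlib.sha256).digest(), mac):
            return challenge
        ticket = json.loads(body)
        if ticket["spn"] != SPN or ticket["exp"] < time.time():
            return challenge                       # ticket for another service, or expired
        return {"status": 200, "headers": {}, "body": f"hello {ticket['user']}"}

class Proxy:
    """Stand-in for the NetScaler AAA-TM virtual server in front of the web server."""
    def __init__(self, kdc, backend):
        self.kdc, self.backend, self.sessions = kdc, backend, {}
    def login(self, user, password):
        """Client-side authentication (LDAP bind stand-in); returns a session token or None."""
        if USER_DB.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token
    def forward(self, session, request):
        """Relay the request; on a Negotiate challenge, fetch a ticket for the user and retry."""
        user = self.sessions.get(session)
        if user is None:
            return {"status": 401, "headers": {}, "body": "authenticate to the proxy first"}
        resp = self.backend.handle(request)
        if resp["status"] == 401 and resp["headers"].get("WWW-Authenticate") == "Negotiate":
            headers = {**request.get("headers", {}), "Authorization": "Negotiate " + self.kdc.issue_ticket(user, SPN)}
            resp = self.backend.handle({**request, "headers": headers})
        return resp  # the client sees only this final response; the ticket exchange was transparent
```

The back end never sees the user's password, only a ticket sealed for its own SPN, which is why a ticket minted for a different service or one that has expired is rejected with a fresh challenge.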
All AAA-TM authentication mechanisms support NetScaler Kerberos SSO. AAA-TM supports the Kerberos SSO mechanism with the Kerberos, CAC (Smart Card) and SAML authentication mechanisms, whatever form of client authentication is used to log on to the NetScaler appliance. It also supports the HTTP-Basic, HTTP-Digest, Forms-based and NTLM (versions 1 and 2) SSO mechanisms, but only if the client uses either HTTP-Basic or Forms-based authentication to log on to the NetScaler appliance.
The following table shows each supported client-side authentication method, and the supported server-side authentication method for that client-side method.
| Client-side authentication method | Basic/Digest/NTLM | Kerberos Constrained Delegation | User Impersonation |
|---|---|---|---|
| CAC (Smart Card): at SSL/TLS Layer | | X | X |
| HTTP Basic (LDAP/RADIUS/TACACS) | X | X | X |