Here are the key points you need to cover to configure your NetScaler for KCD (Kerberos Constrained Delegation) authentication. With KCD the user authenticates to the NetScaler (here with LDAP) and never presents a Kerberos ticket to it; the NetScaler, using a service account that is trusted for delegation, obtains a Kerberos service ticket on the user's behalf (S4U2Self, then S4U2Proxy) and uses that ticket for SSO to the backend server (e.g. a web server).
Prepare Netscaler and Service Account
Before starting, the following prerequisites must be in place:
- NTP: the NetScaler must synchronise its clock with the domain (the PDC emulator); Kerberos rejects tickets when clocks drift by more than the allowed skew (5 minutes by default)
- DNS: the NetScaler must resolve the domain controllers and the backend servers by name
- LDAP authentication must already be set up on an AAA vserver
- A KCD service account must be created (next section)
The service account is a normal AD user created with the usual Active Directory tools; it needs no extra rights or group membership. Once the user exists, register its SPN and generate the keytab file. The keytab is then uploaded to the NetScaler, which is the simplest way to set up KCD there.
The NetScaler can generate a script like the following (.bat) from its KCD account tab:
@echo off
set kcdusername=myusername
set kcdpassword=mypassword
echo %kcdusername%
rem /princ must carry the realm in upper case; /mapuser also sets the account's UPN and SPN.
rem Default key type is RC4-HMAC-NT; add /crypto All to write a key for every type the account supports.
ktpass -out c:\temp\my.keytab /princ HTTP/myservice.mydomain.local@MYDOMAIN.LOCAL /pass %kcdpassword% /mapuser MYDOMAIN\%kcdusername% /ptype KRB5_NT_PRINCIPAL
Run it from an elevated command prompt ("Run as administrator") on a domain controller, with an account that has the rights to modify the service account. Note that ktpass resets the account password to the one in the script, and that the script contains that password in clear text: delete it once the keytab is generated.
Directly after running the script you can check that the SPN is registered on the account (setspn -L MYDOMAIN\myusername).
On the second capture (the Delegation tab of the account), select "Trust this user for delegation to specified services only" with "Use any authentication protocol", and add the backend services: HTTP, and HOST only if you need it (HOST is clearly not mandatory if you only delegate to HTTP). "Use any authentication protocol" (protocol transition) is required because the user authenticates to the NetScaler with LDAP, not with Kerberos.
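The same account preparation done with the ActiveDirectory PowerShell module, as an added example that is not part of the original post: it creates the account, sets the delegation attributes the screenshot shows, and then checks the result before you move to the NetScaler. The account name svc_kcd, the OU, the domain mydomain.local and the backend host myserver are assumptions; the keytab itself is still produced by the ktpass script above.

```powershell
# Added example, not from the original post: KCD service account creation and
# delegation settings via the ActiveDirectory module, with a verification step.
# Account name, OU, domain and backend host are assumptions.
Import-Module ActiveDirectory

$Domain       = 'mydomain.local'
$SvcUser      = 'svc_kcd'                                   # KCD service account (assumed name)
$SvcOU        = 'OU=Service Accounts,DC=mydomain,DC=local'  # assumed OU
$NetScalerSpn = "HTTP/myservice.$Domain"                    # SPN the keytab is generated for
$BackendSpns  = @("HTTP/myserver.$Domain", 'HTTP/myserver') # services the NetScaler may delegate to

# 1. A plain user account: no group membership or extra rights are needed.
$Password = Read-Host -AsSecureString -Prompt "Password for $SvcUser"
New-ADUser -Name $SvcUser -SamAccountName $SvcUser -Path $SvcOU `
    -AccountPassword $Password -PasswordNeverExpires $true -Enabled $true

# 2. Now run the ktpass script from the post: /mapuser registers $NetScalerSpn on the
#    account and writes the keytab (ktpass also resets the password to the one in the script).

# 3. The Delegation tab: "Trust this user for delegation to specified services only".
#    msDS-AllowedToDelegateTo lists the backend SPNs; TrustedToAuthForDelegation is
#    "Use any authentication protocol" (protocol transition), required because the user
#    authenticates to the NetScaler with LDAP rather than Kerberos.
Set-ADUser -Identity $SvcUser -Add @{'msDS-AllowedToDelegateTo' = $BackendSpns}
Set-ADAccountControl -Identity $SvcUser -TrustedToAuthForDelegation $true

# 4. Verification. Every delegation target must also be an SPN that some account in the
#    domain actually holds (the backend computer account, or the application-pool service
#    account for IIS). A target nobody holds, or a request for an SPN outside this list
#    such as HTTP/<ip address>, fails at the S4U2Proxy step.
function Test-KcdAccount {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string]   $OwnSpn,
        [Parameter(Mandatory)] [string[]] $ExpectedBackendSpns
    )
    $u = Get-ADUser -Identity $Identity -Properties servicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        HasOwnSpn             = (@($u.servicePrincipalName) -contains $OwnSpn)
        ProtocolTransition    = [bool]$u.TrustedToAuthForDelegation
        AllBackendsAllowed    = @($ExpectedBackendSpns | Where-Object { $allowed -notcontains $_ }).Count -eq 0
        BackendSpnsRegistered = @($allowed | Where-Object {
            -not (Get-ADObject -LDAPFilter "(servicePrincipalName=$_)") }).Count -eq 0
    }
}

# All four fields should be True before you upload the keytab to the NetScaler.
Test-KcdAccount -Identity $SvcUser -OwnSpn $NetScalerSpn -ExpectedBackendSpns $BackendSpns
```

HasOwnSpn only becomes True after the ktpass script has run, since that is what registers the SPN; BackendSpnsRegistered is the check that catches the FQDN-versus-IP mistake described later in the post from the AD side, because an SPN built from an IP address is held by nobody.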
Setup KCD into the Netscaler
With the service account and its keytab ready, configure the AAA vserver on the NetScaler. The steps are:
1 – Add the KCD account to the NetScaler, uploading the keytab:
2 – Create a session policy (or Traffic policy bound globally) :
First, setup the profile :
Second, setup the policies :
3 – Configure your AAA vserver. In this example the same service account is also the LDAP bind account, so you only need to add your session profile. (Because the KCD account is trusted for delegation, a separate read-only bind account for LDAP is the safer choice.)
You can use the following expression to match the URL :
Third, configure your load balancing vserver.
There is not much to it (bind your AAA vserver to the LB vserver). The one thing to be careful about:
When you create the server, use the FQDN and not the IP address! The SPN the NetScaler requests on the user's behalf is built from the server name, so with an IP address it asks the KDC for HTTP/10.10.10.100, which is not in the delegation list, and you will be unable to connect to your backend server:
Tue Apr 28 08:37:29 2015 nskrb.c: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist
Tue Apr 28 08:37:30 2015 nskrb.c: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/10.10.10.100@MYDOMAIN.LOCAL, impersonate str NULL, deleg /var/krb/s4u_test_MYDOMAIN.LOCAL_myserver.mydomain.com_MYDOMAIN.LOCAL outcache /var/krb/tgs_test_MYDOMAIN.LOCAL_10.10.10.100_MYDOMAIN.LOCAL
Tue Apr 28 08:37:30 2015 nskrb.c: ns_kgetcred krb5_get_creds returned -1765328371
(-1765328371 is KRB5KDC_ERR_BADOPTION, the KDC's answer to an S4U2Proxy request for a service the account is not allowed to delegate to.)
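The whole NetScaler side of steps 1 to 3 as CLI commands, as an added configuration fragment that is not from the original post (the screenshots it replaces are not reproduced here). It uses the classic policy syntax of the 10.x/11.0 releases the post dates from; IP addresses, object names, the keytab path, the LDAP bind account and the ssoNameAttribute choice are assumptions to adapt to your environment.

```text
# Added example, not from the original post: NetScaler CLI for steps 1-3.
# Names, addresses and paths are assumptions.

# 1 - KCD account from the keytab generated by ktpass, copied to /nsconfig/krb/
add aaa kcdAccount kcd_svc -keytab "/nsconfig/krb/my.keytab"

# LDAP for primary authentication. The post reuses the KCD account as bind account;
# a dedicated read-only bind account is shown here instead. ssoNameAttribute gives
# the name the NetScaler impersonates in S4U2Self (assumed: the UPN).
add authentication ldapAction ldap_act -serverIP 10.10.10.10 -serverPort 636 -secType SSL -ldapBase "dc=mydomain,dc=local" -ldapBindDn "cn=svc_ldap,ou=Service Accounts,dc=mydomain,dc=local" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -ssoNameAttribute userPrincipalName
add authentication ldapPolicy ldap_pol ns_true ldap_act

# 2 - Session profile doing SSO through the KCD account, and the policy that applies it
add tm sessionAction sess_kcd -SSO ON -ssoCredential PRIMARY -kcdAccount kcd_svc
add tm sessionPolicy sess_kcd_pol ns_true sess_kcd

# Alternative to the session policy: a traffic policy scoped to a URL, bound to the LB vserver
add tm trafficAction traf_kcd -SSO ON -kcdAccount kcd_svc
add tm trafficPolicy traf_kcd_pol "HTTP.REQ.URL.PATH.STARTSWITH(\"/myapp\")" traf_kcd

# 3 - AAA vserver with LDAP and the session policy bound
add authentication vserver aaa_vs SSL 10.10.10.50 443
bind authentication vserver aaa_vs -policy ldap_pol -priority 100
bind authentication vserver aaa_vs -policy sess_kcd_pol -priority 100

# Load balancing. The backend server is defined by FQDN so that the SPN requested on the
# user's behalf is HTTP/myserver.mydomain.local, which is in the delegation list.
# "add server myserver 10.10.10.100" would produce HTTP/10.10.10.100 and the
# KRB5KDC_ERR_BADOPTION of the log extract above.
add server myserver.mydomain.local myserver.mydomain.local
add service svc_myserver myserver.mydomain.local HTTP 80
add lb vserver lb_myserver SSL 10.10.10.51 443
bind lb vserver lb_myserver svc_myserver
set lb vserver lb_myserver -Authentication ON -AuthenticationHost aaa.mydomain.local -authnVsName aaa_vs
# Only needed when the traffic policy is used instead of the session policy
bind lb vserver lb_myserver -policyName traf_kcd_pol -priority 100
```

Use either the session policy on the AAA vserver (SSO for everything behind it) or the traffic policy on the LB vserver (SSO only for the matching URLs), not both; the kcdAccount parameter is what turns the SSO into a Kerberos ticket request rather than a replay of the LDAP password.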
Two things to know when troubleshooting KCD on the NetScaler.
First, LDAP is the primary authentication, so troubleshoot it with this command in an SSH session on the active NetScaler (the file is a pipe: start the cat before the login attempt and watch the output while the user logs in):
shell
cat /tmp/aaad.debug
Second, if LDAP works but SSO does not happen as expected, try the following command; it is specific to Kerberos and shows the ns_kgetcred exchange like the extract above:
shell
cat /tmp/nskrb.debug