Kerberos Authentification with KCD

I will tried to give some key points that you must to accomplish to configure your Netscaler to provide KCS authentication. “Kerberos Constraint Delegation” authenticate your user using a service account to deliver TGT (Ticket-Granting Ticket). This TGT will be use for the SSO and to authenticate the user into the backend server (e.g. :  a web server).


 

Prepare Netscaler and Service Account

To start this configuration you need to achieve some prerequisites before :

  • NTP server must be set to synchronise time from the PDC
  • DNS resolution must be implement
  • LDAP authentication must be also setup on a AAA vserver
  • Create a KCD Service Account

You can create you Service Account like normal AD user using Active Directory tool, no need extra right. Once your user is setup, you must configure the SPN and generate the keytab file. This keytab file will be use to upload configuration to the Netscaler. This is the most simple way to setup KCD on the Netscaler.

Script like this (.bat) can be generate by the Netscaler in KCD tab :

@echo off
set kcdusername=myusername
set kcdpassword=mypassword
echo %kcdusername%
ktpass -out c:\temp\my.keytab /princ HTTP/myservice.mydomain.local /pass %kcdpassword% /mapuser MYDOMAIN\%kcdusername% /ptype KRB5_NT_PRINCIPAL

You must use “run as” CMD into your Domain Controller with sufficient right to launch it and set the service account.

You can check directly after running the script if the configuration is correct.

image009image008

On the second capture, you must add HOST and HTTP (host is clearly not mandatory if you use only HTTP).


 

Setup KCD into the Netscaler

After you configure the KCD account to your LDAP, you must configure the AAA vserver into your Netscaler. For this, you must follow this step :
1 – add KCD account to the Netscaler :

Screen Shot 2015-05-02 at 00.30.54

2 – Create a session policy (or Traffic policy bound globally) :

First, setup the profile :

Screen Shot 2015-05-02 at 00.33.08

Second, setup the policies :

Screen Shot 2015-05-02 at 00.33.24

3 – Configure your AAA vServer, in my example I using the same user for LDAP authentication. So you just need to add your Session profile.

Screen Shot 2015-05-02 at 00.36.57
4 – Traffic policies You must bind globally but be aware about priority and what you applied it, used regular expression !

Screen Shot 2015-05-02 at 00.39.55

Screen Shot 2015-05-02 at 00.41.03

 

You can use the following expression to match the URL :

HTTP.REQ.HOSTNAME.CONTAINS("myserver.mydomain.com")

 

Third configure your Loadbalancing Server

No much thing to know (bind to your vServer your AAA vserver). The only thing your need to be carreful :

When you create the server, used FQDN and don’t used IP address ! if not you can have this kind of problem and you will be unable to connect to your backend server :

Tue Apr 28 08:37:29 2015
nskrb.c[1239]: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist

Tue Apr 28 08:37:30 2015
nskrb.c[1299]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/10.10.10.100@MYDOMAIN.LOCAL, impersonate str NULL, deleg /var/krb/s4u_test_MYDOMAIN.LOCAL_myserver.mydomain.com_MYDOMAIN.LOCAL outcache /var/krb/tgs_test_MYDOMAIN.LOCAL_10.10.10.100_MYDOMAIN.LOCAL

Tue Apr 28 08:37:30 2015
nskrb.c[1301]: ns_kgetcred krb5_get_creds returned –1765328371

 


 

Troubleshooting

Two thing to know for troubleshoot KCD to the Netscaler.

First you will use LDAP authentication on primary authentication so you can troubleshoot it with this command (in SSH session on your active Netscaler) :

shell
cat /tmp/aaaa.debug

Second LDAP seems to be work but nothing happen like expect. Try this following command it is a special command to troubleshoot Kerberos :

shell
cat /tmp/nskrb.debug

Virtualization specialist (VMware, Citrix and NetApp), I also have strong expertise on Microsoft UC eco-system. I also work for several years with Veeam Backup and One. Finally, I have also very good expertise on workspace security, PKI and reverse proxy. Force of proposal within the customer’s infrastructure and datacenter, I realize consulting, pre-sales, architecture, migration plan and upsaling.