Netscaler ADC: Kerberos Authentication with KCD

I will try to give the key points you must get right to configure your Netscaler. KCD (Kerberos Constrained Delegation) lets the Netscaler authenticate the user itself (here with LDAP) and then use a service account, whose Kerberos key it holds in a keytab, to request a service ticket for the backend on the user's behalf (S4U2Self for the protocol transition, then S4U2Proxy for the constrained delegation). That ticket provides the SSO to the backend server (e.g. Exchange or a web server); the user never presents a Kerberos ticket to the Netscaler, so the service account's delegation rights are the security boundary and must be limited to the intended backend services.


Prepare Netscaler and Service Account

Before you start, the following prerequisites must be in place:

  • NTP must be configured so that the Netscaler clock is synchronised with the domain (Kerberos rejects tickets when the clock skew exceeds 5 minutes by default)
  • DNS resolution must be working on the Netscaler (the backend server will be defined by its FQDN)
  • LDAP authentication must already be set up on an AAA vserver
  • a KCD service account must exist in Active Directory

This service account must be configured correctly.

Create the service account like a normal user with the Active Directory tools, as a dedicated account used for nothing else. Once the account exists, register its SPN and generate a keytab file; the keytab is uploaded to the Netscaler when you create the KCD account there. This is the simplest way to set up KCD on the Netscaler.

A script like this (.bat) can be generated by the Netscaler in the KCD tab:

@echo off
rem Run from an elevated prompt on a domain controller (or a host with the AD tools) as an account with rights on the service account.
set kcdusername=myusername
set kcdpassword=mypassword
echo Generating keytab for %kcdusername%
rem /princ needs the realm in upper case. ktpass maps the principal to the account, RESETS the
rem account password to %kcdpassword% and writes the keytab. Always pass /crypto explicitly
rem (e.g. /crypto AES256-SHA1 where the domain supports it) rather than relying on the default key type.
ktpass /out c:\temp\my.keytab /princ HTTP/myservice.mydomain.local@MYDOMAIN.LOCAL /pass %kcdpassword% /mapuser MYDOMAIN\%kcdusername% /ptype KRB5_NT_PRINCIPAL

Run this script from a command prompt on your domain controller (or a host with the AD tools) as an account with sufficient rights to modify the service account. Be aware that ktpass resets the account password to the value in the script, that the script holds that password in clear text, and that the keytab contains the account's long-term key: protect both files and delete them once the keytab is on the Netscaler.

You can check immediately afterwards that the account is configured correctly:

[screenshots image009 and image008: the service account's properties and its Delegation tab]

On the second capture (the Delegation tab), select delegation to specified services only together with "Use any authentication protocol" (protocol transition, which KCD needs because the user authenticates to the Netscaler with LDAP rather than with a Kerberos ticket), then add the backend's HTTP service, and HOST if you need it (HOST is clearly not mandatory if you only use HTTP). Never select unconstrained delegation: the list of services on this tab is what limits which servers the service account can impersonate users to.


Setup KCD on the Netscaler

Once the KCD account is ready in Active Directory, configure the AAA vserver. Follow these steps:
1 – Add the KCD account to the Netscaler (uploading the keytab generated above)

[screenshot 2015-05-02 00.30.54: KCD account]

2 – Create a session policy (or a traffic policy bound globally)

First, set up the session profile (SSO enabled, with the KCD account selected):

[screenshot 2015-05-02 00.33.08: session profile]

Second, set up the policy:

[screenshot 2015-05-02 00.33.24: session policy]

3 – Configure your AAA vserver; in my example I use the same one as for LDAP authentication, so you just need to bind your session policy (with its profile) to it.

[screenshot 2015-05-02 00.36.57: AAA vserver with the session policy bound]
4 – Traffic policies must be bound globally, so be careful about their priority and about what they apply to: scope the rule with an expression so that SSO is only attempted for the intended backend!

[screenshot 2015-05-02 00.39.55: traffic policy]

[screenshot 2015-05-02 00.41.03: traffic policy]

You can use the following expression to match the host name:

HTTP.REQ.HOSTNAME.CONTAINS("myserver.mydomain.com")

Finally, configure your load-balancing vserver

Not much to know here (bind your AAA vserver to the load-balancing vserver). The one thing you must be careful about:

When you create the server object, use its FQDN, not its IP address! The Netscaler builds the backend SPN from the server address, so with an IP it asks the KDC for HTTP/10.10.10.100, which is not in the account's delegation list, and users cannot reach the backend after LDAP authentication. You then see this kind of error:

Tue Apr 28 08:37:29 2015
nskrb.c[1239]: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist

Tue Apr 28 08:37:30 2015
nskrb.c[1299]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/10.10.10.100@MYDOMAIN.LOCAL, impersonate str NULL, deleg /var/krb/s4u_test_MYDOMAIN.LOCAL_myserver.mydomain.com_MYDOMAIN.LOCAL outcache /var/krb/tgs_test_MYDOMAIN.LOCAL_10.10.10.100_MYDOMAIN.LOCAL

Tue Apr 28 08:37:30 2015
nskrb.c[1301]: ns_kgetcred krb5_get_creds returned -1765328371

The return code -1765328371 is ERROR_TABLE_BASE_krb5 (-1765328384) plus 13, i.e. KRB5KDC_ERR_BADOPTION: the KDC refuses the S4U2Proxy request because HTTP/10.10.10.100 is not one of the services the account is allowed to delegate to. You get the same code when "Use any authentication protocol" is missing on the account, so check the Delegation tab as well as the server definition.
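As an added example (not code from the original post or from Citrix), the following POSIX sh script emits the Netscaler CLI batch file equivalent to steps 1 to 4 and the load-balancing objects above, and refuses to generate it when the backend is given as an IP address, which is exactly the mistake behind the log above. The object names (kcd_*, sess_*, pol_*, trf_*, srv_*, svc_*, lb_*), the priority 100, the VIP 10.10.10.50, the AAA vserver name aaa_vs, its FQDN aaa.mydomain.com and the keytab path /nsconfig/krb/my.keytab are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Citrix: generate the Netscaler
# CLI batch file that matches steps 1 to 4 and the load-balancing objects, and refuse
# a backend given as an IP address. Object names, priorities, the VIP, the keytab path
# and the AAA vserver FQDN are assumptions for the example.
# Usage (after scp of the keytab to /nsconfig/krb/ on the Netscaler):
#   sh kcd_config.sh myserver.mydomain.com aaa_vs aaa.mydomain.com \
#       kcd_myservice /nsconfig/krb/my.keytab 10.10.10.50 > /var/tmp/kcd.conf
#   then, in the Netscaler CLI:  batch -fileName /var/tmp/kcd.conf

# is_fqdn <name>: true for a dotted host name, false for a dotted-quad IP or a bare label.
is_fqdn() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    if printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
        return 1
    fi
    return 0
}

# kcd_config <backend-fqdn> <aaa-vserver> <aaa-fqdn> <kcd-account> <keytab> <vip>
# Prints the configuration on stdout. Prints nothing and returns 1 for an IP backend:
# the Netscaler derives the backend SPN (HTTP/<server address>) from the server object,
# and HTTP/10.10.10.100 is never on the account's delegation list, so KCD would fail
# with KRB5KDC_ERR_BADOPTION as in the log above.
kcd_config() {
    backend=$1; aaavs=$2; aaafqdn=$3; kcd=$4; keytab=$5; vip=$6
    if ! is_fqdn "$backend"; then
        printf 'refusing backend %s: define the server by FQDN, not by IP\n' "$backend" >&2
        return 1
    fi
    # 1 - KCD account; the keytab holds the service account's long-term key
    printf '%s\n' "add aaa kcdAccount $kcd -keytab $keytab"
    # 2 and 3 - session profile with SSO through the KCD account, bound to the AAA vserver
    #   (ns_true is the classic rule of the 10.x/11.x builds of this post's era)
    printf '%s\n' "add tm sessionAction sess_$kcd -SSO ON -kcdAccount $kcd"
    printf '%s\n' "add tm sessionPolicy pol_sess_$kcd ns_true sess_$kcd"
    printf '%s\n' "bind authentication vserver $aaavs -policy pol_sess_$kcd -priority 100"
    # 4 - traffic policy bound globally, scoped to the backend host name so that the
    #     global binding does not attempt KCD SSO for every site behind this Netscaler
    printf '%s\n' "add tm trafficAction trf_$kcd -SSO ON -kcdAccount $kcd"
    printf '%s\n' "add tm trafficPolicy pol_trf_$kcd \"HTTP.REQ.HOSTNAME.CONTAINS(\\\"$backend\\\")\" trf_$kcd"
    printf '%s\n' "bind tm global -policyName pol_trf_$kcd -priority 100"
    # load balancing: server by FQDN (this is why DNS is a prerequisite), vserver
    # protected by the AAA vserver; a certificate still has to be bound to the SSL vserver
    printf '%s\n' "add server srv_$kcd $backend"
    printf '%s\n' "add service svc_$kcd srv_$kcd HTTP 80"
    printf '%s\n' "add lb vserver lb_$kcd SSL $vip 443 -authentication ON -authenticationHost $aaafqdn -authnVsName $aaavs"
    printf '%s\n' "bind lb vserver lb_$kcd svc_$kcd"
}

if [ $# -eq 6 ]; then
    kcd_config "$@"
fi
```

The traffic policy is scoped with HTTP.REQ.HOSTNAME so that the global binding only triggers KCD SSO for this backend; the session policy uses the classic ns_true rule, which on releases that have dropped classic policies becomes an advanced policy with the rule true. The SSL vserver still needs a certificate (bind ssl vserver ... -certkeyName) before it serves traffic.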


Troubleshooting

Two things to know when troubleshooting KCD on the Netscaler.

First, LDAP is your primary authentication, so check it first with this command (in an SSH session on the active Netscaler; the AAA daemon is aaad, and its debug output is read from /tmp/aaad.debug):

shell
cat /tmp/aaad.debug

Second, if LDAP works but SSO to the backend does not happen as expected, use this command, which shows the Kerberos (KCD) debug output:

shell
cat /tmp/nskrb.debug
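As an added example (not from the original post), here is a POSIX sh script to run in the Netscaler shell, the same place you cat /tmp/nskrb.debug, that decodes the krb5 error codes printed by ns_kgetcred and flags a service name built from an IP address, as in the log shown in the load-balancing section. The sample lines embedded in it are copied from that log; the code-to-name mapping follows RFC 4120 (krb5 reports the RFC error code plus ERROR_TABLE_BASE_krb5, -1765328384), and the suggested causes are the usual ones in a KCD setup, not something the Netscaler itself prints.

```shell
#!/bin/sh
# Added example, not from the original post: decode the krb5 error codes that
# /tmp/nskrb.debug reports for ns_kgetcred / krb5_get_creds and flag a service
# name built from an IP address. POSIX sh + awk, so it runs in the Netscaler shell.
# Usage:  nskrb_diagnose < /tmp/nskrb.debug      or      sh nskrb_diag.sh --demo

# krb5 library codes are ERROR_TABLE_BASE_krb5 (-1765328384) + the RFC 4120 error code.
KRB5_ERR_BASE=-1765328384

# krb5_errname <code>: RFC 4120 name plus the usual cause in a KCD setup (assumed hints).
krb5_errname() {
    off=$(( $1 - KRB5_ERR_BASE ))
    case "$off" in
        6)  printf '%s\n' "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (user or service account not found in the realm)" ;;
        7)  printf '%s\n' "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (no account carries the requested SPN)" ;;
        13) printf '%s\n' "KRB5KDC_ERR_BADOPTION (S4U2Proxy refused: target SPN not on the account's delegation list, or protocol transition not allowed)" ;;
        14) printf '%s\n' "KRB5KDC_ERR_ETYPE_NOSUPP (encryption type mismatch between keytab and account)" ;;
        18) printf '%s\n' "KRB5KDC_ERR_CLIENT_REVOKED (account disabled or locked out)" ;;
        23) printf '%s\n' "KRB5KDC_ERR_KEY_EXP (service account password expired)" ;;
        24) printf '%s\n' "KRB5KDC_ERR_PREAUTH_FAILED (keytab key does not match the account password)" ;;
        37) printf '%s\n' "KRB5KRB_AP_ERR_SKEW (clock skew too great: check NTP)" ;;
        *)  printf '%s\n' "krb5 error code $1 (RFC 4120 error $off)" ;;
    esac
}

# spn_host <SPN>: host part of SERVICE/host@REALM
spn_host() {
    h=${1#*/}
    printf '%s\n' "${h%@*}"
}

# is_ip_literal <host>: true for a dotted-quad address
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# nskrb_diagnose: read nskrb.debug on stdin, print one verdict per krb5_get_creds failure
nskrb_diagnose() {
    awk '/krb5_get_creds returned/ {
            code = ""; spn = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "returned") code = $(i + 1)
                if ($i == "svcname")  spn  = $(i + 1)
            }
            sub(/,$/, "", code); sub(/,$/, "", spn)
            print code, spn
        }' |
    while read -r code spn; do
        printf '%s -> %s\n' "$code" "$(krb5_errname "$code")"
        if [ -n "$spn" ] && is_ip_literal "$(spn_host "$spn")"; then
            printf '   %s: SPN derived from an IP address; define the server by FQDN so the SPN matches the delegation list\n' "$spn"
        fi
    done
}

# Sample input copied from the log lines shown in the post (constructed test data).
SAMPLE_NSKRB='Tue Apr 28 08:37:29 2015
nskrb.c[1239]: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist
Tue Apr 28 08:37:30 2015
nskrb.c[1299]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/10.10.10.100@MYDOMAIN.LOCAL, impersonate str NULL, deleg /var/krb/s4u_test_MYDOMAIN.LOCAL_myserver.mydomain.com_MYDOMAIN.LOCAL outcache /var/krb/tgs_test_MYDOMAIN.LOCAL_10.10.10.100_MYDOMAIN.LOCAL
Tue Apr 28 08:37:30 2015
nskrb.c[1301]: ns_kgetcred krb5_get_creds returned -1765328371'

# nskrb_demo: run the diagnosis over the embedded sample
nskrb_demo() {
    printf '%s\n' "$SAMPLE_NSKRB" | nskrb_diagnose
}

if [ "${1:-}" = "--demo" ]; then
    nskrb_demo
fi
```

On the sample above the script reports KRB5KDC_ERR_BADOPTION twice and flags HTTP/10.10.10.100@MYDOMAIN.LOCAL as an SPN derived from an IP address, which is the hint that the server object was created with an IP rather than its FQDN.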