Kerberos authentication with NTLM fallback & KCD SSO for backend

6:25 PM

With the release of NetScaler 11 build 64.34, the requirements and the configuration for NTLM authentication have changed.

In this blog post, I'm going through an example configuration where we authenticate using Kerberos when on the internal network, but fall back to NTLM when users are external and Active Directory is not reachable.

To make things a bit more interesting, we also single sign-on to the back-end resource with Kerberos Constrained Delegation.

I have found this particular configuration to be something a lot of people struggle with, so hopefully this breakdown will be useful.

First things first, the requirements. To cover this working example, you need:

  • A load balancing virtual server
  • A back-end resource with "Windows authentication" and the right providers set (Negotiate and NTLM)
  • An AAA vServer for authentication
  • An authentication negotiate policy
  • An authentication negotiate action
  • An NTLM path URL
  • A session policy for single sign-on
  • A Kerberos account
  • Some SPNs

To better understand the full flow of communication, I took a packet capture of the respective packets.

First, the client sends a GET request for the target resource, and the LB responds with a "401 Unauthorized".

Capture

As part of the "401" response, the LB tells the client that it accepts "Negotiate" and "NTLM" for authentication.

Capture

Because the client is external to my network, it obviously cannot reach my Active Directory / Kerberos Key Distribution Center (KDC) to request a ticket, so it responds saying it wants to authenticate with NTLM.

Capture

(This is the same response, viewed at the header level.)

Capture

Now for the clever part. The NetScaler now sends a GET request to the back-end server for the defined "NTLM Path" and indicates that it wants to use NTLM authentication.

Capture

The back-end server responds with an NTLM challenge, which the NetScaler forwards to the client. The client responds with its credentials, the NetScaler passes them back to the server, and if successful a "200 OK" is returned; the NetScaler treats this as a successful login.
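The exchange above, as an added example that is not part of the original post: a small Python classifier for the WWW-Authenticate / Authorization headers you would see in such a trace, so you can tell from the headers alone whether a client took the Kerberos (SPNEGO) path or fell back to NTLM, and which NTLM message (type 1 NEGOTIATE, type 2 CHALLENGE, type 3 AUTHENTICATE) each hop carried. The sample headers are constructed here, not taken from the capture, and the function names (classify_auth_header, summarize_exchange, fell_back_to_ntlm) are my own.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message_type(token: bytes):
    """Return the NTLMSSP MessageType (1, 2 or 3), or None if this is not an NTLM token."""
    if len(token) < 12 or not token.startswith(NTLMSSP_SIGNATURE):
        return None
    return struct.unpack_from("<I", token, 8)[0]


def classify_auth_header(value: str) -> dict:
    """Classify one WWW-Authenticate / Authorization header value.

    mechanism is one of:
      'offer'           - bare scheme, no token (server offering Negotiate or NTLM in a 401)
      'ntlm'            - NTLMSSP token, whether carried as 'NTLM ...' or 'Negotiate ...'
      'spnego/kerberos' - GSS-API initial context token (DER APPLICATION 0 tag, 0x60)
      'spnego-response' - SPNEGO NegTokenResp from the server (context tag 0xa1)
      'invalid-token'   - the base64 part did not decode
      'other'           - some other scheme (Basic, Bearer, ...)
    """
    scheme, _, b64 = value.strip().partition(" ")
    result = {"scheme": scheme, "mechanism": "other", "ntlm_type": None}
    if scheme.lower() not in ("negotiate", "ntlm"):
        return result
    if not b64.strip():
        result["mechanism"] = "offer"
        return result
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        result["mechanism"] = "invalid-token"
        return result
    ntype = ntlm_message_type(token)
    if ntype is not None:
        result["mechanism"] = "ntlm"
        result["ntlm_type"] = ntype
    elif token[:1] == b"\x60":
        result["mechanism"] = "spnego/kerberos"
    elif token[:1] == b"\xa1":
        result["mechanism"] = "spnego-response"
    return result


def summarize_exchange(exchange):
    """Turn (direction, header, value) triples into one human-readable line per message."""
    lines = []
    for direction, header, value in exchange:
        info = classify_auth_header(value)
        desc = info["mechanism"]
        if info["ntlm_type"] is not None:
            desc = "NTLM type %d (%s)" % (info["ntlm_type"], NTLM_TYPE_NAMES.get(info["ntlm_type"], "?"))
        lines.append("%s %s: %s -> %s" % (direction, header, info["scheme"], desc))
    return lines


def fell_back_to_ntlm(exchange) -> bool:
    """True when the client answered with an NTLM NEGOTIATE (type 1) message, i.e. it
    did not present a Kerberos ticket and took the NTLM path instead."""
    return any(classify_auth_header(v)["ntlm_type"] == 1
               for direction, _, v in exchange if direction == "C->S")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample messages (not from the capture in the post): minimal NTLMSSP headers
# with the correct signature and MessageType, padded with zeros.
_TYPE1 = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + b"\x00" * 16
_TYPE2 = NTLMSSP_SIGNATURE + struct.pack("<I", 2) + b"\x00" * 8 + struct.pack("<I", 0xE28A8215) + b"\x00" * 8
_TYPE3 = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 52

SAMPLE_EXCHANGE = [
    ("S->C", "WWW-Authenticate", "Negotiate"),             # 401 from the LB: both schemes offered
    ("S->C", "WWW-Authenticate", "NTLM"),
    ("C->S", "Authorization", "NTLM " + _b64(_TYPE1)),     # external client: no KDC, picks NTLM
    ("S->C", "WWW-Authenticate", "NTLM " + _b64(_TYPE2)),  # back-end challenge relayed by the NetScaler
    ("C->S", "Authorization", "NTLM " + _b64(_TYPE3)),     # client answers with its credentials
]

# Constructed GSS-API initial-token prefix (APPLICATION 0 tag followed by the SPNEGO OID),
# as an internal client holding a Kerberos ticket would send.
SAMPLE_KERBEROS_HEADER = "Negotiate " + _b64(b"\x60\x81\x00\x06\x06\x2b\x06\x01\x05\x05\x02")

if __name__ == "__main__":
    for line in summarize_exchange(SAMPLE_EXCHANGE):
        print(line)
    print("fell back to NTLM:", fell_back_to_ntlm(SAMPLE_EXCHANGE))
```

Note that Windows clients frequently carry the NTLM messages inside an "Authorization: Negotiate ..." header rather than "Authorization: NTLM ..."; the classifier therefore decides by the NTLMSSP signature in the decoded token, not by the scheme name, so the fallback still shows up correctly in the summary.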

Untitled

Our client has now authenticated successfully, but in this example (to make things a little more interesting) the target resource is now requested with Kerberos Constrained Delegation (KCD).

Here are the configuration steps:

#create the backend server by FQDN and then create the service
#(gary-dc is my target web server)
add server GARY-DC gary-dc.garyslab.net
add service gary-dc GARY-DC HTTP 80

#add the Negotiate authentication action and policy
add authentication negotiateAction administrator -domain garyslab.net -domainUser administrator -domainUserPasswd 8ad14a780a85...*cut* -encrypted -encryptmethod ENCMTHD_3 -NTLMPath "http://192.168.0.1/index.html"
add authentication negotiatePolicy Kerberos-auth-policy ns_true administrator

#create the kerberos account and the session policy for SSO
add aaa kcdAccount KCD -realmStr GARYSLAB.NET -delegatedUser kerberos -kcdPassword 4924...*cut* -encrypted -encryptmethod ENCMTHD_3 -userRealm GARYSLAB.NET
** Please note that in the case of multiple domains, we need to create a kcdAccount for each client domain, with the user realm set to that client's realm. Alternatively, use the ssoDomain setting in the session policy. **
add tm sessionAction mysso -SSO ON -ssoDomain garyslab -kcdAccount KCD
add tm sessionPolicy sso_session_pol ns_true mysso

#create the AAA vserver
add authentication vserver aaa_vserver SSL 1.1.1.1 443 -AuthenticationDomain aaa.garyslab.net

#bind the auth and SSO policies
bind authentication vserver aaa_vserver -policy Kerberos-auth-policy -priority 100
bind authentication vserver aaa_vserver -policy sso_session_pol -priority 100

#create the LB vServer and tie it to the AAA vserver
add lb vserver LB_HTTP HTTP 2.2.2.2 80 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180 -authn401 ON -authnVsName aaa_vserver

Some important points to remember:

  • Make sure your services use FQDNs and not IPs
  • Add the appropriate SPNs; in this lab I put them in for both my LB and my AAA
  • This is done in AD with "setspn -A host/lb.garyslab.net garyslab\kerberos" and "setspn -A http/lb.garyslab.net garyslab\kerberos". Do this for both the LB FQDN and the AAA FQDN; failing to do so leads to a "principal unknown" error in a trace. (garyslab\kerberos is my delegated user.)

Troubleshooting

While setting this up on the device, I ran into two issues that I'll describe here, hopefully saving you a few days of frustration.

Pay close attention to the NTLM path: it **must** be the complete FQDN and PATH, i.e. http://FQDN/PATH.html. I initially had only http://FQDN, but this resulted in an "HTTP/1.1 Internal Server Error 43550" error.

Secondly, you should add an SPN for the AAA itself, not only for the LB FQDN. I could see a "principal unknown" error in a trace following a failed login attempt.
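As an added example (not from the original post), a check that encodes the NTLM path rule from the first troubleshooting point and then probes the path the way the NetScaler will, anonymously, to confirm the back end answers 401 with NTLM in WWW-Authenticate. The function names check_ntlm_path and probe_ntlm_path and the sample URLs are assumptions of this example; the FQDN-versus-IP point is reported as a warning rather than a failure because the post's own working configuration uses an IP in the path.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def check_ntlm_path(url: str):
    """Return (ok, reason) for a candidate NTLMPath value.

    Applies the rule from the troubleshooting notes: a scheme, a host and a real
    resource path (http://FQDN/PATH.html), never just http://FQDN.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "missing host"
    if parts.path in ("", "/"):
        return False, "missing path: NTLMPath needs a resource such as /index.html, not only the host"
    warnings = []
    try:
        ipaddress.ip_address(parts.hostname)
        warnings.append("host is an IP literal; the post recommends the complete FQDN")
    except ValueError:
        if "." not in parts.hostname:
            warnings.append("host is a short name, not an FQDN")
    return True, "; ".join(warnings) or "ok"


def probe_ntlm_path(url: str, timeout: float = 5.0):
    """Request the NTLM path without credentials and report the WWW-Authenticate schemes.

    For the fallback to work the back end must answer 401 and list NTLM. This is a
    live network call and is not exercised by the offline checks below.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Anonymous access succeeded: Windows authentication is not enforced on this path.
            return {"status": resp.status, "schemes": [], "ntlm_offered": False}
    except urllib.error.HTTPError as err:
        values = err.headers.get_all("WWW-Authenticate") or []
        schemes = [v.split(" ", 1)[0] for v in values]
        return {"status": err.code, "schemes": schemes,
                "ntlm_offered": err.code == 401 and "NTLM" in schemes}


if __name__ == "__main__":
    # Constructed sample values modelled on the post's lab names.
    for candidate in ("http://gary-dc.garyslab.net",
                      "http://gary-dc.garyslab.net/index.html",
                      "http://192.168.0.1/index.html"):
        print(candidate, "->", check_ntlm_path(candidate))
```

Run the probe (probe_ntlm_path("http://gary-dc.garyslab.net/index.html")) from a host that can reach the back end; a result with status 401 and "NTLM" in schemes is what the NetScaler needs from the NTLM path, while a 200 means the path is not protected by Windows authentication at all.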

KCD configuration

In addition to the requirements on the device, for the KCD part of this demonstration I took the following steps.

Set up your target resource with the correct authentication, as follows (IIS in my case).

In AD, create an account that performs the actual delegation; in my case I called this account "kerberos". On the Delegation tab, set "Trust this user for delegation to specified services only" and "Use any authentication protocol". Then add the service you are load balancing; in my case it is my IIS server, so I added the server GARY-DC.GARYSLAB.NET with the type HTTP.

Capture

Add the SPNs for the external FQDN of the LB and of the AAA, as described above.

Now, on the NetScaler, add this newly created account to your "KCD accounts". You can use a keytab, but I find it easier to just define the user. This is the account you will specify in your SSO policy.

kcd

Now you should be all set. ...
