
Netscaler ADC: Kerberos Authentication with KCD

I will try to give the key points you must complete to configure your Netscaler. KCD (Kerberos Constrained Delegation) authenticates your user through a service account that obtains a TGT on the user's behalf. This TGT is used for SSO, to authenticate the user to the backend server (e.g. Exchange or a web server).


Prepare Netscaler and Service Account

Before you start the configuration, the following prerequisites must be in place:

  • NTP must be configured to synchronise time from the PDC
  • DNS resolution must be working
  • LDAP authentication must already be set up on an AAA vserver
  • A KCD service account

This service account must be configured correctly.

Create your service account like a normal user with the Active Directory tools. Once the user exists you must configure the SPN and generate the keytab file. This keytab file is used to upload the configuration to the Netscaler; this is the simplest way to set up KCD on the Netscaler.

A script like this (.bat) can be generated by the Netscaler in the KCD tab:

@echo off
REM Service account credentials. The password is stored here in clear text,
REM so delete this file once the keytab has been generated.
set kcdusername=myusername
set kcdpassword=mypassword
echo %kcdusername%
REM Map the HTTP SPN to the service account and write its key to the keytab.
REM The principal carries the Kerberos realm (the AD domain name in upper case).
ktpass /out c:\temp\my.keytab /princ HTTP/myservice.mydomain.local@MYDOMAIN.LOCAL /pass %kcdpassword% /mapuser MYDOMAIN\%kcdusername% /ptype KRB5_NT_PRINCIPAL

Once you have this script, run it from a CMD prompt on your Domain Controller with an account that has sufficient rights to set the SPN on the service account.
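Before uploading the keytab to the Netscaler it is worth checking what ktpass actually wrote: the principal and realm must match the SPN the backend will be accessed with, and the key should be AES rather than RC4. The following is an added example of mine, not Netscaler or Microsoft code. It builds a keytab in the MIT format that ktpass produces (format version 0x0502), parses it back, and reports findings; the principal, realm, key bytes and kvno are constructed placeholders matching the script above. Against a real file, call parse_keytab(open("my.keytab", "rb").read()).

```python
# Added example (not Netscaler or Microsoft code): build and verify an MIT-format
# keytab, the file format ktpass writes. The principal, realm, key bytes and kvno
# used below are constructed placeholders that mirror the script in the post.
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab, format version 2
KRB5_NT_PRINCIPAL = 1           # the /ptype value used in the ktpass script
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac (RC4)"}


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes (a keytab counted_octet_string)."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, realm: str, enctype: int, key: bytes, kvno: int = 3) -> bytes:
    """Serialise a one-entry keytab in the layout ktpass/kinit use. Used here only to
    construct test input; a real keytab comes from ktpass on the domain controller."""
    components = principal.split("/")                      # "HTTP/host" -> ["HTTP", "host"]
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)    # keyblock: enctype + key
    body += struct.pack(">I", kvno)                        # optional 32-bit kvno trailer
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


def _read_counted(blob: bytes, pos: int):
    (n,) = struct.unpack(">H", blob[pos:pos + 2])
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(blob: bytes) -> list:
    """Return one dict per entry: principal@REALM, name type, enctype, kvno, key length."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size <= 0:                        # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack(">IIB", blob[pos:pos + 9])
        pos += 9
        (enctype,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:                   # 32-bit kvno present; it overrides the 8-bit one
            (kvno,) = struct.unpack(">I", blob[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "enctype": enctype,
                        "kvno": kvno, "key_len": len(key)})
    return entries


def check_keytab(blob: bytes, expected_spn: str, realm: str) -> list:
    """Findings worth resolving before uploading the keytab; an empty list means it looks right."""
    findings = []
    entries = parse_keytab(blob)
    want = f"{expected_spn}@{realm}"
    if not any(e["principal"] == want for e in entries):
        findings.append(f"no entry for {want}: check the ktpass /princ value and the realm case")
    for e in entries:
        if e["enctype"] == 23:
            findings.append(f"{e['principal']} uses {ENCTYPE_NAMES[23]}; prefer an AES key")
        elif e["enctype"] not in ENCTYPE_NAMES:
            findings.append(f"{e['principal']} uses unknown enctype {e['enctype']}")
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            findings.append(f"{e['principal']} has name type {e['name_type']}, expected KRB5_NT_PRINCIPAL")
    return findings


if __name__ == "__main__":
    kt = build_keytab("HTTP/myservice.mydomain.local", "MYDOMAIN.LOCAL", 18, bytes(32))
    print(parse_keytab(kt))
    print(check_keytab(kt, "HTTP/myservice.mydomain.local", "MYDOMAIN.LOCAL") or "keytab OK")
```

The check compares the full principal, realm included, because a keytab generated with the wrong realm case or the short host name parses fine but never matches the ticket the KDC issues for the backend SPN.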

You can check directly afterwards whether the configuration is correct.



On the second capture (the account's SPN list), you must add HOST and HTTP (HOST is clearly not mandatory if you use only HTTP).


Setup KCD into the Netscaler

After you configure the KCD account in your LDAP, you must configure the AAA vserver. For this, follow these steps:
1 – Add the KCD account to the Netscaler


2 – Create a session policy (or a traffic policy bound globally)

First, set up the profile


Second, set up the policies:


3 – Configure your AAA vServer; in my example I use the same one I used for LDAP authentication, so you just need to add your session profile.

4 – Traffic policies: you must bind them globally, but be aware of the priority and of what you apply them to; use regular expressions!




You can use the following expression to match the URL:



Third, configure your load balancing server

Not much to know (bind your AAA vserver to your LB vServer). The only thing you need to be careful about:

When you create the server, use the FQDN and not the IP address! Otherwise you can hit this kind of problem and be unable to connect to your backend server after LDAP authentication:

Tue Apr 28 08:37:29 2015
nskrb.c[1239]: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist

Tue Apr 28 08:37:30 2015
nskrb.c[1299]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/, impersonate str NULL, deleg /var/krb/s4u_test_MYDOMAIN.LOCAL_myserver.mydomain.com_MYDOMAIN.LOCAL outcache /var/krb/tgs_test_MYDOMAIN.LOCAL_10.10.10.100_MYDOMAIN.LOCAL

Tue Apr 28 08:37:30 2015
nskrb.c[1301]: ns_kgetcred krb5_get_creds returned -1765328371




Two things to know for troubleshooting KCD on the Netscaler.

First, you will use LDAP authentication as the primary authentication, so you can troubleshoot it with this command (in an SSH session on your active Netscaler):

cat /tmp/aaaa.debug

Second, if LDAP seems to work but nothing happens as expected, try the following command; it is a special command to troubleshoot Kerberos:

cat /tmp/nskrb.debug
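The ns_kgetcred lines quoted above (the IP-address backend problem) and the nskrb.debug output are easier to read once the krb5 return code is translated: the codes are KRB5KDC_ERR_NONE (-1765328384) plus the protocol error number, so -1765328371 is error 13, KRB5KDC_ERR_BADOPTION, the KDC refusing the delegation request. The following is an added example of mine, not Citrix code. It reads a copy of the debug file, names the code for the few values that matter for KCD, and flags a ticket target that is an IP address. The sample is the three lines from the post, embedded as a constructed string; the code table holds standard MIT krb5 values.

```python
# Added example (not Citrix code): pick the ns_kgetcred failures out of
# /tmp/nskrb.debug, translate the krb5 return code, and flag the IP-address
# backend that the post identifies as the cause. The sample lines are the three
# from the post; the error table holds standard MIT krb5 error values.
import re

# MIT krb5 error codes are KRB5KDC_ERR_NONE (-1765328384) plus the RFC 4120
# protocol error number. The few that matter when troubleshooting KCD:
KRB5_ERROR_BASE = -1765328384
KRB5_ERRORS = {
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "KCD account or user not found in AD"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "service SPN not registered in AD (check the ktpass /princ value)"),
    13: ("KRB5KDC_ERR_BADOPTION", "KDC refused the delegation: target SPN missing or not allowed for the KCD account"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "keytab or password of the KCD account is wrong"),
    37: ("KRB5KRB_AP_ERR_SKEW", "clock skew between Netscaler and DC; check NTP"),
}

RETURNED_RE = re.compile(r"krb5_get_creds returned (-?\d+)")
# Lookarounds instead of \b: the address sits between underscores in the cache path.
IPV4_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


def normalise(line: str) -> str:
    """Log extracts pasted through a browser often carry an en dash or a Unicode
    minus sign in place of the ASCII hyphen (the post's third line does)."""
    return line.replace("\u2013", "-").replace("\u2212", "-")


def explain(code: int):
    """Map a raw krb5 return value to (protocol error number, symbolic name, hint)."""
    num = code - KRB5_ERROR_BASE
    name, hint = KRB5_ERRORS.get(num, (f"unknown krb5 error {code}", "look the code up in the krb5 error tables"))
    return num, name, hint


def analyze(log_text: str) -> list:
    """One finding per 'krb5_get_creds returned' line in the debug output."""
    findings = []
    for raw in log_text.splitlines():
        line = normalise(raw)
        m = RETURNED_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        num, name, hint = explain(code)
        ip = IPV4_RE.search(line)
        if ip:  # AD has no SPN such as HTTP/10.10.10.100, so the KDC cannot issue the ticket
            hint += f"; the target {ip.group(1)} is an IP address: define the LB server by FQDN"
        findings.append({"code": code, "number": num, "name": name, "hint": hint,
                         "ip_in_path": ip.group(1) if ip else None})
    return findings


# Constructed sample: the three nskrb.debug lines quoted in the post, the last
# one with the en dash exactly as it was pasted.
SAMPLE = """Tue Apr 28 08:37:29 2015
nskrb.c[1239]: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist
Tue Apr 28 08:37:30 2015
nskrb.c[1299]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/, impersonate str NULL, deleg /var/krb/s4u_test_MYDOMAIN.LOCAL_myserver.mydomain.com_MYDOMAIN.LOCAL outcache /var/krb/tgs_test_MYDOMAIN.LOCAL_10.10.10.100_MYDOMAIN.LOCAL
Tue Apr 28 08:37:30 2015
nskrb.c[1301]: ns_kgetcred krb5_get_creds returned \u20131765328371
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['code']} = {f['name']} (#{f['number']}): {f['hint']}")
```

On the box itself the same function can be fed the real file with analyze(open("/tmp/nskrb.debug").read()); the "cache file ... does not exist" line is informational and is deliberately not reported.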

Netscaler ADC: Certificate authentication with AAA vserver

The implementation of Netscaler can sometimes be a bit technical. If you add strong authentication needs with a second factor, then you have a nice challenge!

You need to ask yourself the right questions first to deploy a strong certificate-based authentication solution via Netscaler, in order to avoid losing time and to get the necessary details at the right time:

  1. Internal root & intermediate certificates to install on the Netscaler
  2. Do not forget to bind them together (root & intermediate)
  3. Which username does the user use to log in? (UserPrincipalName, other?)
  4. Is this username present on the certificate?
  5. A (public) IP address with its (public) A record for the AAA vserver that provides the certificate authentication.
  6. Has LDAP authentication already been configured? If not, start there 🙂
  7. Finally, if you authenticate with the UserPrincipalName for the certificate and you ask for the SamAccountName in LDAP, this won't work. Therefore you may have to configure a specific LDAP policy so that it logs in with the right field.

Then the implementation is simple and follows the standard methodology of an AAA vserver setup and an application published by Netscaler.

Security - AAA - Policies > Authentication - Basic Policies - CERT

Create a new server with these values:

Two Factor = On
User Name Field = must correspond to the username present in the certificate

Create a simple policy:

Server = the name of the server created above
Expression = ns_true

Your authentication type is created. Do not forget that LDAP must also be configured to be able to set it up my way.

Then it is necessary to create a traffic policy to avoid double-authentication problems on your websites. The values are quite easy:

Single Sign On = On
Enable Persistent Cookie = checked (validate that you need it).


The final thing to do is to create the AAA vserver. Nothing is complicated, but you need to be careful about three things.

1 – The binding of LDAP and CERT:

Both must be configured as primary (CERT and LDAP) but with different priorities:
CERT = 100
LDAP1 = 110
LDAP2 = 120

2 – The root certificate bound to the AAA vserver :

In the CA Certificate section: your root certificate must be bound here.

3 – The process to get the certificate for authentication:

Do not forget to configure the Client Certificate field in the SSL Parameters.

Client Certificate = Mandatory


If the setup is correct then you can reach your server. After the client certificate is presented, the username field is filled in automatically and cannot be modified.


For troubleshooting, SSH and the Netscaler shell will give you the necessary details:

cat /tmp/aaaa.debug