I will tried to give some key point you must to accomplish to configure your Netscaler. KCD for Kerberos Constraint Delegation can authenticate your user using service account to deliver TGT. This TGT will be use for SSO and to authenticate the user to the backend server (e.g. : Exchange or web server).
Prepare Netscaler and Service Account
To start this configuration some prerequisite must be implement before you start configuration :
- NTP server must be set to synchronise time from the PDC
- DNS resolution must be implement
- LDAP authentication must be also setup on a AAA vserver
- KCD Service Account
This Service Account must be correctly configure.
Create your service account like normal user using Active Directory tool. Once your user is setup you must configure the SPN and generate keytab file. This keytab file will be use to upload configuration to the Netscaler. This is the simple way to setup KCD on the Netscaler.
Script like this (.bat) can be generate by the Netscaler in KCD tab :
@echo off set kcdusername=myusername set kcdpassword=mypassword echo %kcdusername% ktpass -out c:\temp\my.keytab /princ HTTP/myservice.mydomain.local /pass %kcdpassword% /mapuser MYDOMAIN\%kcdusername% /ptype KRB5_NT_PRINCIPAL
Once you have this script you must use to a CMD into your Domain Controller with sufficient right to launch it and set the service account.
You can check directly after if the configuration is correct.
On the second capture, you must add HOST and HTTP (host is clearly not mandatory if you use only HTTP).
Setup KCD into the Netscaler
After you configure the KCD account to your LDAP, you must configure AAA vserver. For this you must follow this step :
1 – add KCD account to the Netscaler
2 – Create a session policy (or Traffic policy bound globally)
First, setup the profile
Second, setup the policies :
3 – Configure your AAA vServer, in my example I using the same I used for LDAP authentication. So you juste need to add your Session profile.
You can use the following expression to match the URL :
Third configure your Loadbalancing Server
No much thing to know (bind to your vServer your AAA vserver). The only thing your need to be carreful :
When you create the server, used FQDN and don’t used IP address ! if not you can have this kind of problem and unable to connect to your backend server after LDAP authentication :
Tue Apr 28 08:37:29 2015 nskrb.c: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist Tue Apr 28 08:37:30 2015 nskrb.c: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/10.10.10.100@MYDOMAIN.LOCAL, impersonate str NULL, deleg /var/krb/s4u_test_MYDOMAIN.LOCAL_myserver.mydomain.com_MYDOMAIN.LOCAL outcache /var/krb/tgs_test_MYDOMAIN.LOCAL_10.10.10.100_MYDOMAIN.LOCAL Tue Apr 28 08:37:30 2015 nskrb.c: ns_kgetcred krb5_get_creds returned –1765328371
Two thing to know for troubleshoot KCD to the Netscaler.
First you will use LDAP authentication on primary authentication so you can troubleshoot it with this command (in SSH session on your active Netscaler) :
shell cat /tmp/aaaa.debug
Second LDAP seems to be work but nothing happen like expect. Try this following command it is a special command to troubleshoot Kerberos :
shell cat /tmp/nskrb.debug