Kerberos Authentication Troubleshooting Basics

Article ID: CTX133789

Description

This article contains troubleshooting tips for Kerberos authentication on the NetScaler.

Background

The Kerberos authentication protocol provides a mechanism for authentication between a client and a server, or between one server and another server. The Kerberos Key Distribution Center (KDC) uses the domain’s Active Directory service database as its security account database. Active Directory (AD) is required for default NTLM and Kerberos implementations. On the NetScaler, Kerberos authentication is only available for Authentication, Authorization, and Auditing (AAA) Traffic Management Virtual Servers.

Requirements

  • Knowledge of configuring Kerberos on NetScaler.

  • Administrator rights to access the AD server and NetScaler.

Troubleshooting Tips

  • Verify that the keytab file is present and linked. The keytab is created on AD, and the same file is then loaded onto the NetScaler.

    A keytab is a file containing pairs of Kerberos principals and encrypted keys (derived from the Kerberos password). It lets a service authenticate to Kerberos without being prompted for a password. Whenever the Kerberos password changes, every keytab that contains it must be recreated.

    root@ns # cd /etc
    root@ns # ls -ail kr*
    21802 lrwxr-xr-x 1 root wheel 27 Apr 25 06:27 krb5.conf -> /var/nslw.bin/etc/krb5.conf
    21803 lrwxr-xr-x 1 root wheel 29 Apr 25 06:27 krb5.keytab -> /var/nslw.bin/etc/krb5.keytab
  • Verify that ktutil shows the service principal in the output of the list command. The list command prints the contents of a keytab file; each entry shows a version number and a principal name.

    Example:

    version_number username@domain-name
    root@ns # ktutil
    ktutil: rkt /etc/krb5.keytab
    ktutil: list
    1 1 dummy@DUMMY.COM
    2 4 HTTP/Kerberos.example.lab.net@example.lab.net
    3 5 HTTP/kerberos.example.lab.net@example.lab.net
  • Verify that the NetScaler is listed among the computers in AD. You can check this on AD by navigating to Active Directory Users and Computers > Domain name (example.lab.net) > Computers.

  • Verify that the NetScaler has joined the domain.

    root@ns # cd /opt/likewise/bin
    root@ns # lw-get-current-domain
    Current Domain = Example.lab.net

    If necessary, force the NetScaler to join the domain (kerbuser is the AD account performing the join):

    root@ns # cd /opt/likewise/bin
    root@ns # domainjoin-cli join example.lab.net kerbuser
  • Verify the status of the NetScaler lwagent process.

    root@ns # cd /opt/likewise/bin
    root@ns # lw-get-status
  • Verify the LSA Server Status in the output of lw-get-status. The AD provider should be Online and the expected domain and domain controller should be listed:

    Compiled daemon version: 5.0.0.0
    Packaged product version: 5.4.0.56255
    Uptime:0 days 0 hours 27 minutes 25 seconds
    [Authentication provider: lsa-activedirectory-provider]
    Status:Online
    Mode:Un-provisioned
    Domain:example.lab.net
    Forest:example.lab.net
    Site:Default-First-Site-Name
    Online check interval: 300 seconds
    [Trusted Domains: 1]
    [Domain: example]
    DNS Domain:example.lab.net
    Netbios name:example
    Forest name:example.lab.net
    Trustee DNS name:
    Client site name: Default-First-Site-Name
    Domain SID:S-1-5-21-3661025885-3787533157-3708367370
    Domain GUID:fea9c1a6-a6ad-7e4c-ae7c-458273b13864
    Trust Flags:[0x001d]
    [0x0001 - In forest]
    [0x0004 - Tree root]
    [0x0008 - Primary]
    [0x0010 - Native]
    Trust type:Up Level
    Trust Attributes:[0x0000]
    Trust Direction:Primary Domain
    Trust Mode:In my forest Trust (MFT)
    Domain flags:[0x0001]
    [0x0001 - Primary]
    [Domain Controller (DC) Information]
    DC Name:AD-DNS.example.lab.net
    DC Address:10.217.147.246
    DC Site:Default-First-Site-Name
    DC Flags:[0x000013fd]
    DC Is PDC:yes
    DC is time server:yes
    DC has writeable DS:yes
    DC is Global Catalog:yes
    DC is running KDC:yes
    [Authentication provider: lsa-local-provider]
    Status:Online
    Mode:Local system
  • Verify that the NetScaler is syncing with the AD every minute.

    root@ns # cat /tmp/aaad.debug
    Mon Apr 25 11:04:02 2012
    lwagent.c[1107]: main EV_DEBUG: handle time out
    Mon Apr 25 11:04:02 2012
    lwagent.c[964]: lw_authenticate_user LWAGENT: Trying to authenticate user kerbuser@example.lab.net...
    Mon Apr 25 11:04:02 2012
    lwagent.c[975]: lw_authenticate_user LWAGENT: Successfully authenticated user kerbuser@example.lab.net

    If not, restart the lwagent process:

    root@ns # cd /opt/likewise/bin
    root@ns # nslw.sh stop
    root@ns # nslw.sh start
  • Following is a list of logs to capture when working on Kerberos issues:

    - packet trace on the NetScaler (nstrace.sh)
    - /var/log/messages
    - /var/log/ns.log
    - output of `cat /tmp/aaad.debug`
    - output of `ls /tmp/`
    - output of `sh aaa session`
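
The checks above are usually done by eye. The following shell functions, added here as an example and not part of the Citrix article, parse the same outputs (ktutil list, lw-get-current-domain, /tmp/aaad.debug) so the checks can be scripted; all sample outputs in the block are constructed, and the function names are this example's own.

```shell
# Added example, not from the article: offline parsers for the outputs the
# troubleshooting steps inspect. Sample outputs below are constructed.

# Constructed sample of `ktutil: list` output (slot, version, principal).
KTUTIL_SAMPLE='1 1 dummy@DUMMY.COM
2 4 HTTP/Kerberos.example.lab.net@example.lab.net
3 5 HTTP/kerberos.example.lab.net@example.lab.net'

# Constructed sample of /tmp/aaad.debug entries written by lwagent.
AAAD_SAMPLE='Mon Apr 25 11:04:02 2012
lwagent.c[964]: lw_authenticate_user LWAGENT: Trying to authenticate user kerbuser@example.lab.net...
Mon Apr 25 11:04:02 2012
lwagent.c[975]: lw_authenticate_user LWAGENT: Successfully authenticated user kerbuser@example.lab.net'

# keytab_has_spn LISTING SPN: succeed only if LISTING contains SPN exactly.
# Principals are case-sensitive: HTTP/Kerberos... and HTTP/kerberos... are
# different keys, which is why the sample keytab carries both spellings.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '$3 == spn { found = 1 } END { exit found ? 0 : 1 }'
}

# keytab_principals LISTING: print only the principal column.
keytab_principals() {
    printf '%s\n' "$1" | awk '$3 ~ /@/ { print $3 }'
}

# domain_joined OUTPUT EXPECTED: succeed if `lw-get-current-domain` output
# names EXPECTED. DNS domain names compare case-insensitively, unlike principals.
domain_joined() {
    printf '%s\n' "$1" | awk -F' = ' -v want="$2" \
        '$1 == "Current Domain" && tolower($2) == tolower(want) { ok = 1 } END { exit ok ? 0 : 1 }'
}

# aaad_last_auth LOG: report the most recent attempt in the lwagent log as
# "ok USER" (success logged), "pending USER" (attempt without a success) or "none".
aaad_last_auth() {
    printf '%s\n' "$1" | awk '
        /Trying to authenticate user/ { u = $NF; sub(/\.+$/, "", u); last = "pending " u }
        /Successfully authenticated user/ { last = "ok " $NF }
        END { print (last == "" ? "none" : last) }'
}

# On an appliance, feed the functions live output instead of the samples, e.g.
#   domain_joined "$(/opt/likewise/bin/lw-get-current-domain)" example.lab.net
#   aaad_last_auth "$(cat /tmp/aaad.debug)"
```

A "pending" result for the last entry means lwagent logged an attempt but no success yet, which is the case where restarting the process as described above is worth trying.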

Additional Resources

CTX129314 - How to Configure Kerberos Authentication on a NetScaler Appliance

CTX139133 - Kerberos SSO on NetScaler 10.1 120.13 through Kerberos Constrained Delegation or Impersonation

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.