After implementing Kerberos Single Sign-on through NetScaler, you might notice that when multiple users access the AAA-TM protected IIS web server, the server shows each user as using an incorrect Kerberos ticket, or a ticket from a different keytab.
To resolve this issue, complete any one of the following steps:
Modify IIS configuration - See "Modify the AuthPersistence Metabase Entry Controls When Clients Are Authenticated" for more information. If the "authPersistNonNTLM" setting is set to "false", change it to "true" (which is the default value for Windows Server 2008+), and also change the "AuthPersistSingleRequest" setting to "true".
Disable connection multiplexing on NetScaler - See CTX124713 - Citrix NetScaler TCP Connection Management for more information on the concept and configuration.
Note: Disabling multiplexing (TCP session reuse) on the NetScaler side might impact performance.
This is an IIS issue. By default, IIS links an established TCP socket with the Kerberos ticket presented for authentication. Because NetScaler reuses its open TCP sessions with the back-end web server, IIS incorrectly caches a successfully authenticated Kerberos ticket, and the issue occurs.
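The IIS option above can be checked and applied with the WebAdministration PowerShell module. The following is an added example, not part of the original article; the function name and the site name "Default Web Site" are assumptions, and the target values are the ones the article states.

```powershell
# Added example (not from the original article). Audits, and optionally sets, the two
# windowsAuthentication attributes the article names, for one IIS site.
Import-Module WebAdministration

function Set-AuthPersistence {            # hypothetical helper name
    param(
        [string]$Site = 'Default Web Site',   # assumption: name of the protected site
        [switch]$Apply                        # without -Apply the function only reports
    )
    # The windowsAuthentication section is typically locked at server level, so it is
    # read and written in applicationHost.config under a <location> tag for the site.
    $common = @{
        PSPath   = 'MACHINE/WEBROOT/APPHOST'
        Location = $Site
        Filter   = 'system.webServer/security/authentication/windowsAuthentication'
    }
    # Target values as stated in the article.
    $desired = [ordered]@{
        authPersistNonNTLM       = $true
        authPersistSingleRequest = $true
    }
    foreach ($name in $desired.Keys) {
        $current = (Get-WebConfigurationProperty @common -Name $name).Value
        $changed = $false
        if ($current -ne $desired[$name] -and $Apply) {
            Set-WebConfigurationProperty @common -Name $name -Value $desired[$name]
            $changed = $true
        }
        # One row per attribute: what was found, what is wanted, whether it was written.
        [pscustomobject]@{
            Site      = $Site
            Attribute = $name
            Before    = $current
            Wanted    = $desired[$name]
            Changed   = $changed
        }
    }
}

Set-AuthPersistence                 # report only
# Set-AuthPersistence -Apply        # write the values, then re-run to confirm
```

Run it in an elevated PowerShell session on the IIS server; a second report-only run after `-Apply` should show `Before` equal to `Wanted` for both attributes.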