NetScaler not doing SSO to backend server when Kerberos KCD is configured using Traffic Policy

Article ID: CTX206073


Description

SSO to the back-end server fails when Kerberos KCD is configured using a traffic policy on NetScaler. In this case the customer was load balancing Microsoft Identity Manager 2010 through NetScaler. On the client side, after authenticating on the NetScaler AAA logon page, the customer clicks the Search button, but nothing happens and the browser stays on that screen:
 

 

Resolution

The fix for this issue is included in NetScaler release 11.0-64.x. Upgrade to that build or later to resolve the issue.


 
 

Problem Cause

The issue is caused by a bug in the SSO code of the affected NetScaler builds: the front-end (client-side) TCP connection goes into a zero-window state. The client keeps sending zero-window probes asking NetScaler to reopen its receive window, but NetScaler never does. NetScaler therefore holds only part of the request body and forwards an incomplete POST request to the back-end server; the back-end never answers it, and the client never receives a response either.

The following entry from the 11.0-64.x release notes confirms the fix. Note that the entry describes the NTLM back-end case; the case above used KCD but showed the same front-end zero-window symptom:
===
 
https://download.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_0_64_34.html

 
Client traffic can slow down if ALL of the following conditions are satisfied:
- Single Sign-on (SSO) is ON.
- An HTTP POST request that requires SSO is involved.
- NTLM authentication is needed to authenticate to the back-end.
- A large payload (greater than 2 MB) is being transferred.
- The back-end server is responding slowly.
This issue is unlikely to occur if ANY ONE of the following conditions is satisfied:
- The HTTP POST request payload is in KBs.
- The back-end authentication method is non-NTLM (such as AGBasic, Form-based SSO, and KCD).
- A non-POST HTTP request is involved.
- SSO is not involved or is disabled.
Workaround: Disable SSO for HTTP POST requests.
[# 592982, 605622]
 

Additional Information

In the NetScaler trace captured in the non-working condition, the following points were observed:
Below is the POST request to backend:

POST /IdentityManagement/aspx/users/AllPersons.aspx HTTP/1.1
Accept: */*
Accept-Language: nl-BE,en-GB;q=0.5
Referer: https://xxx.xxx.com/IdentityManagement/aspx/users/AllPersons.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: xxx.xxx.com
Content-Length: 22065
DNT: 1
Connection: Keep-Alive
Cookie: MSOWebPartPage_AnonymousAccessCookie=80; WSS_KeepSessionAuthenticated=80
Accept-Encoding: identity
 
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 12.0.0.6421
X-UA-Compatible: IE=EmulateIE7
X-FRAME-Options: SameOrigin
Date: Wed, 27 Jan 2016 09:28:55 GMT
Content-Length: 0
 
Following the TCP stream between the client and the CS vserver IP address and scrolling to the bottom of the Wireshark trace, we see NetScaler reduce its advertised receive window to 416 bytes and then to zero. The client then sends zero-window probes asking NetScaler to increase the window, but NetScaler never does:

User-added image

Checking further in the nstrace, NetScaler does send the POST request to the back-end server with an Authorization: Negotiate header, as shown below. Because of the zero-window condition on the front end, however, NetScaler never receives the rest of the body from the client and so never forwards the complete request to the back-end:

Filter on the back-end server IP address, or follow the back-end stream (this shows the back-end communication that follows the zero-window advertisements sent by NetScaler):

User-added image


In the working nstrace, the same POST request is complete, as shown below:
 
User-added image (here NetScaler passes the full request body to the back-end, unlike the truncated request in the non-working scenario above)
 
Below is the response to the successful POST request above:

User-added image
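The two observations made on the traces above (a front-end window that collapses to 416 bytes and then zero and is never reopened, and a POST toward the back-end that carries fewer body bytes than its Content-Length declares) can be checked mechanically rather than by scrolling through Wireshark. The script below is an added example and is not part of the original article or of any Citrix tooling. Its segment records are constructed to mirror the case (in practice they would come from `tshark -r trace.cap -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.window_size_value -e tcp.len`), the request bytes reuse the request line and Content-Length from the trace above with a constructed body, and the addresses 10.0.0.50 and 10.0.0.10 are assumed placeholders.

```python
"""Mechanizes the two checks made on the traces above: does the appliance's
advertised window to the client collapse to zero and never reopen, and does the
POST toward the back-end carry as many body bytes as its Content-Length declares?
All segments and bytes below are constructed to mirror the case described."""
from dataclasses import dataclass
from typing import List, Optional

CLIENT = "10.0.0.50"   # assumed client address (placeholder)
CS_VIP = "10.0.0.10"   # assumed CS vserver address, i.e. the NetScaler front end


@dataclass(frozen=True)
class Segment:
    """One TCP segment as exported by tshark -T fields (frame.time_relative,
    ip.src, ip.dst, tcp.window_size_value, tcp.len)."""
    t: float
    src: str
    dst: str
    window: int    # receive window the sender advertises
    payload: int   # TCP payload bytes carried


@dataclass
class StallReport:
    last_window_before_zero: Optional[int]  # 416 in the case above
    zero_window_at: Optional[float]         # when the appliance first advertised 0
    probes_from_client: int                 # <=1-byte client segments while stalled
    reopened: bool                          # did the appliance ever advertise >0 again

    @property
    def stalled(self) -> bool:
        return self.zero_window_at is not None and not self.reopened


def find_window_stall(segments: List[Segment], appliance_ip: str, client_ip: str) -> StallReport:
    """A stall is a zero window from the appliance that no later window update
    follows; client segments of at most one byte after it count as probes."""
    prev_window = last_before_zero = zero_at = None
    probes, reopened = 0, False
    for s in sorted(segments, key=lambda x: x.t):
        if s.src == appliance_ip and s.dst == client_ip:
            if s.window == 0 and zero_at is None:
                zero_at, last_before_zero = s.t, prev_window
            elif s.window > 0 and zero_at is not None:
                reopened = True          # window update: the transfer can resume
            prev_window = s.window
        elif s.src == client_ip and s.dst == appliance_ip:
            if zero_at is not None and not reopened and s.payload <= 1:
                probes += 1
    return StallReport(last_before_zero, zero_at, probes, reopened)


@dataclass
class BodyReport:
    declared: Optional[int]   # Content-Length, None if absent or unparsable
    received: int             # body bytes present after the header block
    missing: Optional[int]    # declared - received, None if undeclared
    complete: Optional[bool]  # None when it cannot be judged


def check_post_body(raw: bytes) -> BodyReport:
    """Compare the declared Content-Length with the body bytes actually present in
    a reassembled stream (chunked transfer encoding is not handled here)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return BodyReport(None, 0, None, None)   # header block never completed
    declared = None
    for line in head.split(b"\r\n")[1:]:         # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            declared = int(value.strip())
    if declared is None:
        return BodyReport(None, len(body), None, None)
    missing = max(declared - len(body), 0)
    return BodyReport(declared, len(body), missing, missing == 0)


# Non-working front end: window shrinks to 416, then 0, and every client probe is
# answered with another zero window (constructed data).
NONWORKING_SEGMENTS = [
    Segment(0.000, CLIENT, CS_VIP, 65535, 1460), Segment(0.001, CS_VIP, CLIENT, 65535, 0),
    Segment(0.010, CLIENT, CS_VIP, 65535, 1460), Segment(0.011, CS_VIP, CLIENT, 416, 0),
    Segment(0.020, CLIENT, CS_VIP, 65535, 416),  Segment(0.021, CS_VIP, CLIENT, 0, 0),
    Segment(0.220, CLIENT, CS_VIP, 65535, 1),    Segment(0.221, CS_VIP, CLIENT, 0, 0),
    Segment(0.620, CLIENT, CS_VIP, 65535, 1),    Segment(0.621, CS_VIP, CLIENT, 0, 0),
]
# Working front end: a brief zero window followed by a window update (constructed).
WORKING_SEGMENTS = [
    Segment(0.000, CLIENT, CS_VIP, 65535, 1460), Segment(0.001, CS_VIP, CLIENT, 65535, 0),
    Segment(0.010, CLIENT, CS_VIP, 65535, 1460), Segment(0.011, CS_VIP, CLIENT, 0, 0),
    Segment(0.050, CS_VIP, CLIENT, 65535, 0),    Segment(0.060, CLIENT, CS_VIP, 65535, 1460),
]
# Request head as forwarded to the back-end (Negotiate token omitted); body constructed.
REQUEST_HEAD = (
    b"POST /IdentityManagement/aspx/users/AllPersons.aspx HTTP/1.1\r\n"
    b"Host: xxx.xxx.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    b"Content-Length: 22065\r\n"
    b"Authorization: Negotiate <token omitted>\r\n\r\n"
)
TRUNCATED_POST = REQUEST_HEAD + b"x" * 2920     # only two segments of body went through
COMPLETE_POST = REQUEST_HEAD + b"x" * 22065

if __name__ == "__main__":
    for report in (find_window_stall(NONWORKING_SEGMENTS, CS_VIP, CLIENT),
                   find_window_stall(WORKING_SEGMENTS, CS_VIP, CLIENT),
                   check_post_body(TRUNCATED_POST), check_post_body(COMPLETE_POST)):
        print(report)
```

Run against a real capture, feed `find_window_stall` the segments of the client-to-CS-vserver stream and `check_post_body` the raw bytes of the back-end stream as exported by "Follow TCP Stream"; a `StallReport` with `stalled` set together with a `BodyReport` whose `missing` is non-zero is the signature described in this article, as opposed to a back-end that merely answers slowly.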