Kerberos authentication fails through NetScaler VPN after upgrade to NetScaler 11
Article ID: CTX213691
Description
After the NetScaler upgrade, users were prompted to log in again when connected to an SSL VPN and connecting to internal resources.
Resolution
To solve this, we added the traffic policy below and bound it to the Gateway:
add vpn trafficAction sso-disable http -SSO OFF -kcdAccount NONE
add vpn trafficPolicy sso-pol "REQ.HTTP.HEADER Authorization EXISTS && REQ.IP.DESTIP == xx.xx.xx.xx" sso-disable
Where xx.xx.xx.xx is the IP address of the backend server the client is trying to connect to.
Problem Cause
NetScaler 11 seems to corrupt the Authorization header and fails to perform SSO actions.
This causes NetScaler to send another login prompt to the client.
In SSL VPN sessions, the client should be performing all the SSO actions using the Kerberos ticket.