Netscaler Kerberos authentication with multiple UPN in AD


Article ID: CTX220260


Description

We are trying to configure Kerberos authentication on Netscaler. Our AD domain is example.com and we have multiple UPN suffixes configured in our Active Directory. If we test authentication of a user whose UPN ends in @example.com, it works. If we test authentication of a user whose UPN does not match the AD domain, it does not work.

During nskrb kgetcred, Netscaler returns the following error: kgetcred: krb5_get_creds: KDC policy rejects request.


Instructions

  • Use the AD domain (the Kerberos realm) as the default domain; users can still log on with the alternate UPN suffix on the front end. LDAP authentication on the front end will work, because it searches the entire AD and finds the user by UPN.
  • For the back-end Kerberos authentication, Netscaler appends the default domain to the user name and then uses the service (delegated) account to obtain tickets on behalf of the user.
  • The sAMAccountName (pre-Windows 2000 user name) and the user logon name (the prefix of the UPN) must always match. Otherwise you will get a Kerberos error stating that the client could not be found in the database.


Additional Information

Alternative UPN suffixes are an Active Directory feature; the real Kerberos principal name is still the sAMAccountName.
So you can map an alternate UPN suffix to the user in AD and Kerberos delegation will work, but the User logon name attribute and the sAMAccountName (User logon name pre-Windows 2000) must match.
If you have a domain “example.com” and an alternative suffix of “example.net”, you can specify the domain “example.com” as your realm, change the UPN suffix of the user to “example.net”, and it will work.
What happens during the Kerberos SSO is that NS appends the realm “example.com” to the user name and then obtains a TGT and a TGS using the delegated user account.
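The mapping described above, as an added illustration that is not part of the original article: the front end accepts any UPN found in AD, while the back-end KCD request keeps only the user part and appends the configured realm, so the KDC looks for sAMAccountName@REALM. The sample directory entries and the realm are constructed for the example; the check at the end lists users whose UPN prefix differs from their sAMAccountName, which is the condition the article says breaks Kerberos SSO.

```python
"""Model how Netscaler KCD turns a front-end login into a Kerberos principal.

Front-end LDAP finds the user by UPN (e.g. test@example.net). For the back-end
S4U2Self request Netscaler drops the @suffix and appends the KCD realm, so the
KDC is asked for sAMAccountName@REALM. If the UPN prefix differs from the
sAMAccountName, the KDC cannot find the client.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str      # "User logon name (pre-Windows 2000)"
    user_principal_name: str   # "User logon name" including its suffix


# Constructed sample directory (hypothetical accounts): realm example.com,
# alternative UPN suffix example.net registered in the forest.
DIRECTORY = [
    AdUser("test", "test@example.net"),       # prefix == sAMAccountName: works
    AdUser("jdoe", "john.doe@example.net"),   # prefix != sAMAccountName: fails
    AdUser("asmith", "asmith@example.com"),   # default suffix: works
]


def kcd_principal(login: str, realm: str) -> str:
    """Mimic ns_process_kcd_req: keep the user part, append the KCD realm."""
    user = login.split("@", 1)[0]
    return f"{user}@{realm.upper()}"


def kdc_lookup(principal: str, directory):
    """The KDC matches the user part of a non-enterprise name to sAMAccountName."""
    user = principal.split("@", 1)[0]
    for entry in directory:
        if entry.sam_account_name.lower() == user.lower():
            return entry
    return None  # "client could not be found in the database"


def check_user(login: str, realm: str, directory=DIRECTORY):
    """Return (principal Netscaler will request, whether S4U2Self can succeed)."""
    principal = kcd_principal(login, realm)
    return principal, kdc_lookup(principal, directory) is not None


def users_with_mismatch(directory=DIRECTORY):
    """Pre-flight check: UPNs whose prefix differs from the sAMAccountName."""
    return [u.user_principal_name for u in directory
            if u.user_principal_name.split("@", 1)[0].lower()
            != u.sam_account_name.lower()]
```

Run the same check against a real export of userPrincipalName and sAMAccountName before enabling KCD, and fix any account the mismatch list reports.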
 
I have a user named “test” who has the alternative suffix “example.net”, for which front-end authentication is LDAP, and I can see the following in the aaa debug:
 
receive_ldap_bind_event User name: dirty = <test@example.net> sanitized = <test@example.net>
ns_ldap_search Searching for <<(& (userPrincipalName=test@example.net) (objectClass=*))>> from base <<dc=example,dc=com>>
receive_ldap_user_search_event received LDAP_OK
receive_ldap_user_search_event User DN= <<CN=test 1,CN=Users,DC=example,DC=com>>
extract_ldap_attribute retrieved userPrincipalName value test@example.net for test@example.net
send_accept sending accept to kernel for : test@example.net
 
Then later, when Kerberos SSO happens in the back end, I see:
 
ns_process_kcd_req username is test
ns_process_kcd_req realm is EXAMPLE.COM
ns_process_kcd_req svc is sf.example.com
ns_process_kcd_req delegated_user len is 10 value is deligator
ns_process_kcd_req user non-enterprise username test@EXAMPLE.COM    >> Here we are appending the realm configured in KCD account settings to the username
ns_process_kcd_req tgt ticket cachename is /var/krb/tgt_deligator_EXAMPLE.COM
ns_process_kcd_req delegated cachename is /var/krb/s4u_test_EXAMPLE.COM_deligator_EXAMPLE.COM
ns_process_kcd_req tgs cachename is /var/krb/tgs_test_EXAMPLE.COM_sf.example.com_EXAMPLE.COM
s4u_test_EXAMPLE.COM_deligator_EXAMPLE.COM does not contain ticket for deligator@EXAMPLE.COM
ns_kgetcred krb5_get_creds returned 0, svcname deligator@EXAMPLE.COM, impersonate str test@EXAMPLE.COM, deleg NULL outcache /var/krb/s4u_test_EXAMPLE.COM_deligator_EXAMPLE.COM
ns_kgetcred successfully written credentials to cache file /var/krb/s4u_test_EXAMPLE.COM_deligator_EXAMPLE.COM
ns_process_kcd_req service name for s4u2proxy is HTTP/sf.example.com@EXAMPLE.COM
ns_kgetcred krb5_get_creds returned 0, svcname HTTP/sf.example.com@EXAMPLE.COM, impersonate str NULL, deleg /var/krb/s4u_test_EXAMPLE.COM_deligator_EXAMPLE.COM outcache /var/krb/tgs_test_EXAMPLE.COM_sf.example.com_EXAMPLE.COM
ns_serialize_creds client name in creds: test@EXAMPLE.COM
ns_serialize_creds server name in creds:len 25 HTTP/sf.example.com@EXAMPLE.COM