How to Configure NetScaler Gateway for Kerberos Constrained Delegation

Article ID: CTX236593

Description

What if the user does not send their credentials to the NetScaler?

This is where we need to use Kerberos Constrained Delegation (KCD): the NetScaler obtains a Kerberos ticket to the back-end web server on the user's behalf, using a dedicated delegation account, without ever holding the user's password. This is trickier to set up, as it involves the following:
  • A NetScaler user account in Active Directory that will act as the KCD (delegation) user.
  • An http Service Principal Name (SPN) for the vServer URL (the NetScaler Gateway or LB vServer), registered on the NetScaler account with the setspn tool.
  • Delegation of the http service on the target web server to the NetScaler account.
  • The KCD account added on the NetScaler, either by creating a keytab file and uploading it, or by entering the KCD username and password manually.

Instructions

1. Create the NetScaler user account in Active Directory.

2. Add the SPN for the NetScaler Gateway vServer with the following command:

   setspn -A http/<NetScaler Gateway fqdn> <domain\Kerberos user>

3. Confirm the SPNs registered on the Kerberos user with the command:

   setspn -l <Kerberos user>

4. In the example below, I have added the SPN for the NetScaler Gateway vServer that I want the KCD account to be able to access.

   [screenshot: setspn -l output listing the Gateway SPN]

   Check for any duplicate SPN entries now, as duplicates will cause authentication problems later:

   setspn -X

5. Notice that the ‘Delegation’ tab appears on the user account after the setspn command has run. Choose the ‘Trust this user for delegation to specified services only’ option and ‘Use any authentication protocol’. Add the web server and select the http service.

6. Create a KCD Account for the NetScaler user. Here we opted to do this manually, but you can also create a keytab file.
  • NOTE: If you are using alternate domains (an internal domain and an external domain), then you must set the Service SPN to HTTP/PublicFQDN.com@InternalDomain.ext
  • Realm - the Kerberos realm, usually your internal domain suffix.
  • User Realm - your users' internal domain suffix.
  • Enterprise Realm - only required in certain KDC deployments where the KDC expects an enterprise username instead of a principal name.
  • Delegated User - the NetScaler user account for KCD that you created in AD in the prior steps. Ensure the password is correct.

7. Ensure the Session Profile for the NetScaler Gateway vServer is using the right KCD account. Also enable SSO to web applications.
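The whole procedure above, scripted end to end, as an added example that is not part of the Citrix article: the Active Directory side of steps 1 to 5 is done with the RSAT ActiveDirectory PowerShell module (plus setspn for the listing), and the script then prints the NetScaler CLI lines for steps 6 and 7 using the same values. The domain, account name, FQDNs and OU path are constructed placeholders; the NetScaler commands shown are the standard add aaa kcdAccount and set vpn sessionAction commands, with <password> and <session-profile> left for you to fill in.

```powershell
# Added example, not from the Citrix article: AD side of steps 1 to 5 as a
# script, followed by the NetScaler CLI lines for steps 6 and 7. Requires the
# RSAT ActiveDirectory module and an account allowed to create users and write
# delegation attributes in the domain. Every name below is a constructed
# placeholder; replace it with your own values.

Import-Module ActiveDirectory

$Domain        = 'internal.ext'                            # internal AD DNS domain (assumed)
$KcdUser       = 'svc-nskcd'                               # sAMAccountName of the KCD account (assumed)
$GatewayFqdn   = 'gateway.example.com'                     # public FQDN of the Gateway vServer (assumed)
$WebServerFqdn = 'webapp01.internal.ext'                   # back-end web server delegated to (assumed)
$OuPath        = 'OU=Service Accounts,DC=internal,DC=ext'  # OU for the account (assumed)
$Password      = Read-Host -AsSecureString 'Password for the KCD account'

# Step 1: create the delegation account. The NetScaler stores this password
# (or a keytab derived from it), so it must not expire and must not be
# shared with any other service.
New-ADUser -Name $KcdUser -SamAccountName $KcdUser `
    -UserPrincipalName "$KcdUser@$Domain" -Path $OuPath `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true

# Step 2: register the Gateway's http SPN on the account
# (same effect as: setspn -A http/$GatewayFqdn $Domain\$KcdUser).
Set-ADUser -Identity $KcdUser -ServicePrincipalNames @{ Add = "http/$GatewayFqdn" }

# Steps 3 and 4: confirm the SPN and check for duplicates. setspn -X scans the
# whole forest; the LDAP query below checks just this SPN. A duplicate SPN
# makes the KDC encrypt tickets with the wrong account's key and breaks KCD.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=http/$GatewayFqdn)"
if (@($holders).Count -ne 1) {
    throw "Expected exactly one account holding http/$GatewayFqdn, found $(@($holders).Count): $($holders.DistinguishedName -join '; ')"
}
setspn -L $KcdUser

# Step 5: constrained delegation to the web server's http service only, with
# protocol transition ('Use any authentication protocol'). Protocol transition
# is required because the user never presented a Kerberos ticket to the
# Gateway, so there is no ticket for the NetScaler to forward.
Set-ADUser -Identity $KcdUser -Add @{ 'msDS-AllowedToDelegateTo' = "http/$WebServerFqdn" }
Set-ADAccountControl -Identity $KcdUser -TrustedToAuthForDelegation $true

# Show what the GUI 'Delegation' tab would display.
$acct = Get-ADUser -Identity $KcdUser -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
[PSCustomObject]@{
    Account            = $acct.SamAccountName
    SPNs               = $acct.ServicePrincipalNames -join ', '
    DelegateTo         = $acct.'msDS-AllowedToDelegateTo' -join ', '
    ProtocolTransition = $acct.TrustedToAuthForDelegation
} | Format-List

# Steps 6 and 7: NetScaler CLI, typed into the NetScaler shell (not PowerShell).
# Realm and User Realm are the internal domain in upper case. -serviceSPN is the
# HTTP/PublicFQDN@INTERNALREALM form that the note in step 6 requires when the
# public and internal domains differ. Replace <password> and <session-profile>.
$Realm = $Domain.ToUpper()
@"
add aaa kcdAccount kcd_$KcdUser -realmStr $Realm -userRealm $Realm -delegatedUser $KcdUser -kcdPassword <password> -serviceSPN HTTP/$GatewayFqdn@$Realm
set vpn sessionAction <session-profile> -sso ON -kcdAccount kcd_$KcdUser
"@
```

The script deliberately throws before touching delegation if the Gateway SPN is held by more than one account, which is the situation step 4 warns about. The delegation target http/<web server FQDN> is only useful if the web server's computer account (or the account its application pool runs as) actually holds that SPN or the matching host/ SPN, so check that side as well before testing SSO.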
