Netscaler Traffic Policy - 407 Proxy Authentication fails. Netscaler sends ‘NETSCALER’ as Domain instead of the configured domain under VPN Session Action.

Article ID: CTX219351

Description

Issue: 407 authentication to the proxy server fails.

Take a NetScaler trace and check the domain suffix the NetScaler sends. If the captures show ‘NETSCALER’ instead of the configured/required domain (ZGKB), the resolution below applies.

Resolution

1. When the user enters only the sAMAccountName but the domain from the ntDomain setting should be used, enable the knob ns_sso_ntlm_use_ntdomain.

This behaviour sits behind a knob for backward compatibility, as many customers use NTLM in their current setup.

Run it from the NetScaler shell: nsapimgr_wr.sh -ys call=ns_sso_ntlm_use_ntdomain

NOTE: Custom nsapimgr-based commands do not persist across a NetScaler system restart, so add the same command to the /nsconfig/rc.netscaler file on the NetScaler for it to survive a restart.
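The persistence step is the one most often missed: the knob takes effect immediately but is gone after a reboot unless the call is in rc.netscaler, and appending it blindly on every maintenance window leaves duplicate lines. The following POSIX shell helper is an added example, not part of the Citrix article, that applies the knob only when run on an appliance and appends the call to rc.netscaler only if an identical line is not already present. The RC_FILE override and the NS_APPLY switch are assumptions introduced here so the function can be exercised on a scratch file; the command string and the /nsconfig/rc.netscaler path are the ones the article names.

```shell
#!/bin/sh
# Added example (not from the Citrix article): make the ns_sso_ntlm_use_ntdomain
# knob persistent by appending the nsapimgr_wr.sh call to rc.netscaler exactly once.
# RC_FILE is an assumed override so the helper can be tested against a scratch file;
# the default is the path the article gives.
RC_FILE="${RC_FILE:-/nsconfig/rc.netscaler}"
KNOB_CMD="nsapimgr_wr.sh -ys call=ns_sso_ntlm_use_ntdomain"

# persist_knob FILE: append KNOB_CMD to FILE unless an identical line already exists.
# Prints "added" or "present" and returns 0; returns 1 if FILE cannot be written.
persist_knob() {
    file="$1"
    [ -e "$file" ] || : > "$file" || return 1
    # -x matches the whole line, -F takes the command literally (no regex metacharacters)
    if grep -qxF "$KNOB_CMD" "$file"; then
        echo present
    else
        printf '%s\n' "$KNOB_CMD" >> "$file" || return 1
        echo added
    fi
}

# knob_count FILE: number of lines in FILE that carry the knob call (expected: 1).
knob_count() {
    grep -cxF "$KNOB_CMD" "$1"
}

# On the appliance, run with NS_APPLY=1 (assumed switch) to enable the knob now
# and persist it. Off-appliance the functions are only defined, nothing is changed.
if [ "${NS_APPLY:-0}" = 1 ]; then
    if command -v nsapimgr_wr.sh >/dev/null 2>&1; then
        $KNOB_CMD
    else
        echo "nsapimgr_wr.sh not found; run this on the NetScaler shell" >&2
    fi
    echo "rc.netscaler: $(persist_knob "$RC_FILE") ($(knob_count "$RC_FILE") line(s))"
fi
```

After a restart, confirm the knob is active by checking rc.netscaler contains the line once and by re-taking a trace: the NTLM Type 3 message should now carry the ntDomain value rather than NETSCALER.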


2. Verify the session action used by the Session Policy is configured as in the following example (note the -ntDomain setting):

add vpn sessionAction AC_AG_PLG_10.104.22.10_A_ -splitDns BOTH -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://x.test.com:8443/Citrix/StoreWeb" -icaProxy OFF -ClientChoices OFF -ntDomain test.com -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://x.test.com:8443"

Problem Cause

If the user authenticates using the “sAMAccountName”, NetScaler sends only the username without a domain, which is the expected behaviour.
 
Here’s how it works:

1. User enters domain\username on the NetScaler login page: NetScaler uses the username and domain the user entered during NTLM SSO.

2. User enters sAMAccountName: NetScaler uses only the username in NTLM and picks the domain from the server's Type 2 message. If the server does not send a domain, it uses the default NETSCALER.

3. User enters UPN: NetScaler uses the UPN with an empty domain field.
