How does Negotiate authentication work on an AAA-TM vServer for External Clients?



Article ID: CTX222568


Description

How does Negotiate authentication work on an AAA-TM vServer for External Clients?

CTX222386 discusses how internal clients are authenticated through an AAA vServer that uses the Negotiate authentication method. However, if the user cannot reach the KDC to obtain a ticket to present to the AAA vServer, the Negotiate method needs to fall back to NTLM. Below is an outline of the process.
  1. Stage 1: When a client is not able to reach the KDC, such as a client that is not on the domain, it is sent the same 401 Unauthorized response offering Negotiate or NTLM.
  2. Stage 2: The client opts for NTLM because it cannot use Negotiate. The Negotiate Server configuration on the NetScaler includes an NTLM Path for this case. The NetScaler makes a GET request for the resource hosted on this path, which points to a web page hosted either on the same or a different web server that accepts NTLM authentication. The web server responds with the NTLM challenge and the NetScaler forwards it to the client.
  3. Stage 3: At this point the client is prompted for credentials. The NetScaler forwards them to the web server specified in the NTLM Path. If authentication succeeds, the web server returns an HTTP 200 OK response to the NetScaler.
  4. Stage 4: The NetScaler uses this response to initiate its GET request to the original web server that the client wishes to access. The web server replies with a Negotiate authentication challenge and the NetScaler then contacts the KDC for a ticket in the same manner as before, using the KCD account.

Take a look at the following flow chart for this process:

Negotiate External Flow Chart
In this flow, the NetScaler contacts the KDC because tickets had been purged on both the KDC and the NetScaler beforehand, so no cached ticket could be reused.
  1. The client makes a GET request to the LB vServer. The LB vServer contacts the AAA vServer.
  2. The AAA vServer is configured with a Negotiate policy and therefore returns a 401 Unauthorized to the client. It offers the client two choices for authentication: Negotiate or NTLM.
  3. The client, being external, cannot reach the KDC, so it responds with another GET request and specifies NTLM authentication.
  4. This triggers the NetScaler to send a GET request, specifying NTLM authentication, for the resource on the web server that is configured as the NTLM path in the Negotiate policy.
  5. The NTLM web server returns a 401 challenge.
  6. The NetScaler passes this challenge to the client. At this point, the client is prompted to enter their username, domain and password.
  7. The client sends their credentials in UPN format to the NetScaler.
  8. The NetScaler responds to the NTLM web server with the same credentials in UPN format.
  9. The NTLM web server returns a 200 OK if the credentials are valid.
  10. This triggers the NetScaler to make a GET request to the original web server that is load balanced by the TM vServer.
  11. The web server returns a 401 Unauthorized and offers Negotiate or NTLM authentication.
  12. At this point the NetScaler authenticates to the KDC using its KCD user account.
  13. The NetScaler now requests a TGS ticket for the http service on that web server from the KDC, on behalf of the client, using its KCD user credentials.
  14. When the NetScaler receives the ticket, it makes another GET request and sends the ticket to the web server.
  15. The web server replies with a 200 OK and this is sent back to the client, allowing them to access the web server.
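As an added illustration (not part of the Citrix article), the following Python models the 15 steps above as a stage classifier over a message trace, so that a captured exchange can be checked against the expected Negotiate-with-NTLM-fallback sequence and the point where it stalled (for example, credentials rejected by the NTLM path) can be named. The trace line format, the host labels (client, ns, ntlmpath, kdc, backend) and the sample lines are all constructed assumptions, not Citrix output.

```python
import re
# Constructed trace of a successful external-client flow: "src>dst status-or-method detail".
SAMPLE_TRACE = [
    "client>ns GET /app",
    "ns>client 401 WWW-Authenticate: Negotiate, NTLM",          # stage 1
    "client>ns GET /app Authorization: NTLM <type1>",
    "ns>ntlmpath GET /ntlm Authorization: NTLM <type1>",        # stage 2
    "ntlmpath>ns 401 WWW-Authenticate: NTLM <type2>",
    "ns>client 401 WWW-Authenticate: NTLM <type2>",
    "client>ns GET /app Authorization: NTLM <type3>",           # stage 3
    "ns>ntlmpath GET /ntlm Authorization: NTLM <type3>",
    "ntlmpath>ns 200",
    "ns>backend GET /app",                                      # stage 4
    "backend>ns 401 WWW-Authenticate: Negotiate, NTLM",
    "ns>kdc TGS-REQ HTTP/backend on-behalf-of user@domain",
    "ns>backend GET /app Authorization: Negotiate <ticket>",
    "backend>ns 200",
    "ns>client 200",
]
LINE_RE = re.compile(r"^(\w+)>(\w+) (\S+)(?: (.*))?$")

def offered_schemes(detail):
    """Schemes listed in a WWW-Authenticate header, e.g. ['Negotiate', 'NTLM']."""
    m = re.search(r"WWW-Authenticate:\s*(.*)", detail)
    return [s.strip().split()[0] for s in m.group(1).split(",")] if m else []

def classify(trace):
    """Walk the trace and report the last stage reached plus why the flow stopped there."""
    stage, ntlm_401s, notes = 0, 0, []
    for line in trace:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed trace line: {line!r}")
        src, dst, what, detail = m.group(1), m.group(2), m.group(3), m.group(4) or ""
        if stage == 0 and (src, dst, what) == ("ns", "client", "401"):
            if {"Negotiate", "NTLM"} <= set(offered_schemes(detail)):
                stage = 1; notes.append("AAA vServer offered Negotiate or NTLM")
        elif stage == 1 and (src, dst) == ("ns", "ntlmpath"):
            stage = 2; notes.append("client fell back to NTLM; NetScaler queried the NTLM path")
        elif stage == 2 and (src, dst, what) == ("ntlmpath", "ns", "401"):
            ntlm_401s += 1  # first 401 is the challenge; a second one means bad credentials
            notes.append("NTLM challenge issued" if ntlm_401s == 1 else "NTLM path rejected credentials")
        elif stage == 2 and (src, dst, what) == ("ntlmpath", "ns", "200"):
            stage = 3; notes.append("NTLM path accepted credentials")
        elif stage == 3 and (src, dst) == ("ns", "kdc"):
            stage = 4; notes.append("NetScaler requested a ticket from the KDC via the KCD account")
        elif stage == 4 and (src, dst, what) == ("ns", "client", "200"):
            notes.append("backend 200 relayed to client")
            return {"stage": 4, "complete": True, "notes": notes}
    return {"stage": stage, "complete": False, "notes": notes}
```

Running `classify(SAMPLE_TRACE)` reports stage 4 complete; truncating the trace after the type3 message and appending a second 401 from the NTLM path reports stage 2 with the credentials rejected.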

Issue/Introduction

This article outlines the process of authenticating an external user using the Negotiate AAA authentication method.
