This article describes how to disable Single Sign-On in NetScaler.

Background

In XenMobile, in some use cases the app may want to perform NTLM authentication of a user that was not used during enrollment. In such situation, the app uses Full Tunnel mode and so would like to send the credentials itself. If Single Sign-On (SSO) is ON in NetScaler, then the NetScaler will try to perform the authentication using the enrolled user credentials when the backed server asks for credentials. However, that is not what we want in this use case. So, we will need to disable SSO in NetScaler so that the app can provide the credentials and complete the NTLM authentication.


 

Instructions

Complete the following steps to disable Single Sign-On in NetScaler:

1. Login to NetScaler administrative access website.

2. Go to NetScaler Gateway > Policies > Traffic and click Traffic Profiles tab.

   

3. Click Add button. In the Create Traffic Profile screen, provide a Profile name and set Single Sign-On to OFF for HTTP protocol. Click Create button at the bottom of the screen.

   

4. After the profile is created, go to the Traffic Policies tab and click Add button.

   

5. Provide a Name to Traffic policy, then select the traffic profile and click the Expression Editor.

   

6. In the Expression Editor, select Qualifier as HEADER , Operator as Contains, Value as the IP of the web service machine, and Header Name as Host and then click Done button.

   

7. After that you will see the expression to the policy as shown below:

   

8. Now bind the Traffic policy to virtual server. To do this go to Virtual Servers and click the virtual server listed.

   

9. We see the VPN Virtual Server information page. Click the SSL Policies on the right or scroll to Policies.

   

10. Click the + (Plus) button in the Policies section.

    

11. Select Choose Policy type as Traffic and click Continue.

    

12. Click the Select Policy button under Policy Binding.

    

13. Select the Traffic Policy and click Select button.

    

14. Click the Bind button.

    

15. This will bind the Traffic policy that has SSO off for the request having Host IP as specified in the Host field of the header. The policies section will show the additional Traffic Policy that we added.