Implementing Single Sign On with NetScaler and Kerberos Constrained Delegation (KCD)

I wrote a manual on how to realize a Single Sign-On (SSO) solution with Kerberos Constrained Delegation (KCD) and NetScaler. With KCD it is possible to restrict the delegation to specific services/protocols on a server.
You need this if NetScaler does not know the user's password. If it does know the user's password, you can realize the SSO with Kerberos impersonation instead.
That will be a separate post.

Let's start with creating a KCD account.

1. Create KCD Accounts

Create the KCD account in Active Directory.

Select "Password never expires" for this account.

1.1 Enable the delegation tab for this user

You can activate it with setspn (available if you have the Active Directory Domain Services (AD DS) server role installed). It needs to be run from an elevated command prompt:

setspn -A host/KCDTest@simon.ns simon\KCDTest

1.2 Choose the delegation option

Here you need to choose "Trust this user for delegation to specified services only" and also "Use any authentication protocol".

Press Add and enter the name of your web server.

As service you need to choose http.

After this step, export the keytab file. Use the following command to do this:

ktpass /princ http/KCDTest@simon.NS /ptype KRB5_NT_PRINCIPAL /mapuser simon\KCDTest /pass Start123 -out C:\kcdneu2.keytab

Once the command has run, copy the keytab file to the NetScaler directory /nsconfig/krb, for example with FileZilla or any other SCP/SFTP program.
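Before the keytab goes onto the NetScaler it is worth checking what ktpass actually wrote into it: a principal whose case or realm does not match what the KCD account expects, or a keytab that only holds RC4/DES keys, are the usual reasons the SSO later fails silently. The following Python script is an added example and not part of the original post or of NetScaler: it parses the MIT keytab v2 format that ktpass produces and reports the principals, key version numbers and encryption types it finds. The embedded sample keytabs are constructed inline with dummy keys (not real ktpass output); in them the realm is written upper-case, as Kerberos expects, so check your own file against the principal exactly as ktpass printed it.

```python
import struct

# Kerberos encryption-type numbers from the IANA/RFC 3961 registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}      # DES and RC4: a keytab holding only these is a finding
KRB5_NT_PRINCIPAL = 1           # the /ptype value used in the ktpass command above


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def build_keytab_entry(components, realm, enctype, key, kvno, name_type=KRB5_NT_PRINCIPAL):
    """Serialise one keytab v2 entry (used here only to construct the sample data)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)       # keyblock: enctype + key bytes
    body += struct.pack(">I", kvno)                          # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes):
    """Parse an MIT-format keytab (version 0x0502, which ktpass writes) into a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab, header is %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _read_counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(data, p)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        (enctype,) = struct.unpack_from(">H", data, p); p += 2
        key, p = _read_counted(data, p)
        kvno = vno8
        if end - p >= 4:             # 32-bit kvno present; it overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "kvno": kvno,
            "enctype": enctype, "key_len": len(key),
        })
        pos = end
    return entries


def check_keytab(data: bytes, expected_principal: str):
    """Summarise what the keytab holds for the principal the NetScaler KCD account will use."""
    entries = parse_keytab(data)
    match = [e for e in entries if e["principal"] == expected_principal]
    return {
        "principal_found": bool(match),
        "principals": sorted({e["principal"] for e in entries}),
        "name_type_ok": all(e["name_type"] == KRB5_NT_PRINCIPAL for e in match),
        "kvnos": sorted({e["kvno"] for e in match}),
        "enctypes": sorted({ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in match}),
        "weak_only": bool(match) and all(e["enctype"] in WEAK_ENCTYPES for e in match),
    }


# Constructed sample keytabs with dummy keys (not real ktpass output).
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_keytab_entry(["http", "KCDTest"], "SIMON.NS", 23, b"\x11" * 16, 3)
    + build_keytab_entry(["http", "KCDTest"], "SIMON.NS", 18, b"\x22" * 32, 3)
)
SAMPLE_RC4_ONLY = b"\x05\x02" + build_keytab_entry(["http", "KCDTest"], "SIMON.NS", 23, b"\x11" * 16, 3)

if __name__ == "__main__":
    import sys
    # Usage: python keytab_check.py C:\kcdneu2.keytab  (falls back to the sample without an argument)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    print(check_keytab(data, "http/KCDTest@SIMON.NS"))
```

The comparison of principal and realm is deliberately case-sensitive, because Kerberos treats them that way: a keytab written for http/KCDTest@simon.NS will not serve a KCD account that expects http/KCDTest@SIMON.NS. If the report shows weak_only as True, the keytab carries only RC4/DES keys and the service account should be re-keyed with AES before the keytab is copied to /nsconfig/krb.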

1.3 Configure IIS

Disable all authentication methods except "Windows Authentication".

On the right side choose Advanced Settings and disable "Kernel-mode authentication".

After this, also on the right side, open Providers:

Remove the default providers and add "Negotiate:Kerberos".


1.4 Create a KCD Account

Go to Security – AAA Application Traffic – KCD Accounts – Add

Choose the option "Use keytab file" and select the file you created before.

1.5 Create lbsvc

Go to Traffic Management – Load Balancing – Services – Add

Add your web server and choose HTTP as protocol.
Double-click the created service and edit its settings. You need to activate "Surge Protection".

1.6 Create lb_vs

Go to Traffic Management – Load Balancing – Virtual Servers – Add
As protocol, choose SSL.

Double-click the load balancing vserver and bind the created service under "Load Balancing Virtual Server Service Binding".

Go to SSL Parameters and enable Client Authentication.

Set Client Certificate to "Mandatory".

Under Certificates install a server certificate and a CA certificate.

1.8 Create AAA VS

Go to Security – AAA Application Traffic – Virtual Servers

Double-click the Authentication virtual server.

Add certificates: one server certificate and one CA certificate.

Under Basic Authentication create a policy.

Add a server and disable two-factor authentication.

Add ns_true as expression.

1.9 Add form based virtual server

Choose your previously created load balancing virtual server.

Under SSL Parameters enable Client Authentication and set Client Certificate to "Mandatory".

Under Policies create a Session Policy.

Click Create to make your Request Profile under the Session Policy.

Under Override Global check all boxes except the Home Page box.

Under KCD Account choose your previously created account.
As expression write ns_true.

Go to Security – AAA Application Traffic – Authentication Profile

Add a profile.

As Authentication Virtual Server choose your AAA server.

After you have created the authentication profile, go to your load balancing virtual server and open Authentication.

Choose Form Based Authentication, and as Authentication Profile choose the authentication profile you just created.

2.0 Host entries on the Client

Open Notepad as administrator and open the hosts file in C:\Windows\System32\drivers\etc
You need two host entries on your client. The first points to the load balancing virtual server, with the host name under which you want to reach your site.
The second entry is for your AAA server.

2.1 Create Client Certificate

Go to NetScaler – Traffic Management – SSL, and under SSL choose the Client Certificate Wizard:

Click the Create RSA Key link. The Create RSA Key dialog box is displayed, as shown in the following screenshot. Specify the appropriate values for the various fields.
Note: The screenshot displays sample values for your reference.

Click the Create Certificate Request link. The Create Certificate Request dialog box is displayed. Specify appropriate values for the various fields. The screenshot displays sample values for your reference. Make sure to select the PEM key format; this enables you to export the certificate request to a PKCS12 file.

Click Create.

The Create Certificate dialog box is displayed. Specify the appropriate values for the various fields. The screenshot displays sample values for your reference. Ensure that you select the files you created in the preceding steps.

Click Create.

In the Certificate File Name and Key File Name fields, click Browse to locate and select the certificate and RSA key files, respectively,

then click Create.
Export the certificate to your client.

Go to mmc – Personal – All Tasks – Import and choose your client certificate. Import the client certificate.

It is very important that the user name is contained in the certificate, otherwise it won't work.

After importing the certificate, test your host entry on the client. In our case it is kcdtest.simon.ns. If everything works, you should be redirected without entering your credentials.
