Implementing Single Sign On with NetScaler and Kerberos Constrained Delegation (KCD)
I wrote a guide on how to build a Single Sign-On solution with Kerberos Constrained Delegation (KCD) and NetScaler. With KCD it is possible to restrict the delegation to certain services/protocols on a server.
You'll need this if NetScaler does not know the user password. If it does know the user password, you can realize the SSO with Kerberos impersonation instead.
That will be a separate post.
Let's start with creating a KCD account.
Summary of the key settings (the detailed, numbered steps follow below):
1.1 Enable the delegation tab for this user.
IIS: disable every authentication method except "Windows Authentication"; remove the default providers and choose Negotiate:Kerberos.
NetScaler SSL Parameters: enable client authentication and set the client certificate to "Mandatory".
Double-click the Authentication virtual server. Under Basic Authentication create a policy: add a server and disable two factor. Under Policies create a Session Policy; click Create and set up your Request Profile under the Session Policy. Under Override Global, check all boxes except the Home Page box.
Go to Security – AAA Application Traffic – Authentication Profile. As Authentication virtual Server choose your AAA server.
Very important: the user name must be contained in the certificate, otherwise it won't work.
1. Create KCD Accounts
Create the KCD account in AD. "Password never expires" should be chosen.
1.1 Enable the delegation tab for this user
The delegation tab only appears once the account has a service principal name (SPN). You can register one with setspn (it is available if you have the Active Directory Domain Services (AD DS) server role installed). It needs to be run from an elevated command prompt:
setspn -A host/KCDTest@simon.ns simon\KCDTest
1.2 Choose the delegation option
Here you need to choose "Trust this user for delegation to specified services only" and also "Use any authentication protocol".
Press Add and enter the name of your web server. As service you need to choose http.
After this step, export the keytab file. Use the following command to do this:
ktpass /princ http/KCDTest@simon.NS /ptype KRB5_NT_PRINCIPAL /mapuser simon\KCDTest /pass Start123 -out C:\kcdneu2.keytab
Once the command has run, copy the keytab file to the NetScaler directory /nsconfig/krb/, for example with FileZilla or any other SCP/SFTP program.
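The Active Directory side of sections 1 to 1.2 as a PowerShell script, added here as an example and not part of the original post. It assumes the ActiveDirectory module (RSAT or the AD DS role), the domain simon.ns and account KCDTest from the post, and uses webserver.simon.ns as a placeholder for the name of your web server.

```powershell
# Added example (not from the original post): KCD account, SPN, constrained
# delegation and keytab export in PowerShell. Run in an elevated prompt as a
# domain admin. webserver.simon.ns is a placeholder for your IIS host name.
Import-Module ActiveDirectory

$Domain    = 'simon.ns'
$Realm     = $Domain.ToUpper()      # Kerberos realm, conventionally upper case
$Account   = 'KCDTest'
$WebServer = 'webserver.simon.ns'   # placeholder: the IIS server from step 1.2
$Keytab    = 'C:\kcdneu2.keytab'

# 1. Create the KCD account with "Password never expires"
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "${Account}@${Domain}" `
    -AccountPassword (Read-Host -AsSecureString "Initial password for $Account") `
    -PasswordNeverExpires $true -Enabled $true

# 1.1 Registering an SPN is what makes the Delegation tab appear (same as setspn -A)
Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = "host/$Account"}

# 1.2 "Trust this user for delegation to specified services only" is the
#     msDS-AllowedToDelegateTo list; "Use any authentication protocol" is the
#     TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition). Keep the list
#     to the single http SPN: it is the only thing bounding what the NetScaler
#     account may impersonate users to.
Set-ADUser -Identity $Account -Add @{'msDS-AllowedToDelegateTo' = "http/$WebServer"}
Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true

# Export the keytab for NetScaler. /pass * prompts for the password instead of
# putting it on the command line; note that ktpass resets the account password
# to the value entered, which is the key the keytab then contains.
ktpass /princ "http/${Account}@${Realm}" /ptype KRB5_NT_PRINCIPAL `
       /mapuser "${Domain}\${Account}" /pass * /out $Keytab

# Read back the delegation scope to verify it is limited to the one http SPN
Get-ADUser $Account -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, ServicePrincipalNames |
    Select-Object SamAccountName, TrustedToAuthForDelegation, ServicePrincipalNames, msDS-AllowedToDelegateTo
```

Copy the resulting keytab to /nsconfig/krb/ on the NetScaler as described above; anything beyond the one http SPN in msDS-AllowedToDelegateTo widens what the appliance can do on behalf of users.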
1.3 Configure IIS
In the Authentication settings of your site, choose Advanced Settings on the right side and disable "Kernel-mode authentication".
After this, also on the right side, open the providers list: remove the default providers and choose Negotiate:Kerberos.
1.4 NetScaler Configuration
Create a KCD Account: go to Security – AAA Application Traffic – KCD Accounts – Add.
Choose the option "Use keytab file" and select the file you copied before.
1.5 Create the load balancing service
Go to Traffic Management – Load Balancing – Services and press Add.
Add your web server and choose HTTP as protocol.
Double-click the created service and edit its settings. You need to activate "Surge Protection".
1.6 Create the load balancing virtual server
Go to Traffic Management – Load Balancing – Virtual Servers and click Add.
As protocol choose SSL. Double-click the load balancing vserver and add the created LB service under Load Balancing Virtual Server Service Binding.
Set the client certificate to mandatory.
Under Certificates install a server certificate and a CA certificate.
1.8 Create the AAA virtual server
Go to Security – AAA Application Traffic – Virtual Servers.
Add certificates: one server certificate and one CA certificate.
Add ns_true as expression.
1.9 Add form-based authentication to the virtual server
Choose your previously generated load balancing virtual server.
Under SSL Parameters enable Client Authentication and set the client certificate to "Mandatory".
Click Create and set up your Request Profile under Session Policy.
Under KCD Account choose your previously created account.
As expression write ns_true.
Add a profile.
After you have created your authentication profile, go to your load balancing virtual server and then to Authentication.
Choose Form Based Authentication and as Authentication Profile choose the authentication profile you created.
2.0 Host entries on the client
Open Notepad as administrator and open your hosts file, C:\Windows\System32\drivers\etc\hosts.
You need two host entries on your client. One points to the load balancing virtual server, with the host name under which you want to reach your site. The second entry is for your AAA server.
2.1 Create a client certificate
Go to NetScaler – Traffic Management – SSL and, under SSL, choose the Client Certificate Wizard.
Click the Create RSA Key link. The Create RSA Key dialog box is displayed, as shown in the screen shot. Specify the appropriate values for the various fields.
Note: The screen shots show sample values for your reference.
Click the Create Certificate Request link. The Create Certificate Request dialog box is displayed. Specify appropriate values for the various fields. Ensure that you select the PEM key format; this enables you to export the certificate request to a PKCS12 file.
Click Create.
The Create Certificate dialog box is displayed. Specify the appropriate values for the various fields. Ensure that you select the files you created in the preceding steps: in the Certificate File Name and Key File Name fields, click Browse to locate and select the certificate and RSA key files respectively, then click Create.
Export the certificate to your client.
Open mmc, click Personal – All Tasks – Import and choose your client certificate to import it.
After importing the certificate, test your host entry on the client. In our case it is kcdtest.simon.ns. If everything works, you should be redirected without entering your credentials.