Implementing Single Sign On with NetScaler and Kerberos Constrained Delegation (KCD)

This is a walkthrough of how to build a Single Sign-On solution with Kerberos Constrained Delegation (KCD) and NetScaler. With KCD, the delegation can be restricted to specific services/protocols on a server.
You need this when NetScaler does not know the user's password. If it does know the password, you can realize the SSO with Kerberos impersonation instead; that will be a separate post.

Let's start with creating a KCD account.


1. Create KCD Accounts

Create the KCD account in AD. Select "Password never expires" for this account.

1.1 Enable the delegation tab for this user

The Delegation tab only appears once the account has a Service Principal Name. You can register one with setspn (available when the Active Directory Domain Services (AD DS) server role is installed). It needs to be run from an elevated command prompt:

setspn -A host/KCDTest@simon.ns simon\KCDTest
1.2 Choose the delegation option

On the Delegation tab, choose "Trust this user for delegation to specified services only" and also "Use any authentication protocol".

Press Add and enter the name of your web server. As the service, choose http.

After this step, export the keytab file with the following command:

ktpass /princ http/KCDTest@simon.NS /ptype KRB5_NT_PRINCIPAL /mapuser simon\KCDTest /pass Start123 -out C:\kcdneu2.keytab

Once the command has run, copy the keytab file to /nsconfig/krb on the NetScaler, for example with FileZilla or any other file transfer program.
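The AD side of steps 1.1 and 1.2 as an added PowerShell example (not part of the original post): it creates the account, registers the SPN, sets constrained delegation with protocol transition to the web server's http service, checks that the delegation scope is no wider than intended, and runs the same ktpass export. The web server name kcdweb.simon.ns and the interactive password prompt are assumptions.

```powershell
# Added example, not from the original post. Assumed names: domain simon.ns,
# account KCDTest, web server kcdweb.simon.ns (hypothetical), keytab C:\kcdneu2.keytab.
Import-Module ActiveDirectory

$Domain    = 'simon.ns'
$Account   = 'KCDTest'
$WebServer = 'kcdweb.simon.ns'           # hypothetical FQDN of the IIS server
$Keytab    = 'C:\kcdneu2.keytab'
$Password  = Read-Host -AsSecureString "Password for $Account"

# 1. Service account with a non-expiring password ("Password never expires")
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$Domain" -AccountPassword $Password `
    -PasswordNeverExpires $true -Enabled $true

# 1.1 Register the SPN so the Delegation tab appears
#     (same as: setspn -A host/KCDTest@simon.ns simon\KCDTest)
Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = "host/$Account@$Domain"}

# 1.2 "Trust this user for delegation to specified services only" = msDS-AllowedToDelegateTo
#     "Use any authentication protocol" = protocol transition (TrustedToAuthForDelegation)
Set-ADUser -Identity $Account -Add @{'msDS-AllowedToDelegateTo' = "http/$WebServer"}
Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true

# Verify: the account may impersonate users only towards the web server's http
# service; unconstrained delegation or extra targets widen the blast radius.
$u = Get-ADUser $Account -Properties 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation
if ($u.TrustedForDelegation) {
    throw "$Account is trusted for unconstrained delegation; KCD requires constrained delegation"
}
$extra = @($u.'msDS-AllowedToDelegateTo') | Where-Object { $_ -ne "http/$WebServer" }
if ($extra) { throw "Delegation scope wider than intended: $($extra -join ', ')" }
if (-not $u.TrustedToAuthForDelegation) {
    throw "Protocol transition is off; certificate-based SSO through NetScaler needs it"
}
"Delegation scope OK: $($u.'msDS-AllowedToDelegateTo' -join ', ')"

# Export the keytab (the post's ktpass command; password taken from the prompt
# instead of being typed in clear text on the command line)
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
ktpass /princ "http/$Account@$($Domain.ToUpper())" /ptype KRB5_NT_PRINCIPAL `
       /mapuser "$($Domain.Split('.')[0])\$Account" /pass $plain /out $Keytab
```

Run it once as a domain administrator on a machine with the AD DS tools; the verification block can be rerun on its own whenever you want to audit the KCD account's delegation scope.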

1.3 Configure IIS

Disable everything except "Windows Authentication".

On the right side choose Advanced Settings and disable "Kernel-mode authentication".

Then, again on the right side, open the advanced settings, remove the default providers and choose Negotiate:Kerberos.


1.4 NetScaler Configuration

Create a KCD account: go to Security – AAA Application Traffic – KCD Accounts – Add.

Choose the option "Use keytab file" and select the keytab file you uploaded before.



1.5 Create lbsvc

Go to Traffic Management – Load Balancing – Services – press Add.

Add your web server and choose HTTP as the protocol.
Double-click the service you created and edit the settings: you need to activate "Surge Protection".



1.6 Create lb_vs

Go to Traffic Management – Load Balancing – Virtual Servers – click Add. As protocol, choose SSL.

Double-click the load balancing vserver and bind the service you created under Load Balancing Virtual Server Service Binding.

Go to SSL Parameters, enable Client Authentication and set Client Certificate to "Mandatory".

Under Certificates install a server certificate and a CA certificate.




1.8 Create AAA VS

Go to Security – AAA Application Traffic – Virtual Servers and add an authentication virtual server.

Double-click the authentication virtual server and add the certificates: one server certificate and one CA certificate.

Under Basic Authentication create a policy. Add a server and disable two factor. Use ns_true as the expression.


1.9 Add form based virtual server

Choose your previously generated load balancing virtual server.

Under SSL Parameters enable Client Authentication and set Client Certificate to "Mandatory".

Under Policies create a Session Policy and click Create for the Request Profile under the session policy. Under Override Global check all boxes except the Home Page box. Under KCD Account choose your previously created account. As expression write ns_true.

Go to Security – AAA Application Traffic – Authentication Profile and add a profile. As Authentication Virtual Server choose your AAA server.

After you have created the authentication profile, go to your load balancing virtual server and open Authentication. Choose Form Based Authentication and, as Authentication Profile, select the profile you just created.

2.0 Host entries on the client

Open Notepad as administrator and open the hosts file in C:\Windows\System32\drivers\etc. You need two host entries on your client: one for the load balancing virtual server, with the host name under which you want to reach your site, and a second one for your AAA server.




2.1 Create Client Certificate

In NetScaler go to Traffic Management – SSL and open the Client Certificate Wizard:

Click the Create RSA Key link. The Create RSA Key dialog box is displayed; specify the appropriate values for the various fields (the screenshot showed sample values for reference).

Click the Create Certificate Request link. The Create Certificate Request dialog box is displayed; specify the appropriate values for the various fields. Make sure you select the PEM key format, which enables you to export the certificate request to a PKCS12 file.

Click Create.

The Create Certificate dialog box is displayed. Specify the appropriate values for the various fields and make sure you select the files you created in the preceding steps.

Click Create.

In the Certificate File Name and Key File Name fields, click Browse to locate and select the certificate and RSA key files, respectively, then click Create.

Export the certificate to your client.

On the client, open mmc, go to Personal – All Tasks – Import and choose your client certificate to import it.

It is very important that the user name is contained in the certificate: NetScaler takes the user name from the certificate to request the Kerberos ticket on the user's behalf, so otherwise it won't work.





After importing the certificate, test your host entry on the client. In our case it is kcdtest.simon.ns. If everything works, you should be redirected to the site without entering your credentials.





