
Configuring kerberos authentication on the Citrix ADC appliance

This topic provides the detailed steps to configure Kerberos authentication on the Citrix ADC appliance by using the CLI and the GUI.

Configuring Kerberos authentication on the CLI

  1. Enable the authentication, authorization, and auditing feature to ensure the authentication of traffic on the appliance.

    ns-cli-prompt> enable ns feature AAA

  2. Add the keytab file to the Citrix ADC appliance. A keytab file is necessary for decrypting the secret received from the client during Kerberos authentication. A single keytab file contains authentication details for all the services that are bound to the traffic management virtual server on the Citrix ADC appliance.

    First generate the keytab file on the Active Directory server and then transfer it to the Citrix ADC appliance.

    • Log on to the Active Directory server and add a user for Kerberos authentication. For example, to add a user named “Kerb-SVC-Account”:

      net user Kerb-SVC-Account freebsd!@#456 /add

      Note

      In the User Properties section, ensure that the “Change password at next logon” option is not selected and the “Password does not expire” option is selected.

    • Map the HTTP service to the above user and export the keytab file. For example, run the following command on the Active Directory server:

      ktpass /out keytabfile /princ HTTP/owa.newacp.com@NEWACP.COM /pass freebsd!@#456 /mapuser newacp\dummy /ptype KRB5_NT_PRINCIPAL

      Note

      You can map more than one service if authentication is required for more than one service. If you want to map more services, repeat the above command for every service. You can give the same name or different names for the output file.

    • Transfer the keytab file to the Citrix ADC appliance by using the unix ftp command or any other file transfer utility of your choice.

  3. The Citrix ADC appliance must resolve the fully qualified domain name (FQDN) of the domain controller to its IP address. Therefore, Citrix recommends configuring the Citrix ADC with a DNS server.

    ns-cli-prompt> add dns nameserver <IP address>

    Note

    Alternatively, you can add static host entries or use any other means so that the Citrix ADC appliance can resolve the FQDN name of the domain controller to an IP address.

  4. Configure the authentication action and then associate it to an authentication policy.

    • Configure the negotiate action.

      ns-cli-prompt> add authentication negotiateAction <name> -domain <domain_name> -domainUser <domain_user> -domainUserPasswd <password> -keytab <path_to_keytab>

    • Configure the negotiate policy and associate the negotiate action to this policy.

      ns-cli-prompt> add authentication negotiatePolicy <name> <rule> <negotiateAction_name>

  5. Create an authentication virtual server and associate the negotiate policy with it.

    • Create an authentication virtual server.

      ns-cli-prompt> add authentication vserver <name> SSL <IP address> 443 -authenticationDomain <domain_name>

    • Bind the negotiate policy to the authentication virtual server.

      ns-cli-prompt> bind authentication vserver <name> -policy <negotiatePolicy_name>

  6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.

    ns-cli-prompt> set lb vserver <name> -authn401 ON -authnVsName <authentication_vserver_name>

    Note

    Similar configurations can also be done on the content switching virtual server.

  7. Verify the configurations by doing the following:

    • Access the traffic management virtual server by using its FQDN.

    • View the details of the session on the CLI.

      ns-cli-prompt> show aaa session
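Before transferring the keytab in step 2, it is worth confirming offline that the file actually carries the SPN you mapped with ktpass (HTTP/owa.newacp.com@NEWACP.COM) and does not rely on a weak encryption type, since an RC4-only or DES-only key in the keytab is what the appliance would then use for every service ticket. The following added example (not part of the Citrix documentation or any Citrix tool) parses the version 0x0502 keytab format; the sample keytab is constructed in code with invented key bytes, and the `build_keytab` helper exists only to produce that test input.

```python
import struct

def build_keytab(realm, components, kvno, enctype, key, timestamp=0):
    """Build a version 0x0502 keytab holding one entry (constructed test data)."""
    body = struct.pack(">H", len(components))
    for s in [realm, *components]:                    # counted octet strings
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key     # keyblock
    body += struct.pack(">I", kvno)                          # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def _counted(data, pos):
    """Read a 16-bit-length-prefixed string; return (string, next position)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version 0x0502 (big-endian) keytabs are handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen               # skip the key itself; we never print it
        kvno = vno8
        if end - pos >= 4:             # optional full kvno overrides vno8 when set
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def keytab_has_spn(data, spn):
    return any(p == spn for p, _, _ in parse_keytab(data))

def weak_enctypes(data, weak=(1, 3, 23)):   # des-cbc-crc, des-cbc-md5, rc4-hmac
    return [p for p, _, e in parse_keytab(data) if e in weak]

# Constructed sample: the SPN from the ktpass step with an aes256-cts (18) key.
SAMPLE = build_keytab("NEWACP.COM", ["HTTP", "owa.newacp.com"], 3, 18, bytes(range(32)))
```

Run `parse_keytab(open("keytabfile", "rb").read())` against the file ktpass produced; if more than one service was mapped, each one should appear as its own entry.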

Configuring Kerberos authentication on the GUI

  1. Enable the authentication, authorization, and auditing feature.

    Navigate to System > Settings, click Configure Basic Features, and enable the authentication, authorization, and auditing feature.

  2. Add the keytab file as detailed in step 2 of the CLI procedure mentioned above.

  3. Add a DNS server.

    Navigate to Traffic Management > DNS > Name Servers, and specify the IP address of the DNS server.

  4. Configure the Negotiate action and policy.

    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with Negotiate as the action type. Click Add to create a new authentication negotiate server, or click Edit to configure the existing details.

  5. Bind the negotiate policy to the authentication virtual server.

    Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the Negotiate policy with the authentication virtual server.

  6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.

    Navigate to Traffic Management > Load Balancing > Virtual Servers, and specify the relevant authentication settings.

    Note

    Similar configurations can also be done on the content switching virtual server.

  7. Verify the configurations as detailed in step 7 of the CLI procedure mentioned above.