Kerberos constrained delegation using Citrix NetScaler

Tags: kerberos, netscaler

I'm currently evaluating Citrix NetScaler VPX (NS10.5 56.12.nc) as a potential replacement for Microsoft TMG server.
Kerberos Constrained Delegation is at the top of my list of mandatory features.

Example:
A web application is published via TMG. Members of a certain Active Directory group are not allowed access to this site.
TMG has to request credentials from the client, check group membership and then pass those credentials to the web server hosting the application.

Unfortunately moving the membership check to the web server and allowing the client to authenticate directly is not an option.

I have tried several tutorials (e.g. http://support.citrix.com/article/CTX139133) to do this with NetScaler, but to no avail.

The authentication request the browser gets does come from the NetScaler, but all it returns is this:

<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"><script type="text/javascript" src="/vpn/resources.js">
</script><script type="text/javascript" language="javascript">var Resources = new ResourceManager("/vpn/resources/{lang}", "VPN_ERRORS");</script>
</HEAD><BODY><CENTER><span id="You are not allowed to login."></span> <span id="Please contact your administrator."></span>
</CENTER><script type="text/javascript" language="javascript">Resources.Load();</script></BODY></HTML>

This looks "broken" to me. Whitespaces being used in tag IDs. Placeholder "{lang}" not being replaced with an actual value.

I've gone through the document's troubleshooting section (5.4). Every command returns as expected.
Only the last one gives me an error:

nskrb kgetcred --delegation-credential-cache=/tmp/imper_cache --out-cache=/tmp/kcd_cache http/myserver.domain.com

Returns:

kgetcred: krb5_parse_name http/myserver.domain.com: unable to find realm of host ns-t1

"ns-t1" is the hostname of the NetScaler server.

I really hope someone can help me with this.

Thanks in advance.

Regards,
Kevin

Best Answer

I ran into the same issue. The realm needed to be appended to the SPN. Your example has the following:

"nskrb kgetcred --delegation-credential-cache=/tmp/imper_cache --out-cache=/tmp/kcd_cache http/myserver.domain.com"

So long as "DOMAIN.COM" is your realm, try the following:

"nskrb kgetcred --delegation-credential-cache=/tmp/imper_cache --out-cache=/tmp/kcd_cache http/myserver.domain.com@DOMAIN.COM"

I think case matters for the realm, but I could be wrong. I hope this helps.

Brooks
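The fix above in code form, as an added helper that is not from the thread or from Citrix: it qualifies a bare SPN with a realm (kept if already present, otherwise the one passed in, otherwise the host's DNS domain upper-cased, which assumes the AD realm matches the DNS suffix) and builds the nskrb kgetcred line from the troubleshooting section with that qualified principal. Kerberos realms are case-sensitive and conventionally upper-case, so the helper normalises the realm to upper-case.

```python
import re
import shlex
from typing import Optional

# Constructed example, not Citrix or thread code: avoid the
# "unable to find realm of host <netscaler-hostname>" error by never
# handing krb5_parse_name an SPN without an explicit realm.
SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z0-9_-]+)/(?P<host>[A-Za-z0-9.-]+)(?:@(?P<realm>[^@/]+))?$"
)


def qualify_spn(spn: str, realm: Optional[str] = None) -> str:
    """Return 'service/host@REALM'.

    An existing realm is kept as-is; otherwise `realm` is used, and as a last
    resort the host's DNS domain (assumed equal to the AD realm) upper-cased.
    """
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"not a service principal name: {spn!r}")
    service, host, existing = m.group("service"), m.group("host"), m.group("realm")
    if existing:
        return f"{service}/{host}@{existing}"
    if realm is None:
        labels = host.split(".")
        if len(labels) < 2:
            # A short name carries no domain to infer from; refuse rather than guess.
            raise ValueError(f"cannot infer realm for {host!r}; pass realm explicitly")
        realm = ".".join(labels[1:])
    return f"{service}/{host}@{realm.upper()}"


def kgetcred_command(
    spn: str,
    realm: Optional[str] = None,
    imper_cache: str = "/tmp/imper_cache",
    out_cache: str = "/tmp/kcd_cache",
) -> str:
    """Build the troubleshooting command with a realm-qualified SPN (cache paths from the thread)."""
    return " ".join([
        "nskrb", "kgetcred",
        f"--delegation-credential-cache={shlex.quote(imper_cache)}",
        f"--out-cache={shlex.quote(out_cache)}",
        shlex.quote(qualify_spn(spn, realm)),
    ])


if __name__ == "__main__":
    print(kgetcred_command("http/myserver.domain.com"))
```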
