Netscaler Gateway SSL VPN Authentication Passthrough

Hello, I currently have a ticket open with Citrix support regarding the following issue.

We have a piece of HR software hosted on a server on our LAN. When a client is connected to the LAN the option for automatic sign in works perfectly, however when on the NetScaler VPN the automatic sign in does not work.

We have been told that the NetScaler is not passing the Kerberos authentication token and are trying to find out why. I did read on this forum that NetScaler Gateway does not support authentication pass through; I am not sure if this falls into that category.

I have asked 2 engineers now at Citrix and they are unable to give me a definitive answer.

Does anyone on this forum know?

Thanks

Stephen

The Netscaler Gateway does not support pass through authentication to connect to the VPN. However once you have connected to the VPN, subject to the firewall rules you have configured allowing access, you should be able to perform pass through authentication to an internal web application.

Of course you only want to allow VPN connections from company assets, so it is best to perform an EPA scan and fall back to ICA if it is a non-company device.

Thanks for the reply. All firewall rules are in the clear for NetScaler Gateway SSL VPN users to access the relevant resources on the LAN. I have just explained the situation to a support engineer who believes that Kerberos will not pass through the VPN. I can't see why it wouldn't? Although I am now waiting for an escalations engineer to give me a definitive answer. Any further info that the forum can offer would be great at this minute.


As an update to this issue we have taken packet captures on the client side and on the NetScaler side and no attempt to use Kerberos can be seen in the packet capture. These have been submitted to support for further checks.

Does anyone have a working example of, say, a web application that uses Kerberos that works whilst using NetScaler Gateway VPN?

The packet captures only appear to use NTLM.


  • 2 years later...

I know this is an old post, but I ran into the same issue and didn't find any official documentation about this, but my work colleague knew the solution: connections through the SSL VPN are not getting all required DNS entries and therefore Kerberos is not working. I saw exactly the same behavior in my traces: authentication to a web service fell back to NTLM, which was not an allowed method for that service and therefore didn't work.

To fix that, you can disable DNS truncation as described in this article: https://support.citrix.com/article/CTX200243

To resolve this issue run the following commands from NetScaler shell prompt:

root@ns> shell
root@ns# echo "/netscaler/nsapimgr -ys enable_vpn_dns_override=1" >> /nsconfig/rc.netscaler
root@ns# echo "/netscaler/nsapimgr -ys enable_vpn_dnstruncate_fix=1" >> /nsconfig/rc.netscaler

If we want those knobs to work even without a NetScaler reboot, we will have to run the following commands:

/netscaler/nsapimgr -ys enable_vpn_dns_override=1
/netscaler/nsapimgr -ys enable_vpn_dnstruncate_fix=1

After running those commands over shell, Kerberos started to work properly using SSL VPN.
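
A way to confirm the NTLM fallback described in this thread from the Authorization headers seen in a capture, as an added example that is not part of the original posts. The sample headers are constructed, and the classification is a byte-pattern heuristic rather than a full SPNEGO parser.

```python
import base64
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"                            # start of every NTLM message
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2


def classify_authorization(value):
    """Classify one Authorization header value as kerberos, ntlm, other, unknown or malformed."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return "malformed"
    scheme, blob = parts[0].lower(), parts[1].strip()
    if scheme not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:
        return "malformed"
    # Check the NTLM signature first: a SPNEGO token can wrap an NTLM message.
    if NTLMSSP_SIG in token:
        return "ntlm"
    # Kerberos GSS-API tokens are ASN.1 [APPLICATION 0] (0x60) and carry a Kerberos OID.
    if token[:1] == b"\x60" and (KRB5_OID in token or MS_KRB5_OID in token):
        return "kerberos"
    return "unknown"


def summarize(headers):
    """Count classifications across the Authorization headers from one capture."""
    return Counter(classify_authorization(h) for h in headers)


def _header(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed sample values (abbreviated token prefixes, not real tickets or hashes).
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
SAMPLE_HEADERS = [
    _header("Negotiate", b"\x60\x82\x05\x00" + SPNEGO_OID + KRB5_OID + b"\x01\x00"),
    _header("Negotiate", NTLMSSP_SIG + b"\x01\x00\x00\x00"),
    _header("NTLM", NTLMSSP_SIG + b"\x03\x00\x00\x00"),
    "Basic dXNlcjpwYXNz",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_authorization(h), "<-", h[:40])
    print(dict(summarize(SAMPLE_HEADERS)))
```

A capture taken over the VPN that yields only `ntlm` results, while the same client on the LAN yields `kerberos`, matches the behavior reported above.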