Posted January 16, 20187 yr Hi, I have built a SAML IdP according to this blog and I have issues with the internal vServer Kerberos. To be more specific, the issue is with the nFactor LDAP attribute extraction. The customer has modified their userPrincipalNames to match their email addresses. So for instance: Domain FQDN: ads.customer.com Email-suffix: customer.com sAMAccountName: user1 userPrincipalName: [email protected] So when the internal vServer is authenticating the user and extracting the attributes using the nFactor, the process goes (I assume) like this: User has an existing Kerberos ticket and goes to the vServer for authentication, the Kerberos ticket contains the client name Cached Tickets: (1) #0> Client: user1 @ ADS.CUSTOMER.COM Server: krbtgt/ADS.CUSTOMER.COM @ ADS.CUSTOMER.COM The user authenticated and then the extracted user name is passed on to the nFactor ([email protected]) nFactor LDAP attribute extraction policy is hit and it queries for [email protected], but can't find it as the users userPrincipalName is [email protected] Authentication fails I figured that one way around this would be to just use PowerShell to add the Kerberos format username in to an attribute in AD, but this would require the customer to add this attribute for each new user in AD. So is there a way to construct this value somehow for nFactor processing and avoid adding that extra attribute?
January 16, 20187 yr Hi Kari, Any reason of using the sAMAccount not UPN? Two changes here. 1. Configure LDAP IP as LB VIP and point to the Actual LDAP server 2. create a rewrite policy to change domain name from ads.customer.com to customer.com Thanks, Vamsi
January 16, 20187 yr Author 11 hours ago, Vamsi Krishna Kanduri said: Hi Kari, Any reason of using the sAMAccount not UPN? Two changes here. 1. Configure LDAP IP as LB VIP and point to the Actual LDAP server 2. create a rewrite policy to change domain name from ads.customer.com to customer.com Thanks, Vamsi Well I´d prefer using UPN but the Kerberos seems to send a user name that doesn´t match that one (explained in the initial post). I´m already using LB for the LDAP but can´t understand how should i rewrite the request before passing it to the actual LDAP server? Using sAMAccountName would be the best option here as we should only get rid of the @ads.customer.com at the end of the username (assuming that Kerberos extracts the username as ”[email protected]”)?
April 3, 20187 yr Author Support replied, that this should be possible to achieve using nFactor. They're still investigating on how this can be actually done. For now I just have this link: https://support.citrix.com/pages/netscaler-authentication#nfactor
January 27, 20196 yr Hi Kari, could you solve the problem? We have the same problem and it would be helpful if you could share your solution. Thanks, Ronny
January 28, 20196 yr Author On 1/27/2019 at 10:42 AM, Ronny Lier said: Hi Kari, could you solve the problem? We have the same problem and it would be helpful if you could share your solution. Thanks, Ronny Hi Ronny, not the prettiest solution, but I reserved one extensionAttribute for this purpose and created a scheduled PowerShell which constructs the extensionattribute for each user "{samaccountname} + {domainFQDN}". Initially I had this script filtering out users with extensionAttribute filled in, but I learned quickly that it needed to also check that it's properly filled (users change their last names etc...) There was no actual solution for this one unfortunately or a way to construct the attribute in NetScaler (12.0 firmware).
February 1, 20196 yr Hi Kari, thanks for your feedback. I have solved the problem using nFactor. I configured a login schema (no schema) with the User Expression "HTTP.REQ.USER.NAME.BEFORE_REGEX(re#@#)" before the LDAP request. This modified the extracted user name from "{samaccountname} + {domainFQDN}" to "{samaccountname}". I use NetScaler 11.1 but the solution also would work with 12.0.
March 6, 20196 yr Author On 2/1/2019 at 11:11 PM, Ronny Lier said: Hi Kari, thanks for your feedback. I have solved the problem using nFactor. I configured a login schema (no schema) with the User Expression "HTTP.REQ.USER.NAME.BEFORE_REGEX(re#@#)" before the LDAP request. This modified the extracted user name from "{samaccountname} + {domainFQDN}" to "{samaccountname}". I use NetScaler 11.1 but the solution also would work with 12.0. Oh. That's pretty neat, I need to give that a go. Thanks for sharing!
Archived
This topic is now archived and is closed to further replies.