Kari Ruissalo Posted January 16, 2018 Posted January 16, 2018 Hi, I have built a SAML IdP according to this blog and I have issues with the internal vServer Kerberos. To be more specific, the issue is with the nFactor LDAP attribute extraction. The customer has modified their userPrincipalNames to match their email addresses. So for instance: Domain FQDN: ads.customer.com Email-suffix: customer.com sAMAccountName: user1 userPrincipalName: first.last@customer.com So when the internal vServer is authenticating the user and extracting the attributes using the nFactor, the process goes (I assume) like this: User has an existing Kerberos ticket and goes to the vServer for authentication, the Kerberos ticket contains the client name Cached Tickets: (1) #0> Client: user1 @ ADS.CUSTOMER.COM Server: krbtgt/ADS.CUSTOMER.COM @ ADS.CUSTOMER.COM The user authenticated and then the extracted user name is passed on to the nFactor (user1@ads.customer.com) nFactor LDAP attribute extraction policy is hit and it queries for user1@ads.customer.com, but can't find it as the users userPrincipalName is first.last@customer.com Authentication fails I figured that one way around this would be to just use PowerShell to add the Kerberos format username in to an attribute in AD, but this would require the customer to add this attribute for each new user in AD. So is there a way to construct this value somehow for nFactor processing and avoid adding that extra attribute?
Vamsi Krishna1709162168 Posted January 16, 2018 Posted January 16, 2018 Hi Kari, Any reason of using the sAMAccount not UPN? Two changes here. 1. Configure LDAP IP as LB VIP and point to the Actual LDAP server 2. create a rewrite policy to change domain name from ads.customer.com to customer.com Thanks, Vamsi
Kari Ruissalo Posted January 16, 2018 Author Posted January 16, 2018 11 hours ago, Vamsi Krishna Kanduri said: Hi Kari, Any reason of using the sAMAccount not UPN? Two changes here. 1. Configure LDAP IP as LB VIP and point to the Actual LDAP server 2. create a rewrite policy to change domain name from ads.customer.com to customer.com Thanks, Vamsi Well I´d prefer using UPN but the Kerberos seems to send a user name that doesn´t match that one (explained in the initial post). I´m already using LB for the LDAP but can´t understand how should i rewrite the request before passing it to the actual LDAP server? Using sAMAccountName would be the best option here as we should only get rid of the @ads.customer.com at the end of the username (assuming that Kerberos extracts the username as ”sAMAccountname@ads.customer.com”)?
Kari Ruissalo Posted April 3, 2018 Author Posted April 3, 2018 Support replied, that this should be possible to achieve using nFactor. They're still investigating on how this can be actually done. For now I just have this link: https://support.citrix.com/pages/netscaler-authentication#nfactor
Ronny Lier Posted January 27, 2019 Posted January 27, 2019 Hi Kari, could you solve the problem? We have the same problem and it would be helpful if you could share your solution. Thanks, Ronny
Kari Ruissalo Posted January 28, 2019 Author Posted January 28, 2019 On 1/27/2019 at 10:42 AM, Ronny Lier said: Hi Kari, could you solve the problem? We have the same problem and it would be helpful if you could share your solution. Thanks, Ronny Hi Ronny, not the prettiest solution, but I reserved one extensionAttribute for this purpose and created a scheduled PowerShell which constructs the extensionattribute for each user "{samaccountname} + {domainFQDN}". Initially I had this script filtering out users with extensionAttribute filled in, but I learned quickly that it needed to also check that it's properly filled (users change their last names etc...) There was no actual solution for this one unfortunately or a way to construct the attribute in NetScaler (12.0 firmware).
Ronny Lier Posted February 1, 2019 Posted February 1, 2019 Hi Kari, thanks for your feedback. I have solved the problem using nFactor. I configured a login schema (no schema) with the User Expression "HTTP.REQ.USER.NAME.BEFORE_REGEX(re#@#)" before the LDAP request. This modified the extracted user name from "{samaccountname} + {domainFQDN}" to "{samaccountname}". I use NetScaler 11.1 but the solution also would work with 12.0.
Kari Ruissalo Posted March 6, 2019 Author Posted March 6, 2019 On 2/1/2019 at 11:11 PM, Ronny Lier said: Hi Kari, thanks for your feedback. I have solved the problem using nFactor. I configured a login schema (no schema) with the User Expression "HTTP.REQ.USER.NAME.BEFORE_REGEX(re#@#)" before the LDAP request. This modified the extracted user name from "{samaccountname} + {domainFQDN}" to "{samaccountname}". I use NetScaler 11.1 but the solution also would work with 12.0. Oh. That's pretty neat, I need to give that a go. Thanks for sharing!
Recommended Posts
Archived
This topic is now archived and is closed to further replies.