
Kerberos Cross Realm Authentication not working for Subdomain



Hi there,

We have a problem getting Kerberos Cross Realm Authentication to work.

Root: DOMAIN.COM

Sub: SUBDOMAIN.DOMAIN.COM

KCD account is in the root domain

Backend application is also in the root domain

User1 (attached log) is in the root domain and everything is working fine.

User2 is in the sub domain and we get the error:

Thu Feb 21 10:23:39 2019 nskrb.c[442]: ns_process_kcd_req enterprise realm is DOMAIN.COM
Thu Feb 21 10:23:39 2019 nskrb.c[498]: ns_process_kcd_req using enterprise username user2@SUBDOMAIN.DOMAIN.COM@DOMAIN.COM
Thu Feb 21 10:23:39 2019 nskrb.c[503]: ns_process_kcd_req MD5 user2SUBDOMAIN.DOMAIN.COMs_netscalerDOMAIN.COM for s4u cache filename
Thu Feb 21 10:23:39 2019 nskrb.c[515]: ns_process_kcd_req MD5 user2SUBDOMAIN.DOMAIN.COMbackendserver.DOMAIN.COMDOMAIN.COM for tgs cache filename
Thu Feb 21 10:23:39 2019 nskrb.c[529]: ns_process_kcd_req MD5 s_netscalerDOMAIN.COMSUBDOMAIN.DOMAIN.COM for tgt cache filename
Thu Feb 21 10:23:39 2019 nskrb.c[535]: ns_process_kcd_req tgt ticket cachename is /var/krb/tgt_0_f8a1865649b64f34b9df013fb2be3303
Thu Feb 21 10:23:39 2019 nskrb.c[536]: ns_process_kcd_req s4u cachename is /var/krb/s4u_0_a3b840f57ac47b66006701afdb458f30
Thu Feb 21 10:23:39 2019 nskrb.c[537]: ns_process_kcd_req tgs cachename is /var/krb/tgs_0_28f2f6640f6384138eb1abf67cb90730
Thu Feb 21 10:23:39 2019 nskrb.c[539]: ns_process_kcd_req Attempting TGT with s_netscaler@DOMAIN.COM, outcache /var/krb/tgt_0_f8a1865649b64f34b9df013fb2be3303
Thu Feb 21 10:23:39 2019 nskrb.c[1306]: ns_kinit got TGT in cache, kinit returning
Thu Feb 21 10:23:39 2019 nskrb.c[551]: ns_process_kcd_req delegated usernames for cross realm - w-domain: s_netscaler.DOMAIN.COM, wo-domain s_netscaler
Thu Feb 21 10:23:39 2019 nskrb.c[557]: ns_process_kcd_req tgt cachename for cross realm between DOMAIN.COM and SUBDOMAIN.DOMAIN.COM is
Thu Feb 21 10:23:39 2019 nskrb.c[566]: ns_process_kcd_req Attempting cross realm TGT for krbtgt/SUBDOMAIN.DOMAIN.COM@DOMAIN.COM to store in /var/krb/tgt_x_0_ab5b24f8a1c7030f792e5121cba62c03
Thu Feb 21 10:23:39 2019 nskrb.c[567]: ns_process_kcd_req Cross realm TGT command is: nskrb kgetcred -c /var/krb/tgt_0_f8a1865649b64f34b9df013fb2be3303 --out-cache=/var/krb/tgt_x_0_ab5b24f8a1c7030f792e5121cba62c03 krbtgt/SUBDOMAIN.DOMAIN.COM@DOMAIN.COM
Thu Feb 21 10:23:39 2019 nskrb.c[1690]: ns_kgetcred kgetcred cache file /var/krb/tgt_x_0_ab5b24f8a1c7030f792e5121cba62c03  contains ticket for krbtgt/SUBDOMAIN.DOMAIN.COM@DOMAIN.COM
Thu Feb 21 10:23:39 2019 nskrb.c[583]: ns_process_kcd_req Attempting cross realm intermediary TGS for host/s_netscaler.DOMAIN.COM@SUBDOMAIN.DOMAIN.COM, input cache /var/krb/tgt_x_0_ab5b24f8a1c7030f792e5121cba62c03, outcache is /var/krb/tgt_x_0_ab5b24f8a1c7030f792e5121cba62c03_SUBDOMAIN.DOMAIN.COM
Thu Feb 21 10:23:39 2019 nskrb.c[585]: ns_process_kcd_req Cross realm intermediary TGS command is: nskrb kgetcred -c /var/krb/tgt_x_0_ab5b24f8a1c7030f792e5121cba62c03 --out-cache=/var/krb/tgt_x_0_ab5b24f8a1c7030f792e5121cba62c03_SUBDOMAIN.DOMAIN.COM --impersonate=user2@SUBDOMAIN.DOMAIN.COM@DOMAIN.COM host/s_netscaler.DOMAIN.COM@SUBDOMAIN.DOMAIN.COM
Thu Feb 21 10:23:39 2019 nskrb.c[1663]: ns_kgetcred krb5_parse_name for user2@SUBDOMAIN.DOMAIN.COM@DOMAIN.COM returned -1765328250
Thu Feb 21 10:23:39 2019 nskrb.c[588]: ns_process_kcd_req Error obtaining cross realm s4u2self ticket for user2@SUBDOMAIN.DOMAIN.COM@DOMAIN.COM

Auth Config:

add aaa kcdAccount KCDA_s_netscaler -realmStr DOMAIN.COM -delegatedUser s_netscaler -kcdPassword x -encrypted -encryptmethod ENCMTHD_3 -enterpriseRealm HERRENKNECHT.COM
add tm sessionAction SP_HK-Default -SSO ON -ssoCredential PRIMARY -ssoDomain domain.com -kcdAccount KCDA_s_netscaler

I already checked https://support.citrix.com/article/CTX209151 but can't get it to work.

Any advice on what to check next?

Regards,

Andreas

user1-san.txt

user2-san.txt


Had issues with exactly the same scenario and finally got it resolved by adding a specific SPN to the delegation service account:

host/sAMAccountName_of_service_account.domain.com

In standard Microsoft scenarios, there is no need for a service account, because delegation is done by computer accounts. Computer accounts have this SPN by default. Working with a non-domain-joined NetScaler, we have to add this SPN manually to the service account.

This only applies to cross-realm scenarios! In one-realm scenarios the service account just needs any SPN, like http/enablekerberosdelegation.

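To tie the log in the question to the fix in the reply, here is an added Python example (mine, not from the thread or from Citrix) that walks an nskrb log excerpt, names the krb5 return code, counts the unescaped '@' signs in the principal that krb5_parse_name rejected, and checks whether the host/&lt;account&gt;.&lt;domain&gt; SPN requested at the "cross realm intermediary TGS" step is registered on the delegation account. The log excerpt and the SPN lists are constructed from values in this thread, and the function names are assumptions of mine.

```python
import re

# Constructed excerpt of the nskrb log lines quoted in the post (cache paths shortened).
SAMPLE_LOG = """\
nskrb.c[539]: ns_process_kcd_req Attempting TGT with s_netscaler@DOMAIN.COM, outcache /var/krb/tgt_0
nskrb.c[566]: ns_process_kcd_req Attempting cross realm TGT for krbtgt/SUBDOMAIN.DOMAIN.COM@DOMAIN.COM to store in /var/krb/tgt_x_0
nskrb.c[583]: ns_process_kcd_req Attempting cross realm intermediary TGS for host/s_netscaler.DOMAIN.COM@SUBDOMAIN.DOMAIN.COM, input cache /var/krb/tgt_x_0, outcache is /var/krb/tgt_x_0_SUB
nskrb.c[1663]: ns_kgetcred krb5_parse_name for user2@SUBDOMAIN.DOMAIN.COM@DOMAIN.COM returned -1765328250
nskrb.c[588]: ns_process_kcd_req Error obtaining cross realm s4u2self ticket for user2@SUBDOMAIN.DOMAIN.COM@DOMAIN.COM
"""

# krb5 com_err table: code = -1765328384 + index; index 134 is KRB5_PARSE_MALFORMED.
KRB5_ERRORS = {-1765328250: "KRB5_PARSE_MALFORMED (malformed representation of principal)"}

STEP_RE = re.compile(r"Attempting (cross realm intermediary TGS|cross realm TGT|TGT) (?:for|with) (\S+?),?\s")
PARSE_RE = re.compile(r"krb5_parse_name for (\S+) returned (-?\d+)")


def unescaped_at_count(principal):
    """Count '@' characters not escaped with a backslash; a plain principal string carries one."""
    return len(re.findall(r"(?<!\\)@", principal))


def triage(log_text):
    """Collect the ticket steps attempted, the intermediary SPN requested and any parse failures."""
    steps, failures, intermediary_spn = [], [], None
    for line in log_text.splitlines():
        m = STEP_RE.search(line)
        if m:
            steps.append((m.group(1), m.group(2)))
            if m.group(1).endswith("TGS"):
                # Strip the realm: this is the SPN the delegation account must carry.
                intermediary_spn = m.group(2).rsplit("@", 1)[0]
        m = PARSE_RE.search(line)
        if m:
            principal, code = m.group(1), int(m.group(2))
            failures.append({"principal": principal, "code": code,
                             "name": KRB5_ERRORS.get(code, "unknown krb5 error"),
                             "unescaped_at": unescaped_at_count(principal)})
    return {"steps": steps, "intermediary_spn": intermediary_spn, "failures": failures}


def has_required_spn(required_spn, registered_spns):
    """AD matches SPNs case-insensitively, so compare them the same way."""
    return required_spn.lower() in {s.lower() for s in registered_spns}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)  # constructed SPN lists: before and after the reply's fix
    before, after = ["http/enablekerberosdelegation"], ["http/enablekerberosdelegation", "host/s_netscaler.DOMAIN.COM"]
    print(report["failures"][0]["name"], "for", report["failures"][0]["principal"])
    print(report["intermediary_spn"], has_required_spn(report["intermediary_spn"], before), "->", has_required_spn(report["intermediary_spn"], after))
```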