
Netscaler AAA - Disable NTLM failback for Negotiate authentication and replace it with LDAP


I'm currently working on a NetScaler 12.0 deployment in front of Linux web servers with authentication offloaded to NetScaler.

 

Negotiate (Kerberos) SSO authentication is configured for domain users logged on to domain workstations. However, domain users can also access the application from an external location or from non-domain-joined workstations. In this case, and for security reasons, users are not able to get a Kerberos ticket from the Active Directory domain controllers. The user is prompted for NTLM authentication, which fails because no NTLM path is configured on NetScaler. The same issue is experienced by domain users with a badly configured web browser (krb5 trusted domain not configured).

 

The preferred fallback authentication method would be LDAP instead of NTLM.

Compared with IIS, Linux web servers do not have an NTLM path for NTLM fallback.

 

An LDAP authentication policy is configured with priority 110 and bound to the AAA vserver. However, when Kerberos authentication fails, the user is prompted with the NTLM popup in front of the NetScaler AAA web page which contains the LDAP authentication form.

 

Is there a way to disable NTLM fallback for Negotiate authentication?

 

How can I configure Kerberos SSO with LDAP fallback in NetScaler?

 

 

 

 


There is no configuration option to disable NTLM fallback. The 401 that gets sent to the client will have [WWW-Authenticate: Negotiate, NTLM]; this is by design, so non-domain-joined or external systems that can't reach AD can fall back to NTLM.

 

If you do not want the NTLM fallback for non-domain / external clients, you may consider an IP-based policy on top (to check if the client is coming from a public IP) with an LDAP action, so the Negotiate policy never hits for those clients.

 

Or if it's acceptable to enter the credentials in the pop-up that appears as a result of the NTLM fallback, you can set the NTLM path to any domain-joined IIS server (it does not have to be the Linux web servers). The NTLM path has no bearing on what actual back-end resource you are accessing. (https://support.citrix.com/article/CTX215684)

 

Note - The above options take care of client auth, and if it's either NTLM or Kerberos on client auth, then your back-end SSO option is limited to KCD only.
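As an added example (not from any post in this thread), here is how the IP-based approach suggested above could be expressed with advanced authentication policies in NetScaler 12.0: an LDAP policy is evaluated first for clients outside the corporate ranges, so the Negotiate policy (and its NTLM fallback) is never offered to them. All object names, subnets, server addresses and action parameters are placeholders, not the poster's configuration.

```netscaler
# Added example, not from the thread. All names, subnets and addresses are
# placeholders; replace them with your own values.

# Assumed existing actions (illustrative parameters only)
add authentication ldapAction ldap_act_corp -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword <password> -ldapLoginName sAMAccountName -authentication ENABLED
add authentication negotiateAction nego_act_corp -domain example.com -domainUser svc_kcd -domainUserPasswd <password>

# 1) Clients outside the corporate ranges go straight to the LDAP form.
#    Adjust the subnets to the ranges your domain-joined workstations use.
add authentication Policy auth_pol_ldap_external -rule "CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8).NOT && CLIENT.IP.SRC.IN_SUBNET(192.168.0.0/16).NOT" -action ldap_act_corp

# 2) Everyone else (corporate network) gets Negotiate / Kerberos SSO.
add authentication Policy auth_pol_nego_corp -rule true -action nego_act_corp

# Lower priority number is evaluated first: the IP check must precede Negotiate.
# A corporate client whose browser cannot obtain a Kerberos ticket still
# receives the Negotiate/NTLM challenge, as the thread explains; this only
# removes the prompt for the external / non-domain case.
bind authentication vserver aaa_vs_app -policy auth_pol_ldap_external -priority 100
bind authentication vserver aaa_vs_app -policy auth_pol_nego_corp -priority 110
```

Check the result from a client on each side of the IP boundary: the external client should receive the AAA login form with no 401 challenge, while the corporate client should still be challenged with Negotiate.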


Thanks for the quick answer.

 

This is unfortunately the behavior I noticed on NetScaler. It would be great to add the capability to disable NTLM fallback in a future NetScaler release, mainly for security reasons (https://blog.preempt.com/the-security-risks-of-ntlm-proceed-with-caution).

 

Any option to rewrite the [WWW-Authenticate: Negotiate, NTLM] using a Rewrite Policy on a CS vServer in front of the LB or the AAA vServer?


Such an option, or even a rewrite to drop the WWW-Authenticate: NTLM, doesn't achieve your requirement (a rewrite on the NS AAA-generated 401 won't work anyway), because Chrome and IE tend to fall back to NTLM *even if* the auth header indicates only Negotiate; only Mozilla does not.

 

See below: although the WWW-Auth header is set to Negotiate, which this client cannot do, you still see the pop-up.

 

Chrome (screenshot: credential pop-up despite WWW-Authenticate: Negotiate)

IE (screenshot: credential pop-up despite WWW-Authenticate: Negotiate)

 

 


Hello,

 

You can, but you have to use another NetScaler instance in front of your AAA.

(It's because the AAA arrives before the CS/LB process.)

So on the front instance, you just have to create an LB server, LB service and LB vserver (and content switching if you use it).

Then on the LB vserver you just have to add two response rewrites:

the first to remove the header WWW-Authenticate,

the second to add the header with only the Negotiate value.

Here is the configuration I use:

 

add rewrite action rw_act_dev-sso-rem-www-authenticate delete_http_header WWW-Authenticate
add rewrite action rw_act_dev-sso-add-www-authenticate-negotiate insert_http_header WWW-Authenticate "\"Negotiate\""

add rewrite policy rw_pol_dev-sso-rem-www-authenticate "HTTP.RES.HEADER(\"WWW-Authenticate\").EXISTS" rw_act_dev-sso-rem-www-authenticate
add rewrite policy rw_pol_dev-sso-add-www-authenticate-negotiate "HTTP.RES.STATUS.EQ(401)" rw_act_dev-sso-add-www-authenticate-negotiate


bind lb vserver lb_vsrv_myaaa -policyName rw_pol_dev-sso-rem-www-authenticate -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind lb vserver lb_vsrv_myaaa -policyName rw_pol_dev-sso-add-www-authenticate-negotiate -priority 110 -gotoPriorityExpression END -type RESPONSE

 

Bye


Quoting Mathieu BRUSTON1709159739 (20.3.2019 at 9:12 PM, post above):

Hello Mathieu,

 

Thanks for your config details - but is it really necessary to use another AAA on another ADC instance, or could I create a dummy LB vServer, bind no service, so it's DOWN, bind the RW policies and, as a protection feature, set my prod web server as "Backup virtual Server", so in theory the traffic will flow as follows:

 

Client -> Content Switch -> Dummy LB vServer, Delete Nego Header hits -> Prod Web-LB vServer which is bound to my AAA

 

In your configuration example I don't understand how you are doing the redirection to your actual prod web server, to which the request should go via Negotiate.

 

Thanks for your answer

Best Regards

Julian

 


Hello Julian

 

It's the first config I tried to make. But in fact, when the AAA and the LB are in the same instance, the rewrites made on the LB are replaced by the AAA.

I did it with Citrix Consulting.

That's why I made a dedicated Citrix LB in front of the Citrix AAA.

I think the other way is to use Citrix Partitions inside the instance. The AAA will only be on the default partition; you can create a partition and make the LB config there. I don't use this solution because we already have a Citrix ADC front for north/south traffic and are not ready (network) to implement the partition feature.

Be careful with an LB in front of an AAA. Citrix LB has a connection multiplexing feature that keeps a TCP connection open between the Citrix ADC and the AAA. The issue I had is that in some cases the sessions of users were shared, and a user had the information of another user.

To remediate this, I have set the parameter maxreq=1 on the LB service (https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-advanced-settings/set-limit-on-max-request.html).

With this parameter you have to watch the ports available for your SNIP/MIP (~1000000, "nsapimgr -d freeports") and the remaining ports for your service (~64000, "stat service lb_service").

 

Regards,

 


Quoting Siddhartha Sarmah (3/15/2019 at 4:39 AM, post above):
Hi,

It seems that the behavior has changed in the current Chrome version (Version 78.0.3904.70). Chrome now does not fall back to NTLM if only Negotiate is specified in the WWW-Authenticate header. The behavior is now the same as with Mozilla Firefox. The Edge browser based on the Chromium engine works too. Only IE11 and the old Edge still pop up a 401 window if Kerberos (Negotiate) auth fails.

I removed the WWW-Authenticate NTLM header with a second NetScaler and a rewrite policy so that only WWW-Authenticate: Negotiate exists. But that's not the perfect solution. Is it possible to disable the NTLM fallback on the AAA vServer? Because the rewrite policy on the same NetScaler as the AAA vServer didn't work.

Regards,
Markus


Yes, I tried a lot to rewrite the WWW-Auth header on the same ADC; it's not possible, it only worked with another ADC. If I only leave the NTLM path blank, then the WWW-Auth "NTLM" nevertheless exists, and if the WWW-Auth NTLM is in the header then the browsers prompt with the 401 window (Chrome, Firefox, Edge, IE). Only if I remove (rewrite) the WWW-Auth header so that only Negotiate is in the WWW-Auth header does only IE prompt for credentials if nego fails; Chrome, Chromium Edge and Mozilla Firefox don't. So it would be a nice feature to disable the NTLM auth offer on the AAA vServer, then we wouldn't need the rewrite on the second ADC.
