
Citrix AAA virtual server for OWA and Okta SAML


We use an AAA virtual server for OWA and we are trying to do SAML authentication with Okta. Has anyone done this successfully? Please share information.


What if we host OWA and another web server using the same AAA? How would that be configured on the NetScaler and Okta side?


Are any special authentication changes needed on the Exchange side for SAML to work?


Any help appreciated.


NetScaler configuration with Okta is well documented at https://support.okta.com/help/s/article/Citrix-NetScaler-Gateway-SAML-Configuration-Guide


You'll have to make a transition between SAML and Kerberos on the NetScaler AAA vServer using a session policy with a KCD account. The KCD account needs to be configured with a keytab provided by your AD infrastructure, matching an AD service account authorized for Kerberos impersonation to Exchange (S4U2SELF + S4U2PROXY).


NetScaler will be authorized to request a Kerberos TGT and then a Kerberos TGS on behalf of the user to access Exchange services. The session policy will intercept 401 HTTP responses from the Exchange web servers and do the Kerberos job.


The documentation will only get you from Okta to NetScaler Gateway using a SAML token. But OWA is prompting me for a username and password. You are getting prompted by OWA for a username and password, and the SAML token doesn't have a password, and thus NetScaler doesn't have one to play to OWA.


I am playing with traffic, session and responder policies, but none seems to be working. I may have to try the KCD route.


The prompt means that OWA is not able to use the authentication provided by NetScaler.


The solution is to use Kerberos authentication on Exchange and to configure a service account allowed to impersonate AD users accessing Exchange. The session policy linked with the KCD account will do the job: do not use traffic or responder policies for that.

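As an added illustration of the SAML-to-Kerberos handoff described in the two replies above (this is example configuration written for this thread, not the poster's config or anything from Okta's guide), here is the NetScaler CLI skeleton. Every object name, hostname and the keytab path are assumptions; the Okta URLs are placeholders.

```nscli
# Added example, not from the thread. Assumed names: aaa_owa (the AAA vServer),
# okta_idp_cert (Okta signing certificate already uploaded to NetScaler),
# svc_kcd (the AD service account trusted for constrained delegation to the
# Exchange HTTP SPN) and /nsconfig/krb/svc_kcd.keytab (keytab exported for it).

# 1. SAML front door: NetScaler is the service provider, Okta is the IdP.
add authentication samlAction act_saml_okta -samlIdPCertName okta_idp_cert -samlRedirectUrl "https://<okta-tenant>/app/<app-id>/sso/saml" -samlIssuerName "https://owa.example.com" -samlUserField NameID
add authentication Policy pol_saml_okta -rule true -action act_saml_okta
bind authentication vserver aaa_owa -policy pol_saml_okta -priority 100

# 2. KCD account: the keytab, not a user password, identifies the delegating
#    service account. The identity that gets impersonated is the SAML NameID,
#    so Okta must send the user's AD UPN or sAMAccountName there.
add aaa kcdAccount kcd_exchange -keytab "/nsconfig/krb/svc_kcd.keytab"

# 3. Session policy: SSO ON plus the KCD account makes the AAA vServer answer the
#    backend's 401 Negotiate challenge with a service ticket obtained through
#    S4U2Self/S4U2Proxy on the user's behalf.
add tm sessionAction act_kcd_sso -SSO ON -kcdAccount kcd_exchange
add tm sessionPolicy pol_kcd_sso true act_kcd_sso
bind authentication vserver aaa_owa -policy pol_kcd_sso -priority 100

# 4. Exchange side (outside NetScaler CLI): the OWA virtual directory must accept
#    Windows (Kerberos) authentication; a forms-only 401 carries no Negotiate
#    challenge for step 3 to satisfy, which is exactly the password prompt seen above.
```

Checking that the keytab principal matches the SPN the delegating account owns, and that the user attribute Okta releases as NameID resolves in AD, covers the two failure modes these replies describe.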

Once I get it working, I will make a document with steps.


The caveat for me is that we use an Alternate Service Account for the Exchange 2016 OWA URL, a computer account, for AirWatch. This KCD account is a computer object and doesn't have a password. When I create the KCD account, I need to have a password, and I'm not sure whether NetScaler would need a user object for KCD.


Are there any logs I can check for KCD on NetScaler?
