Netscaler modern Authentication and Exchange OWA


I am working on a project where we are trying to set up Modern Authentication in Citrix and connect to an on-premises Exchange server.

I have this working:
Netscaler is set up with Auth pointing to Modern Authentication.

Users can connect to Modern Authentication and are forwarded back to Netscaler, and the Netscaler forwards the request to OWA.

OWA is set up so it will allow Kerberos login.

But when the user is forwarded to the OWA website, it's just white.

The domain is called example.local, but the user has their UPN set to itrtest2@example.dk in Active Directory.

Anyone have a good idea about what the problem could be?

There are no issues found on the Exchange server.

In /var/log/ns.log I see this:

Aug 31 08:44:27 <local0.err> 192.168.96.8 08/31/2019:08:44:27 GMT  0-PPE-0 : default SSLVPN Message 218190365 0 :  "Keberos resumeNotification; entry: 55 itrtest2@example.LOCAL@DALEXCH03.example.local@example.LOCAL not found, pcb_fip = 192.168.96.221, pcb_fport = 443"

 

In /tmp/nskrb.debug, I see this:

Sat Aug 31 08:44:27 2019
 nskrb.c[2089]: nskrb_accept PARENT: 1 children spawned
Sat Aug 31 08:44:27 2019
 nskrb.c[2082]: nskrb_accept CHILD: started, processing AAA request
Sat Aug 31 08:44:27 2019
 nskrb.c[395]: ns_process_kcd_req username is itrtest2
Sat Aug 31 08:44:27 2019
 nskrb.c[399]: ns_process_kcd_req user_realm is example.local, user_realmlen is 12
Sat Aug 31 08:44:27 2019
 nskrb.c[405]: ns_process_kcd_req svc is DALEXCH03.example.local
Sat Aug 31 08:44:27 2019
 nskrb.c[408]: ns_process_kcd_req gethostbyname succeeded, cname lookup resulted in hostname DALEXCH03.example.local
Sat Aug 31 08:44:27 2019
 nskrb.c[417]: ns_process_kcd_req realm is example.local, realmlen is 12
Sat Aug 31 08:44:27 2019
 nskrb.c[423]: ns_process_kcd_req delegated_user len is 7 value is admita
Sat Aug 31 08:44:27 2019
 nskrb.c[429]: ns_process_kcd_req password provided, len 89
Sat Aug 31 08:44:27 2019
 nskrb.c[450]: ns_process_kcd_req servicespn configured is 22 HTTP/outlook.example.dk, offset is 209
Sat Aug 31 08:44:27 2019
 nskrb.c[498]: ns_process_kcd_req user non-enterprise username itrtest2@example.local
Sat Aug 31 08:44:27 2019
 nskrb.c[506]: ns_process_kcd_req MD5 itrtest2example.localadmitaexample.local for s4u cache filename
Sat Aug 31 08:44:27 2019
 nskrb.c[518]: ns_process_kcd_req MD5 itrtest2example.localDALEXCH03.example.localexample.local for tgs cache filename
Sat Aug 31 08:44:27 2019
 nskrb.c[532]: ns_process_kcd_req MD5 admitaexample.local for tgt cache filename
Sat Aug 31 08:44:27 2019
 nskrb.c[538]: ns_process_kcd_req tgt ticket cachename is /var/krb/tgt_0_479a0d8c0e2b0f5f6bc2c527b979a98a
Sat Aug 31 08:44:27 2019
 nskrb.c[539]: ns_process_kcd_req s4u cachename is /var/krb/s4u_0_cf78ce91ebc84cd5aaa9aae7d91fbafa
Sat Aug 31 08:44:27 2019
 nskrb.c[540]: ns_process_kcd_req tgs cachename is /var/krb/tgs_0_1badec12b0a1ea1b49426d5fa8c50444
Sat Aug 31 08:44:27 2019
 nskrb.c[542]: ns_process_kcd_req Attempting TGT with admita@example.local, outcache /var/krb/tgt_0_479a0d8c0e2b0f5f6bc2c527b979a98a
Sat Aug 31 08:44:27 2019
 nskrb.c[1309]: ns_kinit got TGT in cache, kinit returning
Sat Aug 31 08:44:27 2019
 nskrb.c[638]: ns_process_kcd_req Attempting S4U2Self with admita@example.local, for itrtest2@example.local
Sat Aug 31 08:44:27 2019
 nskrb.c[1693]: ns_kgetcred kgetcred cache file /var/krb/s4u_0_cf78ce91ebc84cd5aaa9aae7d91fbafa  contains ticket for admita@example.local
Sat Aug 31 08:44:27 2019
 nskrb.c[656]: ns_process_kcd_req using configured servicespn HTTP/outlook.example.dk
Sat Aug 31 08:44:27 2019
 nskrb.c[661]: ns_process_kcd_req service name for s4u2proxy is HTTP/outlook.example.dk
Sat Aug 31 08:44:27 2019
 nskrb.c[1733]: ns_kgetcred cache file /var/krb/tgs_0_1badec12b0a1ea1b49426d5fa8c50444 does not exist
Sat Aug 31 08:44:27 2019
 nskrb.c[1793]: ns_kgetcred krb5_parse_name for HTTP/outlook.example.dk returned -1765328167
Sat Aug 31 08:44:27 2019
 nskrb.c[663]: ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328167


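The trace in the post above ends with krb5_parse_name rejecting the configured servicespn, and the rest of the request (TGT for the KCD account, S4U2Self for the user) had already succeeded. The Python helper below is an added example, not NetScaler code and not something posted in the thread. It pulls the request parameters out of nskrb.debug lines, decodes the signed krb5 error number (-1765328167 is offset 217 from the krb5 error-table base -1765328384, which is KRB5_ERR_HOST_REALM_UNKNOWN, "Cannot determine realm for host"), and flags the two things to check first when krb5_parse_name fails on a principal: a servicespn written without an @REALM suffix, which forces the library to work out a default realm on its own, and a realm that is not in upper case. SAMPLE_TRACE is a constructed excerpt of the lines quoted above; the error-name table is partial and lists only offsets relevant to KCD troubleshooting.

```python
"""Triage helper for a NetScaler KCD failure recorded in /tmp/nskrb.debug.

Added example, not NetScaler code. Parses the trace lines quoted in the post,
decodes the krb5 error number and flags the usual configuration causes.
SAMPLE_TRACE is a constructed excerpt of that trace.
"""
import re

# com_err base of the krb5 error table; a library code is KRB5_ERR_BASE + offset
KRB5_ERR_BASE = -1765328384

# Partial table: only offsets that matter when troubleshooting KCD / S4U
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client not found in Kerberos database
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",  # server not found in Kerberos database
    12: "KRB5KDC_ERR_POLICY",              # KDC policy rejects the request
    13: "KRB5KDC_ERR_BADOPTION",           # KDC can't fulfill requested option (delegation not allowed)
    154: "KRB5_REALM_UNKNOWN",             # cannot find KDC for requested realm
    156: "KRB5_KDC_UNREACH",               # cannot contact any KDC for requested realm
    217: "KRB5_ERR_HOST_REALM_UNKNOWN",    # cannot determine realm for host
    224: "KRB5_CONFIG_NODEFREALM",         # configuration does not specify default realm
}

SAMPLE_TRACE = """\
 nskrb.c[395]: ns_process_kcd_req username is itrtest2
 nskrb.c[399]: ns_process_kcd_req user_realm is example.local, user_realmlen is 12
 nskrb.c[405]: ns_process_kcd_req svc is DALEXCH03.example.local
 nskrb.c[417]: ns_process_kcd_req realm is example.local, realmlen is 12
 nskrb.c[423]: ns_process_kcd_req delegated_user len is 7 value is admita
 nskrb.c[450]: ns_process_kcd_req servicespn configured is 22 HTTP/outlook.example.dk, offset is 209
 nskrb.c[661]: ns_process_kcd_req service name for s4u2proxy is HTTP/outlook.example.dk
 nskrb.c[1793]: ns_kgetcred krb5_parse_name for HTTP/outlook.example.dk returned -1765328167
 nskrb.c[663]: ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328167
"""

# One regex per request parameter printed by ns_process_kcd_req
FIELDS = {
    "username": re.compile(r"\busername is (\S+)"),
    "user_realm": re.compile(r"\buser_realm is ([^,\s]+)"),
    "svc": re.compile(r"\bsvc is (\S+)"),
    "realm": re.compile(r"\brealm is ([^,\s]+)"),  # \b keeps this off "user_realm is"
    "delegated_user": re.compile(r"delegated_user len is \d+ value is (\S+)"),
    "servicespn": re.compile(r"servicespn configured is \d+ ([^,\s]+)"),
}
ERROR_RE = re.compile(r"sending reject to kernel because of error (-?\d+)")


def decode_krb5_error(code: int) -> str:
    """Map a signed krb5 error number to its symbolic name (or its offset)."""
    offset = code - KRB5_ERR_BASE
    if not 0 <= offset < 256:
        return f"{code} is outside the krb5 error table"
    return KRB5_ERRORS.get(offset, f"krb5 error offset {offset} (not in local table)")


def check_spn(spn: str) -> list:
    """Sanity-check a service principal the way krb5_parse_name will see it."""
    m = re.fullmatch(r"([^/@]+)/([^/@]+)(?:@([^@]+))?", spn)
    if not m:
        return [f"servicespn {spn!r} is not of the form class/host[@REALM]"]
    realm = m.group(3)
    if realm is None:
        return [f"servicespn {spn!r} carries no @REALM; the library has to supply a default realm "
                "and krb5_parse_name fails when it cannot determine one"]
    if realm != realm.upper():
        return [f"realm {realm!r} in servicespn is not upper-case; Kerberos realm names are case-sensitive"]
    return []


def analyse(trace: str) -> dict:
    """Extract the KCD request parameters from a trace and explain the final error."""
    result = {"findings": []}
    for line in trace.splitlines():
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and name not in result:
                result[name] = m.group(1)
        m = ERROR_RE.search(line)
        if m:
            result["error_code"] = int(m.group(1))
    if "error_code" in result:
        result["error_name"] = decode_krb5_error(result["error_code"])
    if "servicespn" in result:
        result["findings"] += check_spn(result["servicespn"])
    realm = result.get("realm")
    if realm and realm != realm.upper():
        result["findings"].append(
            f"request realm {realm!r} is not upper-case; an AD realm is the domain name in upper case")
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_TRACE)
    print(f"error {r.get('error_code')} -> {r.get('error_name')}")
    for finding in r["findings"]:
        print(" -", finding)
```

Run it as-is to see the findings for the posted trace, or feed analyse() the contents of a real nskrb.debug. Once parsing succeeds, the offsets to expect from the KDC on the S4U2Proxy step are 13 (KRB5KDC_ERR_BADOPTION, -1765328371) and 12 (KRB5KDC_ERR_POLICY, -1765328372); those mean the KDC accepted the names but refused the delegation, which points at the account's delegation settings rather than at the NetScaler configuration.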

Hi,

Your error in nskrb.debug is because of one of the following two missing settings:

- Did you set an SPN for your NetScaler Kerberos user? (setspn -A host/Serviceuser Domain\Serviceuser)

- Did you set up delegation for your NetScaler Kerberos user to http/outlook.example.dk (or the FQDN of your on-prem Exchange)?

Regards

Julian


Thanks for your reply. This is the output from "setspn -l example\netscaler":


C:\Users\admin_kda>setspn -l example\netscaler
Registered ServicePrincipalNames for CN=netscaler,OU=Service,OU=FIBUsers,DC=example,DC=local:
        HTTP/outlook.example.dk
        HTTP/dalexch03
        http/netscaler
        HOST/outlook.example.dk

 

And below are the settings for the delegation rights on the Kerberos user:

(attached screenshot: kerberos.png)

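Julian's two questions (does the NetScaler account have an SPN, is it trusted for delegation to the Exchange service) and the setspn -L output above both come down to which account holds which SPN. The KDC encrypts a service ticket for HTTP/outlook.example.dk with the key of the account that SPN is registered on, so for the S4U2Proxy leg that SPN has to sit on the account the Exchange server actually uses (its computer account, or an alternate service account); the delegating NetScaler account only needs an SPN of its own so that it can be marked for constrained delegation. AD compares SPNs case-insensitively, so http/netscaler and HTTP/netscaler are the same SPN, and an SPN registered on two accounts is a duplicate the KDC cannot map to one key (Windows KDCs log event ID 11 for this). The checker below is an added example, not a Citrix or Microsoft tool: it parses concatenated setspn -L listings into an SPN-to-account index and reports duplicates, a target SPN parked on the delegating account, and HTTP SPNs that name the Exchange host but live elsewhere. The netscaler listing is the one from the post above; the DALEXCH03 computer-account listing is constructed to show what the report looks like when the same SPN has also been added on the Exchange side.

```python
"""Cross-check SPN placement for a KCD chain from `setspn -L` output.

Added example, not a Citrix or Microsoft tool. The netscaler listing below
is the one from the post; the DALEXCH03 listing is constructed.
"""
import re
from collections import defaultdict

SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=netscaler,OU=Service,OU=FIBUsers,DC=example,DC=local:
        HTTP/outlook.example.dk
        HTTP/dalexch03
        http/netscaler
        HOST/outlook.example.dk
Registered ServicePrincipalNames for CN=DALEXCH03,OU=Servers,DC=example,DC=local:
        HOST/DALEXCH03
        HOST/DALEXCH03.example.local
        HTTP/DALEXCH03.example.local
        HTTP/outlook.example.dk
"""

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames for (CN=[^:]+):\s*$")


def parse_setspn(text: str) -> dict:
    """Return {account DN: [SPNs]} from one or more concatenated `setspn -L` listings."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            accounts[current] = []
        elif current is not None:
            accounts[current].append(line)
    return accounts


def account_cn(dn: str) -> str:
    """'CN=netscaler,OU=...' -> 'netscaler' (case preserved)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def spn_owners(accounts: dict) -> dict:
    """Map each SPN (lower-cased, since AD matches SPNs case-insensitively) to its owning accounts."""
    owners = defaultdict(list)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].append(dn)
    return owners


def check_kcd_chain(accounts: dict, delegating_cn: str, target_spn: str, target_host: str) -> list:
    """Findings for a KCD chain: delegating account -> target_spn served by target_host."""
    findings = []
    owners = spn_owners(accounts)
    delegating = [dn for dn in accounts if account_cn(dn).lower() == delegating_cn.lower()]
    if not delegating:
        return [f"no setspn listing for delegating account {delegating_cn!r}"]
    delegating_dn = delegating[0]

    # 1. Duplicate SPNs: the KDC cannot choose a key, so the request fails (KDC event ID 11).
    for spn, dns in owners.items():
        if len(dns) > 1:
            findings.append(f"SPN {spn} is registered on {len(dns)} accounts: "
                            + ", ".join(account_cn(d) for d in dns))

    # 2. The delegating account needs an SPN of its own before AD exposes the Delegation tab.
    if not accounts[delegating_dn]:
        findings.append(f"delegating account {delegating_cn} has no SPN")

    # 3. The target SPN must be on the account whose key the back end holds, not on the delegator.
    target_owners = owners.get(target_spn.lower(), [])
    if not target_owners:
        findings.append(f"target SPN {target_spn} is not registered on any listed account")
    elif delegating_dn in target_owners:
        findings.append(f"target SPN {target_spn} is registered on the delegating account {delegating_cn}; "
                        f"tickets for it would be encrypted with that account's key, which {target_host} cannot decrypt")

    # 4. HTTP SPNs naming the back-end host belong on that host's own account.
    short = target_host.split(".", 1)[0].lower()
    for spn in accounts[delegating_dn]:
        cls, _, host = spn.partition("/")
        if cls.upper() == "HTTP" and host.lower() in (short, target_host.lower()):
            findings.append(f"{spn} names the target host but is registered on {delegating_cn}")
    return findings


if __name__ == "__main__":
    report = check_kcd_chain(parse_setspn(SETSPN_OUTPUT), "netscaler",
                             "HTTP/outlook.example.dk", "DALEXCH03.example.local")
    for finding in report:
        print("-", finding)
```

Paste the real `setspn -L` output for every account in the chain (the NetScaler KCD account, the Exchange computer account, any alternate service account) into SETSPN_OUTPUT; `setspn -X` from a domain controller gives the forest-wide duplicate list independently of this script. The delegation tab itself (which services the NetScaler account may delegate to) is not visible in setspn output and still has to be checked in AD, as Julian notes.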