
NetScaler KCD with "double hop"


Jens Ostkamp

Hello everyone,

 

I am currently trying to get KCD authentication to work with the following setup (test lab):

 

WORKING SCENARIO:

 

ADC VPX Enterprise with a load balancing vServer where AAA forms authentication is configured. On the AAA vServer there is a RADIUS policy configured and a session profile with a KCD account bound.

The goal is relatively simple: I want a user to authenticate via RADIUS (SMS Passcode, challenge/response) and afterwards get a Kerberos ticket to authenticate to a basic IIS web server (only Windows Authentication enabled). I have followed this guide for setting up Kerberos (I know it is for NetScaler 10.1, but I don't think the technical basics of how Kerberos works should be any different on 12.1): https://support.citrix.com/article/CTX236593 (only difference: I used a keytab file)

This works just fine.

 

Now the more "advanced" configuration I'm trying to achieve:

I want to connect to a CSW vServer on my ADC VPX A which points to a load balancing virtual server on the same appliance. The service bound to this LB vServer points to an ADC VPX B, where the actual web server is bound. This is where my configuration stopped working; when I try to debug the authentication process I get the following error:

 

 

root@TestScale05-12# cat /tmp/nskrb.debug
Tue Sep  3 10:15:37 2019
 nskrb.c[2082]: nskrb_accept CHILD: started, processing AAA request
Tue Sep  3 10:15:37 2019
 nskrb.c[395]: ns_process_kcd_req username is user.name
Tue Sep  3 10:15:37 2019
 nskrb.c[399]: ns_process_kcd_req user_realm is internal.domain.suffix, user_realmlen is 21
Tue Sep  3 10:15:37 2019
 nskrb.c[405]: ns_process_kcd_req svc is websrv-remotens
Tue Sep  3 10:15:37 2019
 nskrb.c[2089]: nskrb_accept PARENT: 1 children spawned
Tue Sep  3 10:15:37 2019
 nskrb.c[412]: ns_process_kcd_req gethostbyname failed
Tue Sep  3 10:15:37 2019
 nskrb.c[417]: ns_process_kcd_req realm is internal.domain.suffix, realmlen is 21
Tue Sep  3 10:15:37 2019
 nskrb.c[423]: ns_process_kcd_req delegated_user len is 39 value is host/fqdn-lbvserver.domain.de
Tue Sep  3 10:15:37 2019
 nskrb.c[429]: ns_process_kcd_req password provided, len 25
Tue Sep  3 10:15:37 2019
 nskrb.c[498]: ns_process_kcd_req user non-enterprise username user.name@internal.domain.suffix
Tue Sep  3 10:15:37 2019
 nskrb.c[506]: ns_process_kcd_req MD5 user.nameINTERNAL.DOMAIN.SUFFIXfqdn-lbvserver.domain.deINTERNAL.DOMAIN.SUFFIX for s4u cache filename
Tue Sep  3 10:15:37 2019
 nskrb.c[518]: ns_process_kcd_req MD5 user.nameINTERNAL.DOMAIN.SUFFIXwebsrv-remotensINTERNAL.DOMAIN.SUFFIX for tgs cache filename
Tue Sep  3 10:15:37 2019
 nskrb.c[532]: ns_process_kcd_req MD5 fqdn-lbvserver.domain.deINTERNAL.DOMAIN.SUFFIX for tgt cache filename
Tue Sep  3 10:15:37 2019
 nskrb.c[538]: ns_process_kcd_req tgt ticket cachename is /var/krb/tgt_0_b277cdec37f1740adaf02369977ab493
Tue Sep  3 10:15:37 2019
 nskrb.c[539]: ns_process_kcd_req s4u cachename is /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96
Tue Sep  3 10:15:37 2019
 nskrb.c[540]: ns_process_kcd_req tgs cachename is /var/krb/tgs_0_412bdef246c3ceb6d263da04f12132e6
Tue Sep  3 10:15:37 2019
 nskrb.c[542]: ns_process_kcd_req Attempting TGT with host/fqdn-lbvserver.domain.de@INTERNAL.DOMAIN.SUFFIX, outcache /var/krb/tgt_0_b277cdec37f1740adaf02369977ab493
Tue Sep  3 10:15:37 2019
 nskrb.c[1321]: ns_kinit cache check failed
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1775]: krb5_init_creds_step krb5_get_init_creds: loop 1
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1176]: process_pa_data_to_md KDC send 0 patypes
Tue Sep  3 10:15:37 2019
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Tue Sep  3 10:15:37 2019
 krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.internal.domain.suffix in realm INTERNAL.DOMAIN.SUFFIX
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNAL.DOMAIN.SUFFIX' using protocol 1
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1775]: krb5_init_creds_step krb5_get_init_creds: loop 2
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1784]: krb5_init_creds_step krb5_get_init_creds: processing input
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1787]: krb5_init_creds_step krb5_get_init_creds: decode AS_REP returned 1859794433, not necessarily an error
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1852]: krb5_init_creds_step krb5_get_init_creds: KRB-ERROR -1765328359, not necessarily fatal
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1176]: process_pa_data_to_md KDC send 5 patypes
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 11
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 19
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 2
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 16
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1179]: process_pa_data_to_md KDC send PA-DATA type: 15
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1019]: add_enc_ts_padata krb5_get_init_creds: using ENC-TS with enctype 23
Tue Sep  3 10:15:37 2019
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Tue Sep  3 10:15:37 2019
 krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.DOMAIN.SUFFIX in realm INTERNAL.DOMAIN.SUFFIX
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNALDOMAIN.SUFFIX' using protocol 1
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1775]: krb5_init_creds_step krb5_get_init_creds: loop 3
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1784]: krb5_init_creds_step krb5_get_init_creds: processing input
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1787]: krb5_init_creds_step krb5_get_init_creds: decode AS_REP returned 0, not necessarily an error
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1807]: krb5_init_creds_step krb5_get_init_creds: extracting ticket
Tue Sep  3 10:15:37 2019
 init_creds_pw.c[1824]: krb5_init_creds_step krb5_get_init_creds: extract ticket returned 0
Tue Sep  3 10:15:37 2019
 nskrb.c[1460]: get_new_tickets krb5_get_init_creds_keyblock returned 0
Tue Sep  3 10:15:37 2019
 nskrb.c[638]: ns_process_kcd_req Attempting S4U2Self with host/fqdn-lbvserver.INTERNAL.DOMAIN.SUFFIX, for user.name@INTERNAL.DOMAIN.SUFFIX
Tue Sep  3 10:15:37 2019
 nskrb.c[1733]: ns_kgetcred cache file /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96 does not exist
Tue Sep  3 10:15:37 2019
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Tue Sep  3 10:15:37 2019
 krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.DOMAIN.SUFFIX in realm INTERNAL.DOMAIN.SUFFIX
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNAL.DOMAIN.SUFFIX' using protocol 1
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
Tue Sep  3 10:15:37 2019
 nskrb.c[1800]: ns_kgetcred krb5_get_creds returned 0, svcname host/fqdn-lbvserver.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX, impersonate str user.name@INTERNAL.DOMAIN.SUFFIX, deleg NULL outcache /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96
Tue Sep  3 10:15:37 2019
 nskrb.c[1873]: ns_kgetcred successfully wrote credentials to cache file /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96
Tue Sep  3 10:15:37 2019
 nskrb.c[661]: ns_process_kcd_req service name for s4u2proxy is HTTP/websrv-remotens.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX
Tue Sep  3 10:15:37 2019
 nskrb.c[1733]: ns_kgetcred cache file /var/krb/tgs_0_412bdef246c3ceb6d263da04f12132e6 does not exist
Tue Sep  3 10:15:37 2019
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Tue Sep  3 10:15:37 2019
 krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc01.internal.domain.suffix in realm INTERNAL.DOMAIN.SUFFIX
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNAL.DOMAIN.SUFFIX' using protocol 1
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
Tue Sep  3 10:15:37 2019
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Tue Sep  3 10:15:37 2019
 krbhst.c[447]: srv_get_hosts searching DNS for realm INTERNAL.DOMAIN.SUFFIX tcp.kerberos -> 0
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host dc02.internal.domain.suffix in realm INTERNAL.DOMAIN.SUFFIX
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'INTERNAL.DOMAIN.SUFFIX' using protocol 1
Tue Sep  3 10:15:37 2019
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm INTERNAL.DOMAIN.SUFFIX = 0
Tue Sep  3 10:15:37 2019
 nskrb.c[1800]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/websrv-remotens.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX, impersonate str NULL, deleg /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96 outcache /var/krb/tgs_0_412bdef246c3ceb6d263da04f12132e6
Tue Sep  3 10:15:37 2019
 nskrb.c[1805]: ns_kgetcred krb5_get_creds returned -1765328371
Tue Sep  3 10:15:37 2019
 nskrb.c[663]: ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328371

The delegation tab of my KCD user in AD looks like this (attached), and the SPNs are set like this (attached):

 

I hope my understanding of Kerberos isn't so completely wrong that I missed some crucial step here by pointing my LB vServer to a second VPX instance where the actual backend is load balanced.

Any help is appreciated and thanks in advance!

 

Kind regards

 

Attachments: kcd.PNG, kcd2.PNG


Hi,

 

As the only difference is the LB vServer between your VPX A and VPX B, the error ID in your nskrb.debug, 1765328371, points to something like:

 

https://support.citrix.com/article/CTX202303

 

"Choosing a Service Server name

The Server name for the service that is configured on the NetScaler is passed as it is entered. In the following example, the actual FQDN is used. If load balancing or content switching is not used, then name should pass as it is sent from the client."

 

Did you add your backend servers to your LB vServer via FQDN or IP?

 

Regards

 

 

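Added example, not part of the thread or of any Citrix tooling: a small Python triage script for the nskrb.debug trace in the first post, which also pins down the error ID the reply above refers to. It splits the trace into the three steps the appliance performs (a TGT for the KCD account, S4U2Self on behalf of the user, S4U2Proxy to the backend SPN) and decodes the com_err integers: -1765328384 is the base of the krb5 error table, so -1765328371 (base + 13) is KRB5KDC_ERR_BADOPTION, and the -1765328359 logged during the TGT exchange (base + 25) is the benign KRB5KDC_ERR_PREAUTH_REQUIRED that every pre-auth round trip produces. The embedded sample trace is a constructed, trimmed copy of the posted one (timestamps and DNS/KDC chatter removed); the regexes match the nskrb.c message text as it appears in that trace and are an assumption for other firmware versions.

```python
"""Triage a NetScaler /tmp/nskrb.debug trace: split it into the KCD stages
(TGT, S4U2Self, S4U2Proxy) and name the krb5 error codes it reports."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Base of the krb5 com_err table shared by MIT and Heimdal. The first entries
# are the RFC 4120 section 7.5.9 protocol error codes in order, so
# KDC_ERR_BADOPTION (13) is logged as -1765328384 + 13 = -1765328371.
ERROR_TABLE_BASE_KRB5 = -1765328384

KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client principal not in KDC database
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",  # requested SPN not registered
    12: "KRB5KDC_ERR_POLICY",              # KDC policy rejected the request
    13: "KRB5KDC_ERR_BADOPTION",           # KDC cannot accommodate requested option
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",        # no common encryption type
    18: "KRB5KDC_ERR_CLIENT_REVOKED",      # account disabled or locked out
    23: "KRB5KDC_ERR_KEY_EXP",             # password expired
    24: "KRB5KDC_ERR_PREAUTH_FAILED",      # wrong password or stale keytab
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",    # benign: KDC asks for pre-auth first
    37: "KRB5KRB_AP_ERR_SKEW",             # clock skew too great
}


def decode_krb5_error(code: int) -> str:
    """Map a signed com_err value from the trace to its krb5 symbolic name."""
    if code == 0:
        return "OK"
    offset = code - ERROR_TABLE_BASE_KRB5
    if 0 <= offset < 128:
        return KRB5_ERROR_NAMES.get(offset, f"krb5 protocol error #{offset}")
    return f"non-krb5 com_err value {code}"


@dataclass
class Stage:
    name: str
    principal: str
    code: Optional[int] = None  # None until a "returned N" line is seen

    @property
    def status(self) -> str:
        return "no result logged" if self.code is None else decode_krb5_error(self.code)


# Lines that open each stage, in the order the appliance performs them
# (message text taken from the posted trace; assumed stable across builds).
STAGE_START = (
    ("tgt", re.compile(r"Attempting TGT with (\S+),")),
    ("s4u2self", re.compile(r"Attempting S4U2Self with (\S+), for (\S+)")),
    ("s4u2proxy", re.compile(r"service name for s4u2proxy is (\S+)")),
)
# Result lines: the TGT comes from krb5_get_init_creds_keyblock, both S4U
# steps from krb5_get_creds. Other "returned" lines (AS_REP decode etc.) are
# deliberately not matched.
STAGE_RESULT = re.compile(
    r"(?:krb5_get_init_creds_keyblock|krb5_get_creds) returned (-?\d+)")


def parse_nskrb_debug(trace: str) -> Dict[str, Stage]:
    """Return {stage name: Stage} for the stages present in the trace."""
    stages: Dict[str, Stage] = {}
    current: Optional[Stage] = None
    for raw in trace.splitlines():
        line = raw.strip()
        for name, rx in STAGE_START:
            m = rx.search(line)
            if m:
                current = Stage(name, principal=m.group(1))
                stages[name] = current
                break
        else:
            m = STAGE_RESULT.search(line)
            if m and current is not None and current.code is None:
                current.code = int(m.group(1))  # first result line wins
    return stages


def first_failure(stages: Dict[str, Stage]) -> Optional[Tuple[str, str]]:
    """(stage, error name) for the first stage that did not return 0, else None."""
    for name in ("tgt", "s4u2self", "s4u2proxy"):
        stage = stages.get(name)
        if stage is None:
            return (name, "not reached")
        if stage.code not in (None, 0):
            return (name, decode_krb5_error(stage.code))
    return None


# Constructed sample: the stage and result lines of the posted trace, with
# timestamps and the DNS/KDC lookup lines removed.
SAMPLE_TRACE = """\
 nskrb.c[542]: ns_process_kcd_req Attempting TGT with host/fqdn-lbvserver.domain.de@INTERNAL.DOMAIN.SUFFIX, outcache /var/krb/tgt_0_b277cdec37f1740adaf02369977ab493
 init_creds_pw.c[1852]: krb5_init_creds_step krb5_get_init_creds: KRB-ERROR -1765328359, not necessarily fatal
 nskrb.c[1460]: get_new_tickets krb5_get_init_creds_keyblock returned 0
 nskrb.c[638]: ns_process_kcd_req Attempting S4U2Self with host/fqdn-lbvserver.INTERNAL.DOMAIN.SUFFIX, for user.name@INTERNAL.DOMAIN.SUFFIX
 nskrb.c[1800]: ns_kgetcred krb5_get_creds returned 0, svcname host/fqdn-lbvserver.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX, impersonate str user.name@INTERNAL.DOMAIN.SUFFIX, deleg NULL outcache /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96
 nskrb.c[661]: ns_process_kcd_req service name for s4u2proxy is HTTP/websrv-remotens.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX
 nskrb.c[1800]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/websrv-remotens.internal.domain.suffix@INTERNAL.DOMAIN.SUFFIX, impersonate str NULL, deleg /var/krb/s4u_0_0ce5d5f71926a5aa7e84a8689fcecd96 outcache /var/krb/tgs_0_412bdef246c3ceb6d263da04f12132e6
 nskrb.c[663]: ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328371
"""

if __name__ == "__main__":
    result = parse_nskrb_debug(SAMPLE_TRACE)
    for stage in result.values():
        print(f"{stage.name:10s} {stage.status:30s} {stage.principal}")
    print("first failure:", first_failure(result))
```

Run against the posted trace the script reports tgt OK, s4u2self OK and s4u2proxy KRB5KDC_ERR_BADOPTION. A KDC answering S4U2Proxy with KDC_ERR_BADOPTION has refused to issue a ticket for that target, and per MS-SFU it does so in two cases: the requesting account (the KCD account whose TGT was obtained as host/fqdn-lbvserver...) is not permitted to delegate to the exact SPN in the request, which means the account's msDS-AllowedToDelegateTo must list HTTP/websrv-remotens.internal.domain.suffix itself and not merely a host/ SPN; or the S4U2Self ticket from the previous step is not forwardable, for example because the user is in Protected Users or is marked "sensitive and cannot be delegated". Both can be checked from the principal strings the trace already prints before changing anything on the second appliance.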

Hey,

Thanks for the quick response.

 

I have added all services via FQDN and my appliances are resolving them correctly.

I am not sure whether I have to configure KCD on my VPX B appliance as well. From my understanding, my VPX A will just do KCD against the LB vServer/service on VPX B, but VPX B won't do any KCD as it is just meant as an LB appliance without offloading or anything.

I will do some more testing today and try to do the KCD configuration on my VPX B appliance as well. (Background of this whole scenario, by the way: I have a client who uses NetScaler as a reverse proxy for publishing a CenShare app, but the CenShare servers are load balanced on an F5 that the NetScaler connects to, so basically the NetScaler does KCD against the F5 where the CenShare services are load balanced. With my lab setup I tried to reproduce this scenario and, well, I could reproduce the exact same error, but I am somehow stalling on how to fix this.)

 

Best regards

