NetScaler SAML auth and SSO to Power BI Report Server



Has anyone configured SAML auth against an external SP then done SSO (via Kerberos delegation) to Power BI Report Server? (Or SQL Server Reporting Services... same thing)

I've configured the SAML auth, user gets authenticated, Kerberos ticket issued, but the Power BI server returns a 401 unauthorised message. By default it's configured for Negotiate auth, which includes Kerberos and NTLM, so not sure why it's failing. Logging on the Power BI side seems to be minimal to none, so I'm not getting far with it.

Regards

Dan


Hi Julian, as below (sanitized). I have an SPN set up for HTTP/SARHN-MIV-PBI@AD.DOMAIN.COM against my service account, and the account is configured for delegation.

A packet trace shows the Power BI server issuing a Negotiate challenge, but returning 401 when the NetScaler supplies what I presume is the Kerberos ticket.

I'm not strong on Kerberos, so I'm trying to ensure the NetScaler is correct before I push back on the server team to investigate their side. I've not been able to find a good guide that covers Kerberos where the external FQDN, the user UPN and the internal AD domain are all different.

Regards

Dan

root@CTXVPX01# cat /tmp/nskrb.debug
Tue Sep 17 12:14:07 2019
 nskrb.c[2094]: nskrb_accept PARENT: 1 children spawned
Tue Sep 17 12:14:07 2019
 nskrb.c[2087]: nskrb_accept CHILD: started, processing AAA request
Tue Sep 17 12:14:07 2019
 nskrb.c[397]: ns_process_kcd_req username is demo

Tue Sep 17 12:14:07 2019
 nskrb.c[401]: ns_process_kcd_req user_realm is AD.DOMAIN.COM, user_realmlen is 29

Tue Sep 17 12:14:07 2019
 nskrb.c[407]: ns_process_kcd_req svc is SERVER

Tue Sep 17 12:14:07 2019
 nskrb.c[414]: ns_process_kcd_req gethostbyname failed

Tue Sep 17 12:14:07 2019
 nskrb.c[419]: ns_process_kcd_req realm is AD.DOMAIN.COM, realmlen is 29

Tue Sep 17 12:14:07 2019
 nskrb.c[425]: ns_process_kcd_req delegated_user len is 11 value is svc_ctxkrb

Tue Sep 17 12:14:07 2019
 nskrb.c[431]: ns_process_kcd_req password provided, len 89

Tue Sep 17 12:14:07 2019
 nskrb.c[501]: ns_process_kcd_req user non-enterprise username demo@AD.DOMAIN.COM
Tue Sep 17 12:14:07 2019
 nskrb.c[509]: ns_process_kcd_req MD5 demoAD.DOMAIN.COMsvc_ctxkrbAD.DOMAIN.COM for s4u cache filename

Tue Sep 17 12:14:07 2019
 nskrb.c[521]: ns_process_kcd_req MD5 demoAD.DOMAIN.COMSERVERAD.DOMAIN.COM for tgs cache filename

Tue Sep 17 12:14:07 2019
 nskrb.c[535]: ns_process_kcd_req MD5 svc_ctxkrbAD.DOMAIN.COM for tgt cache filename

Tue Sep 17 12:14:07 2019
 nskrb.c[541]: ns_process_kcd_req tgt ticket cachename is /var/krb/tgt_0_22901a7dcfc9f2118834485dc4f0a613
Tue Sep 17 12:14:07 2019
 nskrb.c[542]: ns_process_kcd_req s4u cachename is /var/krb/s4u_0_65691b75c2212db2ef8ed41fed41c709
Tue Sep 17 12:14:07 2019
 nskrb.c[543]: ns_process_kcd_req tgs cachename is /var/krb/tgs_0_3993324cf94af0c17a215e7f2797b679
Tue Sep 17 12:14:07 2019
 nskrb.c[545]: ns_process_kcd_req Attempting TGT with svc_ctxkrb@AD.DOMAIN.COM, outcache /var/krb/tgt_0_22901a7dcfc9f2118834485dc4f0a613
Tue Sep 17 12:14:07 2019
 nskrb.c[1314]: ns_kinit got TGT in cache, kinit returning

Tue Sep 17 12:14:07 2019
 nskrb.c[643]: ns_process_kcd_req Attempting S4U2Self with svc_ctxkrb@AD.DOMAIN.COM, for demo@AD.DOMAIN.COM
Tue Sep 17 12:14:07 2019
 nskrb.c[1738]: ns_kgetcred cache file /var/krb/s4u_0_65691b75c2212db2ef8ed41fed41c709 does not exist

Tue Sep 17 12:14:07 2019
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Tue Sep 17 12:14:07 2019
 krbhst.c[447]: srv_get_hosts searching DNS for realm AD.DOMAIN.COM tcp.kerberos -> 0
Tue Sep 17 12:14:07 2019
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host hc-dc2-ad.AD.DOMAIN.COM in realm AD.DOMAIN.COM
Tue Sep 17 12:14:08 2019
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host hc-ad.AD.DOMAIN.COM in realm AD.DOMAIN.COM
Tue Sep 17 12:14:08 2019
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'AD.DOMAIN.COM' using protocol 1
Tue Sep 17 12:14:08 2019
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm AD.DOMAIN.COM = 0
Tue Sep 17 12:14:08 2019
 nskrb.c[1805]: ns_kgetcred krb5_get_creds returned 0, svcname svc_ctxkrb@AD.DOMAIN.COM, impersonate str demo@AD.DOMAIN.COM, deleg NULL outcache /var/krb/s4u_0_65691b75c2212db2ef8ed41fed41c709

Tue Sep 17 12:14:08 2019
 nskrb.c[1878]: ns_kgetcred successfully wrote credentials to cache file /var/krb/s4u_0_65691b75c2212db2ef8ed41fed41c709

Tue Sep 17 12:14:08 2019
 nskrb.c[666]: ns_process_kcd_req service name for s4u2proxy is HTTP/SERVER@AD.DOMAIN.COM

Tue Sep 17 12:14:08 2019
 nskrb.c[1738]: ns_kgetcred cache file /var/krb/tgs_0_3993324cf94af0c17a215e7f2797b679 does not exist

Tue Sep 17 12:14:08 2019
 krbhst.c[672]: kdc_get_next attempting tcp srv lookup for kerberos service
Tue Sep 17 12:14:08 2019
 krbhst.c[447]: srv_get_hosts searching DNS for realm AD.DOMAIN.COM tcp.kerberos -> 0
Tue Sep 17 12:14:08 2019
 send_to_kdc.c[441]: krb5_sendto trying to communicate with host hc-ad.AD.DOMAIN.COM in realm AD.DOMAIN.COM
Tue Sep 17 12:14:08 2019
 send_to_kdc.c[486]: krb5_sendto sending request to kdc for realm 'AD.DOMAIN.COM' using protocol 1
Tue Sep 17 12:14:08 2019
 send_to_kdc.c[514]: krb5_sendto result of trying to talk to realm AD.DOMAIN.COM = 0
Tue Sep 17 12:14:08 2019
 nskrb.c[1805]: ns_kgetcred krb5_get_creds returned 0, svcname HTTP/SERVER@AD.DOMAIN.COM, impersonate str NULL, deleg /var/krb/s4u_0_65691b75c2212db2ef8ed41fed41c709 outcache /var/krb/tgs_0_3993324cf94af0c17a215e7f2797b679

Tue Sep 17 12:14:08 2019
 nskrb.c[1848]: ns_kgetcred length of delegated data is 0
Tue Sep 17 12:14:08 2019
 nskrb.c[1522]: ns_serialize_creds client name in creds: demo@AD.DOMAIN.COM

Tue Sep 17 12:14:08 2019
 nskrb.c[1535]: ns_serialize_creds client name in creds:len 33 demo@AD.DOMAIN.COM

Tue Sep 17 12:14:08 2019
 nskrb.c[1546]: ns_serialize_creds server name in creds:len 47 HTTP/SERVER@AD.DOMAIN.COM

Tue Sep 17 12:14:08 2019
 nskrb.c[1558]: ns_serialize_creds keytype is 18, keylen is 32

Tue Sep 17 12:14:08 2019
 nskrb.c[1566]: ns_serialize_creds times  1568676043, 1568688247, 1568712043, 1568762443, total len 32

Tue Sep 17 12:14:08 2019
 nskrb.c[1581]: ns_serialize_creds ticket len is 1358, second ticket len is 0

Tue Sep 17 12:14:08 2019
 nskrb.c[1605]: ns_serialize_creds total credentials length is 1518

Tue Sep 17 12:14:08 2019
 nskrb.c[681]: ns_process_kcd_req serialized creds len is 1522

^C
root@CTXVPX01#

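The capture above goes through the three exchanges NetScaler KCD makes in order: a TGT for the delegation account (svc_ctxkrb), S4U2Self (a ticket to itself in the user's name), then S4U2Proxy (a ticket for the back-end SPN, here HTTP/SERVER@AD.DOMAIN.COM). The script below is an added example, not part of the thread or of any Citrix tooling: it pulls each stage out of an nskrb.debug capture so you can see which one stopped and which SPN was actually requested. One Kerberos point worth keeping in mind when reading the result: a service ticket the KDC is happy to issue is encrypted with the key of whichever account holds that SPN, so the back end can still answer 401 if the SPN is registered on an account other than the one its service runs as. The sample input is constructed from the sanitized message lines above (timestamps omitted); in a real capture the timestamp lines sit on their own line and simply match nothing.

```powershell
# Added example (not from the thread): triage a NetScaler /tmp/nskrb.debug capture.
# Copy the file off the appliance and run: Get-KcdStages -Path .\nskrb.debug | Get-KcdVerdict
function Get-KcdStages {
    [CmdletBinding(DefaultParameterSetName = 'Lines')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'File')][string]$Path,
        [Parameter(Mandatory, ParameterSetName = 'Lines')][string[]]$Lines
    )
    if ($PSCmdlet.ParameterSetName -eq 'File') { $Lines = Get-Content -Path $Path }

    $r = [ordered]@{
        User             = $null
        UserRealm        = $null
        DelegatedUser    = $null   # the KCD account NetScaler authenticates as
        TargetService    = $null   # SPN handed to S4U2Proxy; must be held by the back end's account
        HostLookupFailed = $false  # "gethostbyname failed" for the service host
        TgtOk            = $false
        S4U2SelfOk       = $false
        S4U2ProxyOk      = $false
        CredsLength      = $null   # serialized ticket that goes into the Negotiate header
        KdcErrors        = @()
    }
    foreach ($l in $Lines) {
        switch -Regex ($l) {
            'ns_process_kcd_req username is (\S+)'        { $r.User = $Matches[1] }
            'ns_process_kcd_req user_realm is ([^,]+),'   { $r.UserRealm = $Matches[1] }
            'delegated_user len is \d+ value is (\S+)'    { $r.DelegatedUser = $Matches[1] }
            'ns_process_kcd_req gethostbyname failed'     { $r.HostLookupFailed = $true }
            'ns_kinit got TGT in cache'                   { $r.TgtOk = $true }
            'Attempting S4U2Self with'                    { $r.TgtOk = $true }   # only reached after the TGT step
            'service name for s4u2proxy is (\S+)'         { $r.TargetService = $Matches[1] }
            'krb5_get_creds returned (-?\d+), svcname (\S+), impersonate str (\S+), deleg (\S+)' {
                $rc = [int]$Matches[1]
                # impersonate != NULL is the S4U2Self call; deleg != NULL is the S4U2Proxy call
                if ($Matches[3] -ne 'NULL') { $r.S4U2SelfOk  = ($rc -eq 0) }
                else                        { $r.S4U2ProxyOk = ($rc -eq 0) }
                if ($rc -ne 0) { $r.KdcErrors += "krb5_get_creds rc=$rc for $($Matches[2])" }
            }
            'serialized creds len is (\d+)'               { $r.CredsLength = [int]$Matches[1] }
        }
    }
    [pscustomobject]$r
}

function Get-KcdVerdict {
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Stages)
    process {
        if (-not $Stages.TgtOk) {
            return "No TGT for $($Stages.DelegatedUser): check the KCD account password/realm and that the KDCs in the capture answered."
        }
        if (-not $Stages.S4U2SelfOk) {
            return "S4U2Self failed for $($Stages.User)@$($Stages.UserRealm): check the user name and realm the appliance derived, and the KDC reply in the capture."
        }
        if (-not $Stages.S4U2ProxyOk) {
            return "S4U2Proxy refused for $($Stages.TargetService): the SPN is not registered in AD, is missing from the KCD account's msDS-AllowedToDelegateTo, or 'Use any authentication protocol' is off so the S4U2Self ticket is not forwardable."
        }
        $spn = $Stages.TargetService -replace '@.*$'
        $msg = "NetScaler holds a service ticket for $spn ($($Stages.CredsLength) bytes serialized); a 401 after this point is decided by the back end. " +
               "The ticket is encrypted with the key of whichever account holds '$spn', so confirm that is the account the back-end service runs as (setspn -Q $spn)."
        if ($Stages.HostLookupFailed) {
            $msg += " Also: the appliance could not resolve the service host and requested the SPN with the name as configured; make sure that exact name (short name vs. FQDN) is the one registered."
        }
        $msg
    }
}

# Constructed sample: message lines of the sanitized capture above, timestamps omitted.
$sample = @(
    ' nskrb.c[397]: ns_process_kcd_req username is demo',
    ' nskrb.c[401]: ns_process_kcd_req user_realm is AD.DOMAIN.COM, user_realmlen is 29',
    ' nskrb.c[407]: ns_process_kcd_req svc is SERVER',
    ' nskrb.c[414]: ns_process_kcd_req gethostbyname failed',
    ' nskrb.c[425]: ns_process_kcd_req delegated_user len is 11 value is svc_ctxkrb',
    ' nskrb.c[1314]: ns_kinit got TGT in cache, kinit returning',
    ' nskrb.c[643]: ns_process_kcd_req Attempting S4U2Self with svc_ctxkrb@AD.DOMAIN.COM, for demo@AD.DOMAIN.COM',
    ' nskrb.c[1805]: ns_kgetcred krb5_get_creds returned 0, svcname svc_ctxkrb@AD.DOMAIN.COM, impersonate str demo@AD.DOMAIN.COM, deleg NULL outcache /var/krb/s4u_0_65691b75c2212db2ef8ed41fed41c709',
    ' nskrb.c[666]: ns_process_kcd_req service name for s4u2proxy is HTTP/SERVER@AD.DOMAIN.COM',
    ' nskrb.c[1805]: ns_kgetcred krb5_get_creds returned 0, svcname HTTP/SERVER@AD.DOMAIN.COM, impersonate str NULL, deleg /var/krb/s4u_0_65691b75c2212db2ef8ed41fed41c709 outcache /var/krb/tgs_0_3993324cf94af0c17a215e7f2797b679',
    ' nskrb.c[681]: ns_process_kcd_req serialized creds len is 1522'
)
$stages = Get-KcdStages -Lines $sample
$stages | Format-List
$stages | Get-KcdVerdict
```

For the sample all three stages report success, so the verdict points at the back end and at the SPN HTTP/SERVER; on a real capture, compare the TargetService value with the output of `setspn -Q` for that SPN and check which account it lands on.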

Could you please try the following? This is my default Kerberos setup and I know it works (tested with Exchange, SharePoint, ...).

Example:

ADC AD Service User: svc_adckerb

Internal AD FQDN: owa.domain.internal

Public FQDN: owa.domain.external

Exchange FQDN: SRV-EXCHANGE.domain.internal

So you have to create the SPN for the ADC service user (not for your host or web server!):

setspn -A host/svc_adckerb.domain.internal INTERNAL\svc_adckerb

Go to the Delegation Tab in AD for svc_adckerb User:

- Trust this user for delegation to specified services only

- Use any authentication protocol

Service Type:

http SRV-EXCHANGE.domain.internal

www SRV-EXCHANGE.domain.internal

I hope this helps.

Regards

Julian

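The layout Julian describes can be verified from the AD side before touching the appliance. The script below is an added example, not from the thread: it checks that the ADC service user carries its own SPN, that its delegation is constrained rather than unconstrained, that "Use any authentication protocol" (the TRUSTED_TO_AUTH_FOR_DELEGATION bit, needed for protocol transition from SAML to Kerberos) is set, that the target SPN is in the account's allowed-to-delegate-to list, and that the target SPN is registered on exactly one account in the domain, which is not the ADC user itself. It assumes Julian's example names (svc_adckerb, domain.internal, SRV-EXCHANGE); swap in your own. It needs the RSAT ActiveDirectory module and read access to the accounts involved.

```powershell
# Added example (not from the thread): validate the KCD pieces in AD.
Import-Module ActiveDirectory

function Test-KcdDelegation {
    param(
        [Parameter(Mandatory)][string]$DelegationAccount,   # the ADC's AD service user
        [Parameter(Mandatory)][string]$AccountSpn,          # SPN registered on that user
        [Parameter(Mandatory)][string]$TargetSpn            # SPN the ADC asks for in S4U2Proxy
    )
    $TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: should be OFF
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

    $u   = Get-ADUser -Identity $DelegationAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
    $uac = [int]$u.userAccountControl

    # Every account in the domain that claims the target SPN. Kerberos needs exactly one,
    # and it must be the account the back-end service runs as, because the service
    # ticket is encrypted with that account's key.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" |
                 Select-Object -ExpandProperty DistinguishedName)

    $checks = [ordered]@{
        "ADC account carries $AccountSpn"                = ($u.servicePrincipalName -contains $AccountSpn)
        'Constrained delegation (unconstrained bit off)' = (($uac -band $TRUSTED_FOR_DELEGATION) -eq 0)
        'Use any authentication protocol'                = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        "$TargetSpn in msDS-AllowedToDelegateTo"         = ($u.'msDS-AllowedToDelegateTo' -contains $TargetSpn)
        "$TargetSpn registered on exactly one account"   = ($holders.Count -eq 1)
        "$TargetSpn not on the ADC account itself"       = ($u.servicePrincipalName -notcontains $TargetSpn)
    }
    foreach ($name in $checks.Keys) {
        Write-Host ('{0} {1}' -f $(if ($checks[$name]) { 'PASS' } else { 'FAIL' }), $name)
    }
    if ($holders.Count -ne 1) {
        Write-Host ("     holders of {0}: {1}" -f $TargetSpn, ($holders -join '; '))
    }
    return -not ($checks.Values -contains $false)
}

# Julian's example values; replace with your own.
Test-KcdDelegation -DelegationAccount 'svc_adckerb' `
                   -AccountSpn 'host/svc_adckerb.domain.internal' `
                   -TargetSpn  'http/SRV-EXCHANGE.domain.internal'
```

The LDAP query searches the domain the session is bound to; in a multi-domain forest run `setspn -F -Q http/SRV-EXCHANGE.domain.internal` as well, since a duplicate in another domain also breaks Kerberos. Run it for each target SPN you list under the delegation tab.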
