Kerberos authentication breaks through loadbalancer

Currently using NS12.1 51.19.nc.


I'm trying to load balance Topdesk which uses Kerberos to authenticate.

These are all windows domain users so when they use their browser to log into Topdesk it automatically uses their domain credentials.

However when attempting to log in to Topdesk using kerberos through a loadbalancer the kerberos authentication breaks.


This is not completely new to me because I ran into a similar issue when trying to access Topdesk through the SecureWeb micro VPN.

This was solved by using the below blog to set up a dummy KCD account and using a traffic policy which solved the problem.



However when I try to the do the same using the same KCD account and a traffic policy, the authentication still fails. I also do not see any entries in my /var/log/ns.log when attempting to log in.

What I have done so far:

- Created traffic policy policy with expression TRUE that has a traffic profile that has Single Sign-on enabled and the KDC account bound, basically mirroring the session policy that is bound to my gateway This does nothing it seems

- Created a AAA-vServer with LDAP and binding it to loadbalancer, this prompts the user for credentials and will then SSO to Topdesk which makes sense because the netscaler then has credentials to use, but this requires me to log in manually and I don't want to have to do that since I don't have to do that now either.


So I would need a method to either automate the login to the AAA-vServer so the netscaler automatically logs in using the domain credentials of the user.

OR (preferably) I create a simple policy like I did for the gateway to un-break the kerberos to the back-end.

I've found all these posts and guides but all require extensive configuration and I figured there must be a easier way at this point.

Any advice or tips or am I stuck building these more complicated setups?

