Kerberos constrained delegation with loadbalancing vserver



I'm trying to set up a load-balancing vserver with Kerberos authentication, basically as described here: https://www.citrix.com/blogs/2016/02/23/kerberos-authentication-with-ntlm-fallback-kcd-sso-to-the-backend/ but without NTLM, i.e. Kerberos only.

The idea is that a client authenticates against the load balancer and gets a Kerberos ticket for the load balancer's name, and the load balancer should obtain a Kerberos ticket on behalf of the user for the backend service. That way it should be possible to use single sign-on with a common URL that is load-balanced to multiple backend servers with different names.

After following several guides to configure the NetScaler ADC (the one above matches best), I'm stuck at one point where I don't make any progress.

While the initial authentication between the client and the NetScaler does work, an error occurs when the NetScaler tries to get a ticket for the backend service.

In Wireshark I see the error message "KRB Error: KRB5KDC_ERR_BADOPTION" coming from the domain controller. Probably this is because of the options in the TGS-REQ, where "request-anonymous" is set to "true" (visible in Wireshark too).

To me it seems like the load balancer does not give any frontend-user information (user name, ticket, whatever) to the backend and is instead using the "anonymous" request.

In nskrb.debug the error is visible too:

Tue May 12 15:12:13 2020
nskrb.c[1941]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/my_valid_identifier , impersonate str NULL, deleg /var/krb/s4u_0_6abefc08dfb304a34afa65c280dd01d9 outcache /var/krb/tgs_0_b532bb206050e05b7fc9614ba604e637
Tue May 12 15:12:13 2020
nskrb.c[1946]: ns_kgetcred krb5_get_creds returned -1765328371
Tue May 12 15:12:13 2020
nskrb.c[804]: ns_process_kcd_req s4u2proxy sending reject to kernel because of error -1765328371

Maybe someone has had this error already or has a hint where I have to tweak the configuration?

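The post above has two numbers worth decoding before touching any configuration: the return code -1765328371 in nskrb.debug and the KDCOptions bits of the TGS-REQ seen in Wireshark. The following is an added example, not code from the original thread or from Citrix. It maps a libkrb5 com_err code to its RFC 4120 name (the nskrb.debug code is the same KDC error the capture shows) and decodes a 32-bit KDCOptions word into RFC 4120 flag names by bit position. The name a dissector prints for a given bit depends on the ASN.1 module it was generated from, so when a capture shows an unexpected flag such as request-anonymous, compare the raw bit position against RFC 4120 rather than trusting the label. The sample options word is constructed for illustration.

```python
"""Decode krb5 com_err codes and TGS-REQ KDCOptions (added example)."""

# com_err assigns libkrb5 a 32-bit error table base; the RFC 4120 protocol
# error codes (section 7.5.9) are offsets from it.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of RFC 4120 error codes that matter when debugging delegation.
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    12: "KRB5KDC_ERR_POLICY",
    13: "KRB5KDC_ERR_BADOPTION",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
    68: "KRB5KDC_ERR_WRONG_REALM",
}

# KDCOptions bit positions (RFC 4120 section 5.4.1; bit 16 from RFC 6112).
# ASN.1 BIT STRING numbering: bit 0 is the most significant bit of the word.
KDC_OPTIONS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 14: "cname-in-addl-tkt", 15: "canonicalize",
    16: "request-anonymous", 26: "disable-transited-check",
    27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

S4U2PROXY_BIT = 14  # S4U2Proxy puts the evidence ticket in additional-tickets


def krb5_error_name(code: int) -> str:
    """Map a negative com_err code (as logged by libkrb5 users) to its name."""
    offset = code - KRB5_ERROR_TABLE_BASE
    return KRB5_ERRORS.get(offset, f"unknown krb5 error (table offset {offset})")


def decode_kdc_options(word: int) -> list:
    """Return the set KDCOptions flags as 'name(bit)' strings, in bit order."""
    flags = []
    for bit in range(32):
        if word & (0x80000000 >> bit):
            flags.append(f"{KDC_OPTIONS.get(bit, 'unused')}({bit})")
    return flags


def is_s4u2proxy_request(word: int) -> bool:
    """True if cname-in-addl-tkt is set, i.e. the TGS-REQ is an S4U2Proxy request."""
    return bool(word & (0x80000000 >> S4U2PROXY_BIT))


# Constructed sample: forwardable(1) + cname-in-addl-tkt(14) + canonicalize(15).
SAMPLE_S4U2PROXY_OPTIONS = 0x40030000

if __name__ == "__main__":
    print(krb5_error_name(-1765328371))          # KRB5KDC_ERR_BADOPTION
    print(decode_kdc_options(SAMPLE_S4U2PROXY_OPTIONS))
```

Run against the OP's log value, the first call returns KRB5KDC_ERR_BADOPTION, confirming the nskrb.debug code and the Wireshark error are the same KDC response; the second call shows which bits an S4U2Proxy request actually sets so the capture can be compared position by position.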

5 hours ago, Ramon Schönborn said:

(quoting the original post above)


The ticket for the delegated user is sent to the KCD as seen by "deleg /var/krb/s4u_0_6abefc08dfb304a34afa65c280dd01d9 outcache /var/krb/tgs_0_b532bb206050e05b7fc9614ba604e637". KDC_ERR_BADOPTION from the KDC means that the KrbFlags set in the KdcOptions sent to the server are not allowed. See for example https://docs.microsoft.com/en-us/archive/blogs/askds/kerberos-errors-in-network-captures. I would check for any of the 4 problems mentioned in the Microsoft link and be sure that you have followed all the steps in https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/ns-aaa-sso-con/ns-aaa-sso-setup-tsk/ns-aaa-sso-setup-configuring-tsk/ns-aaa-sso-setup-configuring-delegation-tsk.html under "To configure delegation for the Kerberos service account".

Also, Microsoft has this old document. Check that you have followed all prerequisites for the use of constrained delegation: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10).

 

Regards,

Jesper

 


Thank you very much for your help!

19 hours ago, jgroth_112 said:

KDC_ERR_BADOPTION from the KDC means that the KrbFlags set in the KdcOptions sent to the server are not allowed. See for example https://docs.microsoft.com/en-us/archive/blogs/askds/kerberos-errors-in-network-captures.

That's why I thought the "request-anonymous" KDC option might be the problem here, because it is the most unusual option compared to the successful ticket requests that I've seen so far in other cases.

19 hours ago, jgroth_112 said:

I would check for any of the 4 problems mentioned in the Microsoft link and be sure that you have followed all the steps in https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/ns-aaa-sso-con/ns-aaa-sso-setup-tsk/ns-aaa-sso-setup-configuring-tsk/ns-aaa-sso-setup-configuring-delegation-tsk.html under "To configure delegation for the Kerberos service account".

I checked them, and 1 and 2 seem OK: the service account is configured on the NetScaler ADC as a KCD account with a keytab (I tried user + password too, it doesn't matter), and the account is configured for constrained delegation for the backend services.

[Screenshot: AD delegation settings of the KCD account]

The entries there are the FQDNs of both possible backend servers (the names as in the nskrb.debug log above (svcname HTTP/my_valid_identifier), but without the @REALM suffix).

That service name also appears in the Wireshark req-body as part of the "TGS-REQ":

[Screenshot: Wireshark TGS-REQ]

3. The user account I use is not marked as sensitive.

4. I don't think this is the case here.

19 hours ago, jgroth_112 said:

Also, Microsoft has this old document. Check that you have followed all prerequisites for the use of constrained delegation: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10).

I checked the other references too, but I can't find any differences to my setup.

 


I made one small change to my setup last time without mentioning it:

The NetScaler KCD account was changed from "Use Kerberos only" to "Use any authentication protocol" in the AD delegation settings dialog (see screenshot above). It did not work immediately afterwards, I guess because of some caching issues. But when I tested yesterday, it worked!

To make sure that this was the mistake, I set it back, and a few hours later the error was back too.

So, thank you for pointing me in the right direction!

A note for others who try to configure a setup like this: it is not necessary that the AAA vserver is actually reachable and DNS-configured. It works with a "fake" IP (e.g. 1.2.3.4) where the state is shown as "down".

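Jesper's reply asks for the delegation configuration of the Kerberos service account to be checked, and the resolution above turned out to be the "Use Kerberos only" versus "Use any authentication protocol" radio button on that account's Delegation tab. The following is an added example, not code from the thread or from Citrix, that evaluates the AD attributes behind that dialog: the Delegation tab writes the target SPNs to msDS-AllowedToDelegateTo and, for "Use any authentication protocol", additionally sets the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) in userAccountControl; "Account is sensitive and cannot be delegated" on the front-end user is the NOT_DELEGATED bit (0x100000). The attribute values are constructed, as is the SPN backend1.corp.example; in practice they come from ldapsearch or Get-ADUser -Properties userAccountControl,msDS-AllowedToDelegateTo.

```python
"""Evaluate AD delegation attributes behind an S4U2Proxy KDC_ERR_BADOPTION (added example)."""

# userAccountControl bits (ADS_USER_FLAG_ENUM) that the Delegation tab and the
# user's Account options toggle.
NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_FOR_DELEGATION = 0x00080000          # "Trust this user for delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol"


def _normalise_spn(spn: str) -> str:
    # msDS-AllowedToDelegateTo entries carry no realm; strip one if the
    # requested target (e.g. from a log line) has it, and compare case-insensitively.
    return spn.split("@", 1)[0].lower()


def target_allowed(allowed_to_delegate_to: list, target_spn: str) -> bool:
    """Is target_spn one of the services the KCD account may delegate to?"""
    allowed = {_normalise_spn(s) for s in allowed_to_delegate_to}
    return _normalise_spn(target_spn) in allowed


def delegation_mode(uac: int, allowed_to_delegate_to: list) -> str:
    """Name the option selected on the account's Delegation tab.

    Unconstrained delegation is checked first: if that bit is set, the
    constrained list is not what the KDC enforces.
    """
    if uac & TRUSTED_FOR_DELEGATION:
        return "Trust this user for delegation to any service (Kerberos only)"
    if allowed_to_delegate_to:
        base = "Trust this user for delegation to specified services only - "
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return base + "Use any authentication protocol"
        return base + "Use Kerberos only"
    return "Do not trust this user for delegation"


def user_can_be_delegated(user_uac: int) -> bool:
    """False if the front-end user is marked sensitive (NOT_DELEGATED)."""
    return not (user_uac & NOT_DELEGATED)


def explain(kcd_uac: int, allowed_to_delegate_to: list, target_spn: str,
            user_uac: int) -> list:
    """List configuration conditions under which the KDC refuses an S4U2Proxy
    request for target_spn on behalf of the user. An empty list means the
    account objects themselves are not the cause."""
    problems = []
    if not allowed_to_delegate_to and not (kcd_uac & TRUSTED_FOR_DELEGATION):
        problems.append("KCD account is not trusted for delegation at all")
    elif allowed_to_delegate_to and not target_allowed(allowed_to_delegate_to, target_spn):
        problems.append(f"{target_spn} is missing from msDS-AllowedToDelegateTo")
    if not user_can_be_delegated(user_uac):
        problems.append("delegated user is marked 'Account is sensitive and cannot be delegated'")
    return problems


# Constructed sample values (not from the thread): a KCD account allowed to
# delegate to two backends, first as "Use Kerberos only", then after the fix.
KCD_ALLOWED = ["HTTP/backend1.corp.example", "HTTP/backend2.corp.example"]
KERBEROS_ONLY_UAC = 0x00010200                                     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
ANY_PROTOCOL_UAC = KERBEROS_ONLY_UAC | TRUSTED_TO_AUTH_FOR_DELEGATION  # 0x01010200
NORMAL_USER_UAC = 0x00000200
SENSITIVE_USER_UAC = NORMAL_USER_UAC | NOT_DELEGATED

if __name__ == "__main__":
    for uac in (KERBEROS_ONLY_UAC, ANY_PROTOCOL_UAC):
        print(f"0x{uac:08x}: {delegation_mode(uac, KCD_ALLOWED)}")
    print(explain(ANY_PROTOCOL_UAC, KCD_ALLOWED,
                  "HTTP/backend1.corp.example@CORP.EXAMPLE", NORMAL_USER_UAC))
```

The realm suffix is stripped before matching because, as noted above, the delegation list in AD holds bare SPNs while logs and captures often show the principal with @REALM; a mismatch there is a false alarm, whereas a host name that differs from the backend FQDN the NetScaler actually requests is a genuine one.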
