Jump to content
Welcome to our new Citrix community!

ADC Kerberos Impersonation to 401 based AAA on another ADC

Recommended Posts



We are having a scenario where we have an internal ADC pair which is doing content switching for a website and a DMZ ADC pair which is basically doing forms based AAA for external users via LDAP and handles reverse proxy of the internal content switching ADC VIP. Users are authenticated using Kerberos to the backend (Apache) webservers. This is either done directly for internal users or handled by Netscaler Kerberos Impersonation for external users - both is working fine.


We now have added another service to the internal CS vServer where the backend cannot handle SSO via Kerberos (or NTLM). To still achieve SSO an internal 401 based AAA vServer has been added in front to the internal non-adressable vServer behind the internal CS vServer which allows us to do an LDAP lookup after decrypting the Kerberos TGS tiket and inject the login information as required into a key-value pair in the header for backend requests to the application - this is also working fine for internal users. Users can achieve SSO via Kerberos although not supported by the actual backend application.


Now the problem: While ADC seems to have no issues handling Kerberos Impersonation against backends it seems to have issues when AAA vServers are being chained like in this case. So for a user logging on externally via ADC it seems to be unable to handle SSO via Kerberos impersonation to another ADC provided 401 based AAA (while this seems to be no issue to non-ADC based 401s). The result is that the user is redirected to the login page again when entering valid credentials. When taking a look at the Kerberos debug on the external ADC the TGS for the backend is requested properly so it seems if just an issue of handling the redirect correctly. 


Conclusion: There just seems to be some hickup when chaining two ADC AAA servers in terms of session cookies. Just unbinding the frontend AAA from the non-adressable vServer will result in a 401 in the browser for external users, unbind the backend will take you to the native application login page, either one therefore is working like expected for its own.


Can anyone confirm if chaining a froms based AAA on ADC to a backend 401 based AAA on another ADC is a supported scenario?


Currently I'll guess we'll have to directly open ports between the new backend from the DMZ ADC to the actual backend server so we bypass the internal ADC


Note: This is not about https://discussions.citrix.com/topic/368153-netscaler-aaa-form-sso-integrated-auth/, in this case the described secenario is already working. It only doesn't work if the 401 backend is also Netscaler/ADC



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...