SSL Offloading to Windows Servers using SSO auth not working (not OWA)


Eric Culp
My company is working to replace a Microsoft TMG Forefront server. The client enters the URL https://landing.company.com and is then sent to TMG to authenticate against LDAP. TMG then knows who the client is, so that if they go to https://landing.company.com or https://subdomain1.company.com or https://subdomain2.company.com (and so on) there is no additional logon for user/pass. TMG communicates with the back end servers over http (port 80) using the same wildcard certificate, *.company.com for example. I believe this is referred to as SSL offloading(?). I'm a bit over my head on this, so forgive me if I'm off on my terminology.

I found a few articles that helped with Microsoft OWA and that is working fine now, but the other websites/services mentioned are a mix of Microsoft, other third-party software and some internally developed code. All of these websites/services are set up to use Windows authentication though. IIS has NTLM as an authentication method for each of these.

We are using a Netscaler ADC VPX (200), aka NG, release NS13.0 52.24.nc, to replace the VPN and SSO portion of TMG. After much work we ended up using a full VPN solution with a split DNS setup. We tried other configurations such as clientless VPN but they didn't pan out. We have our NG set up so that we go to https://landing.company.com and log onto the NG using LDAP against Microsoft AD. This part works fine.

Using DNS we had tried simply pointing subdomain1.company.com to the internal IP, and when going to http://subdomain1.company.com (non-secure page) the page might come up properly (depending on what service/product subdomain1 was pointed to). On multiple websites/services simply using http, non-secure, the respective pages would either partially load (missing some items, or some items wouldn't work) or the pages simply wouldn't load at all. What I'm having problems with is getting it so that https://subdomain1.company.com or https://subdomain2.company.com don't ask for user/pass again. If the client uses https for these same subdomains the webpages/services would work, but only after entering Windows AD credentials again for each subdomain. I understand why this doesn't pass the user/pass along over https going directly to the subdomain's back end server.

I decided to use NG to try to SSL offload using load balancing servers, and after reading dozens of webpages (both Citrix created and server admin created) I failed a lot to even get a load balancing server to display the website/service. I couldn't even get to being prompted for a user/pass to access the website/service that the load balancing server was service bound to. To make any real progress I finally stumbled upon this gem here. Following that guide, the client gets a username and password prompt and upon entering AD credentials they can get to the website/service.

For example, now I have NG set up so that a load balancing server exists on 10.199.255.20 and has a service bound to the back end server on 10.1.192.110. I have set up subdomain1.company.com to point at 10.199.255.20 in DNS. Now opening https://subdomain1.company.com prompts for a user/pass. I know it's going through the load balancing server because if I disable that then the page doesn't respond (as expected).

So, I feel like I've made some progress in the right direction, but I cannot figure out why I can't get NG to "pass" the credentials to the back end server without a client needing to enter them again. I feel like I'm missing something basic here, but I've fiddled around a lot in SSL Session Policies, SSL Parameters, etc. and still can't figure it out. What could I be missing so that when a client enters a FQDN such as https://subdomain1.company.com that is being directed to NG, NG will use the information that we entered to get logged onto the NG VPN and 'landing' page? Thanks for any help you can provide.


Hi Eric,

I would suggest you to have a look here:

https://docs.citrix.com/en-us/netscaler-gateway/12/authentication-authorization/configure-sso/ng-plugin-sso-web-apps-tsk.html

Thanks

Arnaud


Arnaud, thank you for that article but both subdomains still prompt for credentials when I attempt to go to FQDNs that are mapped to two (individual) web servers.  I've made sure the client has cleared his browser history cache and have tried multiple computers and at least two different browsers on each computer.


15 minutes ago, Arnaud Pain said:

> Eric,
>
> The idea is to point the user to an AAA vServer for authentication, and based on the URL entered redirect to each LB vServer.
>
> Thanks
>
> Arnaud

 

I think I may understand but I'm still fuzzy on the details. We have an AAA vServer that is set up with an authentication policy for LDAP. There are currently no policies on this vserver. Would I need to add a policy to that AAA vserver for content switching that has a content switching policy that looks for something along the lines of HTTP.REQ.URL...("subdomain") and then that'd force the authentication? Could you provide an example?

Eric,

you can find details here: https://docs.citrix.com/en-us/citrix-adc/current-release/content-switching/basic-configuration.html

You need to create an action to target your LB vServer

Thanks

Arnaud
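A worked NetScaler CLI configuration of what Arnaud describes (one AAA vServer for the LDAP logon, a content-switching vServer on the shared VIP, and a host-based CS policy plus action per FQDN pointing at its LB vServer), added here as an illustration and not taken from the thread or the Citrix docs. It assumes the LB vServer currently on 10.199.255.20 is made non-addressable so the CS vServer can take that VIP, that subdomain1/subdomain2 resolve to the CS VIP and aaa.company.com to the AAA VIP, and that the second back end (10.1.192.111), the certkey name wildcard_company_com and the existing LDAP policy ldap_pol are placeholders.

```netscaler
# --- Back ends and LB vServers: HTTP to IIS, so TLS terminates on the ADC (SSL offload) ---
add server web1 10.1.192.110
add server web2 10.1.192.111                       # assumed second back end
add service svc_web1 web1 HTTP 80
add service svc_web2 web2 HTTP 80
add lb vserver lb_subdomain1 HTTP 0.0.0.0 0        # non-addressable; reached only via CS
add lb vserver lb_subdomain2 HTTP 0.0.0.0 0
bind lb vserver lb_subdomain1 svc_web1
bind lb vserver lb_subdomain2 svc_web2

# --- AAA vServer: the single LDAP logon (ldap_pol assumed to already exist) ---
add authentication vserver aaa_vs SSL 10.199.255.21 443
bind ssl vserver aaa_vs -certkeyName wildcard_company_com
bind authentication vserver aaa_vs -policy ldap_pol -priority 100
# Traffic-management session action: replay the primary (LDAP) credentials
# to the back end as single sign-on instead of letting IIS prompt again
add tm sessionAction sso_act -SSO ON -ssoCredential PRIMARY
add tm sessionPolicy sso_pol true sso_act
bind authentication vserver aaa_vs -policy sso_pol -priority 100

# --- CS vServer on the VIP every *.company.com name resolves to ---
add cs vserver cs_company SSL 10.199.255.20 443
bind ssl vserver cs_company -certkeyName wildcard_company_com
# Unauthenticated requests are redirected to aaa.company.com; the AAA session
# cookie then satisfies every host behind this CS vServer
set cs vserver cs_company -Authentication ON -authenticationHost aaa.company.com -AuthnVsName aaa_vs

# One action + host-match policy per FQDN, each targeting its own LB vServer
add cs action cs_act_subdomain1 -targetLBVserver lb_subdomain1
add cs action cs_act_subdomain2 -targetLBVserver lb_subdomain2
add cs policy cs_pol_subdomain1 -rule "HTTP.REQ.HOSTNAME.EQ(\"subdomain1.company.com\")" -action cs_act_subdomain1
add cs policy cs_pol_subdomain2 -rule "HTTP.REQ.HOSTNAME.EQ(\"subdomain2.company.com\")" -action cs_act_subdomain2
bind cs vserver cs_company -policyName cs_pol_subdomain1 -priority 100
bind cs vserver cs_company -policyName cs_pol_subdomain2 -priority 110
```

A quick check after applying it: `show cs vserver cs_company` should list both policies and report Authentication ON, and a browser that has logged on via aaa.company.com should reach both hosts with no further IIS prompt.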
