
Login to backend-server with username/ password.


Henrik Frisk


Hi.
I have a task where I'm asked to create an LB.server that has to do a simple authentication to the backend-server with a locally created username/password before a connection is allowed.
I'm not talking Citrix Gateway and I'm not talking LDAP or Radius. :-) The server guys have just created a local user with a password which the Netscaler (ADC) is going to use.

 

I suppose it's something that should be specified at the service since it's the component talking to the server.

 

Can anyone give me a hint on this?

 

Regards
Henrik


Just to make intents clear: do you want to insert the same username/password for every call going through the ADC?

Or does every user have his/her own credentials which need to be pushed to the backend?

But you still want AAA?

 

 

If your backend application supports an API call, you could configure WebAuth on the AAA module to allow for AAA to validate the credentials against the backend application.


Sorry for my delayed answer.
The customer would like the Netscaler-service to access the backend-servers with a username/ password created locally on the servers.

So it's only for internal Netscaler use. 

 

The client's request is authenticated by its certificate and does not pass this login. The customer is just asking for this additional check between the Netscaler and the backend-server.

 

I have suggested using a self-signed cert instead, but the customer will prefer to use a local user.

So to make it clear: There should be no user interaction. The NS just has to use this local login when starting a session.

 

I do not know if it will work at all!

 


I would first check how the web server does the authentication. Do we address a URL with parameters, do we have to send certain content in the HTML BODY, or something else?


If this is clear, a WebAuth can be built that can also be done with a static user and password.

What I am not sure about is whether WebAuth works with nFactor without asking for a user and password (NOSCHEMA).


41 minutes ago, Henrik Frisk said:

The customer would like the Netscaler-service to access the backend-servers with a username/ password created locally on the servers.

So it's only for internal Netscaler use. 

 

The service cannot do this, but e.g. an http-ecv monitor can be built that queries a specific URL and checks the response.
This would mean the service is DOWN if the answer is incorrect because e.g. the user is no longer valid in the target system.

But this is only possible if the login works via a URL call with parameters.


Hi Martin Meier.

 

I think you're right. I need to ask some more questions. They must be able to tell me what their server expects from the Netscaler.
My first thought was that a Service somehow could pass a username/password to the backend-server before getting access.

But you lead me more in the direction of a monitor. (Maybe http-ecv monitor/URL).

 

Thanks, I really appreciate your responses.

 

Henrik


  • 1 month later...

Hi again.

 

I finally found a solution to the login issue with a static username/password.
It could be done with a Rewrite-Action. But first I had to convert the username/password to a Base64-encoded string.

 

CLI SHELL:

# echo -n MyUsername:MyPassword | b64encode  -m  - | sed -n '2p'

O82NB4rNjDpUYdtlM0NkYWlYcp==

 

So this string is the combination of both username and password.

 

Create Rewrite Action:

add rewrite action rewrite_act_User-Pass-login insert_http_header Authorization "\"Basic O82NB4rNjDpUYdtlM0NkYWlYcp==\"" -comment "Base64encoded username-password"

 

Create Rewrite Policy:

add rewrite policy rewrite_pol_User-Pass-login TRUE rewrite_act_User-Pass-login

 

Bind to LB.server:

bind lb vserver MyServer.lb.server -policyName rewrite_pol_User-Pass-login -priority 100 -gotoPriorityExpression END -type REQUEST
 

Maybe someone else can use this method.

 

/Henrik
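
An added example, not part of the original posts: Base64 in a Basic header is an encoding, not encryption, so the static login is recoverable by anyone who can read the configuration. This Python sketch builds the token as RFC 7617 defines it and scans configuration text for rewrite actions that embed one; the action names, the `svc-lb` login and the sample lines are constructed for illustration.

```python
import base64
import binascii
import re

def basic_token(user: str, password: str) -> str:
    """RFC 7617 credentials: base64 of 'user:password' encoded as UTF-8."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

# Constructed sample lines in ns.conf style; action names and the login are made up.
_TOKEN = basic_token("svc-lb", "Example-Pass-1")
SAMPLE_CONF = "\n".join([
    'add rewrite action rw_act_login insert_http_header Authorization '
    '"\\"Basic ' + _TOKEN + '\\"" -comment "static backend login"',
    'add rewrite action rw_act_hsts insert_http_header '
    'Strict-Transport-Security "\\"max-age=31536000\\""',
    'add rewrite policy rw_pol_login TRUE rw_act_login',
])

ACTION_RE = re.compile(
    r'^add rewrite action (\S+) insert_http_header Authorization\s.*?'
    r'Basic\s+([A-Za-z0-9+/]+={0,2})', re.IGNORECASE)

def find_static_basic_credentials(conf_text: str) -> list:
    """Report rewrite actions whose inserted Authorization header carries a
    decodable Basic credential. The password itself is never returned."""
    findings = []
    for line in conf_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            continue
        action, token = m.groups()
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append({"action": action, "user": None, "password_recovered": False})
            continue
        user, sep, password = decoded.partition(":")
        findings.append({"action": action, "user": user,
                         "password_recovered": bool(sep and password)})
    return findings

if __name__ == "__main__":
    for finding in find_static_basic_credentials(SAMPLE_CONF):
        print(finding)
```

A finding with `password_recovered` set to true means the configuration file and any backup of it should be handled as a secret, and the header is only protected on the wire if the service to the backend uses SSL.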

 
