NetScaler as SQL Authentication Proxy to Kerberos

Hello everyone,


So I have had this weird but at least very interesting request, where I got a bit stuck now and wanted to know if anyone has ever had an idea like this or knows if it is even remotely possible to achieve.


Request is as follows:

A specific ("self coded") application needs to authenticate to SQL-Server and only supports SQL Authentication and not Windows Integrated.

For security compliance, the target SQL Server does not support SQL Authentication - only Windows Integrated (Kerberos/NTLM Fallback). The customer doesn't want to change this and we tried to figure out if NetScaler can help here.

The idea is: the application connects and authenticates against LB vSrv on NetScaler (with MSSQL protocol) where a db-profile is bound with a KCD-account attached to it. So basically the NetScaler would proxy the authentication, offering SQL auth on the front end to the mentioned application and doing KCD itself towards the backend SQL server.

For reference I have used this article(s):


https://docplayer.net/6873814-Configuration-of-kerberos-constrained-delegation-on-netscaler-revision-history.html (a bit more detailed but more or less the same)


I know that the intention of these articles is a different one, but I hope to use advantages for my purpose.


The only point I am stuck on right now is the frontend authentication. Even though I can create a "database user" on NetScaler (which for me represents SQL User/Auth) I cannot "bind" it to anything. Meaning I cannot tell the NetScaler to accept the credentials of this database user, I can only set a kcd-account in my database profile which I bind to the LB vSrv.

So I'm not sure if it is just not possible to achieve what I want to do or if I am missing something in my thought-process / configuration.

I know this is a special request which probably not many people have experience with and I don't need a "full" solution, I basically just want to know if I am wasting my time trying to achieve the configuration or if it's possible with some configuration adjustments.


Thanks a lot in advance!


Best regards

