Jens Ostkamp Posted May 20, 2021

Hello everyone,

so I have had this weird but at least very interesting request, where I got a bit stuck now, and wanted to know if anyone has ever had an idea like this or knows if it is even remotely possible to achieve.

The request is as follows: A specific ("self coded") application needs to authenticate to SQL Server and only supports SQL Authentication, not Windows Integrated. For security compliance, the target SQL Server does not support SQL Authentication, only Windows Integrated (Kerberos/NTLM fallback). The customer doesn't want to change this, and we tried to figure out if NetScaler can help here.

The idea is: the application connects and authenticates against an LB vSrv on NetScaler (with the MSSQL protocol) where a db-profile is bound with a KCD account attached to it. So basically the NetScaler would proxy the authentication, offering SQL auth on the front end to the mentioned application and doing KCD itself towards the backend SQL Server.

For reference I have used these articles:

https://support.citrix.com/article/CTX202004
https://docplayer.net/6873814-Configuration-of-kerberos-constrained-delegation-on-netscaler-revision-history.html (a bit more detailed but more or less the same)

I know that the intention of these articles is a different one, but I hope to use their advantages for my purpose.

The only point where I am stuck right now is the frontend authentication. Even though I can create a "database user" on NetScaler (which for me represents SQL User/Auth), I cannot "bind" it to anything. Meaning I cannot tell the NetScaler to accept the credentials of this database user; I can only set a KCD account in my database profile, which I bind to the LB vSrv. So I'm not sure if it is just not possible to achieve what I want to do or if I am missing something in my thought process / configuration.

I know this is a special request that probably not many people have experience with, and I don't need a "full" solution. I basically just want to know if I am wasting my time trying to achieve the configuration or if it's possible with some configuration adjustments.

Thanks a lot in advance!

Best regards,
Jens