
ADC VPX Kerberos Cache issue




I've got a problem with the Kerberos cache in an ADC VPX appliance.

We've got an LB for a single server. This LB has an authentication policy pointing to an AAA server with 401-based authentication. This AAA has a session policy with a KCD account.

The application behind the LB needs "negotiate" authentication. 


Everything works fine: the AAA sends a 401 to the client, it responds, and the session policy successfully authenticates the user against the service behind the LB.


Now the problem: Sometimes the authentication won't work after it worked for a while. I have to submit


 nsapimgr_wr.sh -ys call=ns_aaa_flush_kerberos_tickets


after that everything works as expected. I can't find any problem in the ns.log.


Is there a way to autopurge those tickets? Or any other idea?


Best regards





  • 1 month later...

For everyone trying to figure that out:

We found that while the NetScaler is trying to get the Kerberos ticket, it doesn't seem to obey its AD site and just picks one entry from DNS for its DC.

We forced the NetScaler with

add dns srvRec _kerberos._tcp.vlab.ctx dc.vlab.ctx -priority 0 -weight 100 -port 88

to a DC in its site, and everything started working perfectly.
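
Added example, not part of the original posts: a shell check that compares the domain-wide `_kerberos._tcp` SRV answer with the AD site-specific one and lists the KDCs a resolver could hand out that are not in the appliance's site. The site name, the hosts dc2 and dc3 and the sample answers are constructed; the `_sites.dc._msdcs` name is the standard AD site-specific SRV location.

```shell
#!/bin/sh
# Added example: list KDCs that the domain-wide Kerberos SRV lookup returns
# but the AD site-specific lookup does not.
DOMAIN="vlab.ctx"                 # domain from the thread
SITE="Default-First-Site-Name"    # assumption: replace with the appliance's AD site

# off_site_kdcs DOMAIN_WIDE_ANSWER SITE_ANSWER
# Both arguments are `dig +short SRV` output: "priority weight port target."
# Prints "host:port" for every target that is only in the domain-wide answer.
off_site_kdcs() {
  printf '%s\n---\n%s\n' "$2" "$1" | awk '
    $0 == "---" { domain_wide = 1; next }
    NF != 4     { next }                      # skip anything that is not an SRV line
    { host = tolower($4); sub(/\.$/, "", host); key = host ":" $3 }
    !domain_wide { in_site[key] = 1; next }   # first part: site-local KDCs
    !(key in in_site) && !seen[key]++ { print key }'
}

# Live check (needs dig and the same resolvers the appliance uses); not run by default.
check_live() {
  off_site_kdcs \
    "$(dig +short SRV "_kerberos._tcp.${DOMAIN}")" \
    "$(dig +short SRV "_kerberos._tcp.${SITE}._sites.dc._msdcs.${DOMAIN}")"
}

# Constructed sample answers; dc2 and dc3 are made-up hosts in other sites.
SAMPLE_DOMAIN_WIDE='0 100 88 dc.vlab.ctx.
0 100 88 dc2.vlab.ctx.
0 100 88 DC3.vlab.ctx.'
SAMPLE_SITE='0 100 88 dc.vlab.ctx.'

echo "KDCs outside site ${SITE}:"
off_site_kdcs "$SAMPLE_DOMAIN_WIDE" "$SAMPLE_SITE"
```

A non-empty list means a plain SRV lookup can land on a DC outside the site, which is the situation the pinned `srvRec` above avoids.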



