
Netscaler Cross Forest Kerberos Delegation possible?



Hi all. I am currently working as an Azure Consultant for a customer, and they are running into problems with their Netscaler, using it for Kerberos Cross Forest Delegation for authentication to Exchange 2016.

The setup is very special, so I tried to add a scheme to this post to hopefully make it a little bit clearer.

Basic setup is as follows:

- there are 2 AD forests (no Subdomains) DomainA.com and DomainB.com

- DomainB is the Resource Forest, where Exchange 2016 is also placed

- DomainA is the User Forest where all user objects are. The Exchange mailboxes are linked mailboxes to the user accounts from DomainA.

- DomainControllers are all Server 2019, Domain and Forest Functional Levels are Windows Server 2016. Current patches from Microsoft are installed on all DCs (including the second November CU that fixed Kerberos)

- Exchange in DomainB has multiple CAS servers that are Kerberos enabled using an ASA account (according to Microsoft's documentation). That setup is up and working.

- A loadbalancer is placed in front of the CAS servers, all SPNs for Exchange URLs are set up in Forest DomainB (as shown on the scheme)

- Netscaler is placed in the DMZ, has a virtual service enabled and a Kerberos Service Account located in the User Forest (DomainA). That Netscaler can only communicate with the loadbalancer in front of the Exchange servers and with the DomainController of DomainA on Kerberos port tcp/88

- Kerberos Service Account (svcKerberos) has an SPN set in the user domain: host/svcKerberos.domainA.com

- Additionally, the Kerberos Service Account (svcKerberos) has the right to authenticate on the Exchange ASA object and has also been set as "PrincipalAllowedToDelegateTo" for the Exchange ASA object

- Netscaler is enabled for using Azure for Authentication. That part is working fine.

 

So, what we configured on Netscaler for Kerberos:

According to the Citrix documentation, we configured a KDC Account using the Kerberos Service User from DomainA.

As Realm we used DOMAINA.COM.

As Enterprise Realm we used DOMAINB.COM.

 

What we want to have:

An external user opens the URL bound to the Netscaler virtual service. The user gets redirected to Azure to authenticate, and then Netscaler shall use that authentication info to pass it on to Exchange (OWA).

Azure authentication is working fine.

 

Now we are just getting a "Malformed Representation of Principal" error from Kerberos when trying to access the Netscaler URL after the user has successfully authenticated against Azure. Netscaler only displays a 401 page.

 

The Error log is attached. Maybe anyone can tell if this should work and what we may have missed in our configuration to get things working.

Thank you!

Mon Dec  6 17:08:48 2021
nskrb.c[2358]: nskrb_accept PARENT: 1 children spawned
Mon Dec  6 17:08:48 2021
nskrb.c[2351]: nskrb_accept CHILD: started, processing AAA request
Mon Dec  6 17:08:48 2021
nskrb.c[577]: ns_process_kcd_req username is fa5a0ff5-1497-778f
Mon Dec  6 17:08:48 2021
nskrb.c[581]: ns_process_kcd_req user_realm is DOMAINA.COM, user_realmlen is 17
Mon Dec  6 17:08:48 2021
nskrb.c[587]: ns_process_kcd_req svc is preowa.domain.com
Mon Dec  6 17:08:48 2021
nskrb.c[590]: ns_process_kcd_req gethostbyname succeeded, cname lookup resulted in hostname preowa.domain.com
Mon Dec  6 17:08:48 2021
nskrb.c[599]: ns_process_kcd_req realm is DOMAINA.COM, realmlen is 17
Mon Dec  6 17:08:48 2021
nskrb.c[605]: ns_process_kcd_req delegated_user len is 13 value is svcKerberos
Mon Dec  6 17:08:48 2021
nskrb.c[611]: ns_process_kcd_req password provided, len 89
Mon Dec  6 17:08:48 2021
nskrb.c[627]: ns_process_kcd_req enterprise realm is DOMAINB.COM
Mon Dec  6 17:08:48 2021
nskrb.c[687]: ns_process_kcd_req using enterprise username fa5a0ff5-1497-778f@DOMAINA.COM@DOMAINB.COM
Mon Dec  6 17:08:48 2021
nskrb.c[692]: ns_process_kcd_req MD5 fa5a0ff5-1497-778fDOMAINA.COMsvcKerberosDOMAINA.COM for s4u cache filename
Mon Dec  6 17:08:48 2021
nskrb.c[704]: ns_process_kcd_req MD5 fa5a0ff5-1497-778fDOMAINA.COMpreowa.domain.comDOMAINA.COM for tgs cache filename
Mon Dec  6 17:08:48 2021
nskrb.c[718]: ns_process_kcd_req MD5 svcKerberosDOMAINA.COM for tgt cache filename
Mon Dec  6 17:08:48 2021
nskrb.c[724]: ns_process_kcd_req tgt ticket cachename is /var/krb/tgt_0_3dec786b1eec36a101f9886fcc7824e7
Mon Dec  6 17:08:48 2021
nskrb.c[725]: ns_process_kcd_req s4u cachename is /var/krb/s4u_0_0664aadbaac403d43c6cafe30b0027c1
Mon Dec  6 17:08:48 2021
nskrb.c[726]: ns_process_kcd_req tgs cachename is /var/krb/tgs_0_8088acbb0004572b261b18e4705be9b7
Mon Dec  6 17:08:48 2021
nskrb.c[728]: ns_process_kcd_req Attempting TGT with svcKerberos@DOMAINA.COM, outcache /var/krb/tgt_0_3dec786b1eec36a101f9886fcc7824e7
Mon Dec  6 17:08:48 2021
nskrb.c[1578]: ns_kinit got TGT in cache, kinit returning
Mon Dec  6 17:08:48 2021
nskrb.c[742]: ns_process_kcd_req delegated usernames for cross realm - w-domain: svcKerberos.DOMAINA.COM, wo-domain svcKerberos
Mon Dec  6 17:08:48 2021
nskrb.c[748]: ns_process_kcd_req tgt cachename for cross realm between DOMAINA.COM and DOMAINA.COM is
Mon Dec  6 17:08:48 2021
nskrb.c[757]: ns_process_kcd_req Attempting cross realm TGT for krbtgt/DOMAINA.COM@DOMAINA.COM to store in /var/krb/tgt_x_0_41b8a0cd5327823915470103cab332f2    # Cross-realm TGT!
Mon Dec  6 17:08:48 2021
nskrb.c[758]: ns_process_kcd_req Cross realm TGT command is: nskrb kgetcred -c /var/krb/tgt_0_3dec786b1eec36a101f9886fcc7824e7 --out-cache=/var/krb/tgt_x_0_41b8a0cd5327823915470103cab332f2 krbtgt/DOMAINA.COM@DOMAINA.COM
Mon Dec  6 17:08:48 2021
nskrb.c[1962]: ns_kgetcred kgetcred cache file /var/krb/tgt_x_0_41b8a0cd5327823915470103cab332f2  contains ticket for krbtgt/DOMAINA.COM@DOMAINA.COM  # Cross-realm TGT erhalten!
Mon Dec  6 17:08:48 2021
nskrb.c[362]: nskrb_userrealm_is_parent_of_servicerealm user realm DOMAINA.COM, service realm DOMAINA.COM, strstr 0x801425059, len(p) 16, len(user_realm) 16
Mon Dec  6 17:08:48 2021
nskrb.c[801]: ns_process_kcd_req Attempting cross realm intermediary TGS bottom-up (user's tree) for host/svcKerberos.DOMAINA.COM@DOMAINA.COM, input cache /var/krb/tgt_x_0_41b8a0cd5327823915470103cab332f2, outcache is /var/krb/tgt_x_0_41b8a0cd5327823915470103cab332f2_DOMAINA.COM
Mon Dec  6 17:08:48 2021
nskrb.c[803]: ns_process_kcd_req Cross realm intermediary TGS command (user's tree) is: nskrb kgetcred -c /var/krb/tgt_x_0_41b8a0cd5327823915470103cab332f2 --out-cache=/var/krb/tgt_x_0_41b8a0cd5327823915470103cab332f2_DOMAINA.COM --impersonate=fa5a0ff5-1497-778f@DOMAINA.COM@DOMAINB.COM host/svcKerberos.DOMAINA.COM@DOMAINA.COM
Mon Dec  6 17:08:48 2021
nskrb.c[1935]: ns_kgetcred krb5_parse_name for fa5a0ff5-1497-778f@DOMAINA.COM@DOMAINB.COM returned -1765328250
Mon Dec  6 17:08:48 2021
nskrb.c[806]: ns_process_kcd_req Error obtaining cross realm s4u2self ticket in service's tree for fa5a0ff5-1497-778f@DOMAINA.COM@DOMAINB.COM

 

[Attachment: CrossForestKerberosSetup.jpg (the scheme referenced above)]

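The krb5_parse_name return value in the log, -1765328250, is KRB5_PARSE_MALFORMED, whose message text is the same "Malformed representation of principal" the browser shows. The parser below is an added example (editor's code, not from the thread or from NetScaler's nskrb) that applies the principal-string rules the C Kerberos libraries use, to show why a name with two unescaped '@' separators fails under normal parsing but parses as an enterprise principal or with the first '@' escaped.

```python
# Added example (editor's code, not from the thread or NetScaler's nskrb): a
# minimal Kerberos principal-string parser with the separator rules the C
# libraries use, so the two-'@' name from the log can be tried both ways.
# Value of KRB5_PARSE_MALFORMED ("Malformed representation of principal"),
# the code ns_kgetcred printed in the log.
KRB5_PARSE_MALFORMED = -1765328250

class MalformedPrincipal(ValueError):
    """Raised where krb5_parse_name would return KRB5_PARSE_MALFORMED."""

def parse_principal(text, enterprise=False):
    """Split 'comp1/comp2@REALM' into (components, realm): '/' separates
    components, the first unescaped '@' starts the realm and nothing may
    follow it (a literal '@' inside a component is written '\\@').  With
    enterprise=True (NT-ENTERPRISE names such as UPNs) the first unescaped
    '@' stays in the name and the next one starts the realm."""
    components, cur, in_realm, keep_first_at = [], [], False, enterprise
    i = 0
    while i < len(text):
        c = text[i]
        i += 1
        if c == "\\":  # backslash escape: next character is taken literally
            if i >= len(text):
                raise MalformedPrincipal("trailing backslash")
            cur.append(text[i])
            i += 1
        elif c == "@" and keep_first_at:  # enterprise: '@' is part of the name
            keep_first_at = False
            cur.append(c)
        elif c in "/@":
            if in_realm:  # '/' or a second '@' after the realm has begun
                raise MalformedPrincipal("part after realm in principal name")
            components.append("".join(cur))
            cur = []
            in_realm = c == "@"
        else:
            cur.append(c)
    if not in_realm:  # no realm given; a library would use the default realm
        return components + ["".join(cur)], None
    if not cur:
        raise MalformedPrincipal("empty realm")
    return components, "".join(cur)

def parse_result(text, enterprise=False):
    """Return (components, realm), or the krb5 error code as nskrb logs it."""
    try:
        return parse_principal(text, enterprise)
    except MalformedPrincipal:
        return KRB5_PARSE_MALFORMED
```

Run against the strings from the log, the service principal host/svcKerberos.DOMAINA.COM@DOMAINA.COM parses cleanly, while fa5a0ff5-1497-778f@DOMAINA.COM@DOMAINB.COM yields -1765328250 unless parsed with enterprise=True.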

Hi Daniel,

 

Let's check a few things for Kerberos:

 

- Which ADC firmware version are you using?

- Is the Exchange server bound to the ADC configured by FQDN or IP?

- Is DNS configured on your ADC with DNS UDP+TCP?

- Are the NSIP and SNIP of the ADC able to communicate with the DCs via 88 TCP and 88 UDP?

- Is the AAA traffic policy configured for OWA Kerberos SSO getting hits?

- Is the command nskrb klist -c S4UXXX showing correct UPNs of the users?

 

There is a similar one in https://discussions.citrix.com/topic/401449-kerberos-cross-realm-authentication-not-working-for-subdomain/ 

 

Best Regards

Julian
