Howto setup Kerberos instead of LDAP with Netscaler Gateway

[Sabine Ludewig1709156713]

Hi there

we would like o use Netscaler Gateway with Kerberos Authentication instead of LDAP and I'm looking for the right documentation.

I'm a bit confused by the variuos methods (Delegation, Impersonation, Contrained delegation).

Would this be the correct way https://support.citrix.com/article/CTX236593/how-to-configure-netscaler-gateway-for-kerberos-constrained-delegation ?

Thanks

 

[Marion Bauer1709159214]

Hi,
if you are doing Kerberos Authentication you need to delegate the authentication to netscaler gateway and implement Citrix FAS to get the SSO Experience to the Desktop.

Kerberos Constraint Delegations works perfectly for websites.

Cause in case of kerberos Auth at the citrix gateway netscaler doesn't know the users password and therefore can't pass it on to storefront. You still can list the applications in storefront (if Trust Requests sent to XML Service is set to true and the Authentication in Storefront is delegated to netscaler) but starting a desktop/Application will result in a Login Prompt.

In Kerberos Constraint Delegation was used with XenApp 6.5 (don't know exactly how) and since 7.x there is Citrix FAS.

 

Best Regards,

Marion