Kerberos constrained delegation stops working

[Stefan Wendrich1709160263]

Hi,

we use an internal vserver to do kerberos constrained delegation for active sync clients against exchange 2016. This works well, the most of the time.

But without an explanation, the service stops working. The only way to fix it, to disable the vserver, wait 15 minutes and enables the vserver again. Then all is good.

 

Has someone any idea what the problem could be?

At the moment we have NS13.1 49.13.nc running, but the error has existed since some older versions.

[Jens Ostkamp]

6 hours ago, Stefan Wendrich1709160263 said:

Hi,

we use an internal vserver to do kerberos constrained delegation for active sync clients against exchange 2016. This works well, the most of the time.

But without an explanation, the service stops working. The only way to fix it, to disable the vserver, wait 15 minutes and enables the vserver again. Then all is good.

 

Has someone any idea what the problem could be?

At the moment we have NS13.1 49.13.nc running, but the error has existed since some older versions.

 

Could be a lot. Kerberos in general is DNS and time dependant. Check if your Appliance can resolve all necessary dns-records and if system time fits "real" time

[Stefan Wendrich1709160263]

We did a packet trace and cannot see any packets coming from the ipad. After we disable the vserver, wait 15 minutes and enable it again. it works.

For my understanding, the adc doesnt acknowledge the tcp packets from the ipad.

 

The question, how can i troubleshoot this?

[Stefan Wendrich1709160263]

It’s a lot stranger. At the time where we don’t see any packets in the dump started on the netscaler, we started a trace on our access point. There we see packets coming from the adc. Much rst ack packets, out of order or fast retransmits. Also encryption alert packages. 
 

I suspect something with the tcp stack of the netscaler.