Kerberos Constrained Delegation Not working


Solved by Thomas Rens Vermeulen

I want to use Kerberos Constrained Delegation (KCD) for our SharePoint site; sadly it is not working.
The reason to use KCD is that we want to use OAuth for the first factor; after that we need SSO to the SharePoint site via KCD.
We are forced to use KCD because the username and password are not known on the NetScaler.

 

I followed the following articles:

Tutorial: Microsoft Entra single sign-on integration with Citrix ADC SAML Connector for Microsoft Entra ID (Kerberos-based authentication) - Microsoft Entra ID | Microsoft Learn

https://support.citrix.com/article/CTX236593/how-to-configure-netscaler-gateway-for-kerberos-constrained-delegation

ERROR WireShark (screenshot in the original post)

ERROR EVENT LOG ON DOMAIN CONTROLLER

Failure code 0x6: Client not found in Kerberos database (bad user name, or new computer/user account has not replicated to DC yet)

A Kerberos service ticket was requested.
 
Account Information:
	Account Name:		appdelegation@HOSTED.LOCAL
	Account Domain:		IDENTT.WORK 
	Logon GUID:		{00000000-0000-0000-0000-000000000000}
 
Service Information:
	Service Name:		appdelegation
	Service ID:		NULL SID
 
Network Information:
	Client Address:		::ffff:NSIP
	Client Port:		35261
 
Additional Information:
	Ticket Options:		0x40800000
	Ticket Encryption Type:	0xFFFFFFFF
	Failure Code:		0x6
	Transited Services:	-

Architecture:

In this example I use the following names (real names are different):

IDENTT.WORK is the domain FQDN.
identt is the domain NetBIOS name.
appdelegation is the delegation user account name.

Content Switching Server with two FQDN's:

portal.sharepoint.com
auth.sharepoint.com

--> Portal has Form Based Authentication ON and points to an AAA vServer with an OAuth configuration.

After OAuth authentication has finished successfully, the user is redirected to portal.sharepoint.com.
portal.sharepoint.com is a load balancing vserver with the SharePoint backend (behind the content switch).
On the load balancing vserver the following policies are configured to realise the SSO via KCD (screenshots in the original post).

AD CONFIGURATION

  • IIS is set up to use delegation (I see the WWW-Authenticate header).
  • SPN set up with the following command:
    • setspn -S HOST/appdelegation.IDENTT.WORK identt\appdelegation
  • NetScaler KCD account (screenshot in the original post).

Edited by Thomas Rens Vermeulen

Some things to add here from my side:
- KCD account config on NS: only use the Realm and Delegated User, leave User Realm and Service SPN blank.

- Is your SharePoint server on your load balancer on NetScaler bound with FQDN or IP? Use FQDN for Kerberos to work.

- Is the SNIP able to reach your domain controllers via 88 TCP and 88 UDP?

The delegation in your AD / SPN looks correct.

1 hour ago, Petr Lenz1709156340 said:

Do you extract the correct username field from the OAuth authentication? The NetScaler should look for the user account in the AD during the Kerberos delegation, not the service account.

Hi, thanks for your answer, you have a valid point here!

But how do I extract the correct username field?
How do I pull this from my OAuth claim and add it to the traffic policy?

1 hour ago, Julian Jakob said:

Some things to add here from my side:
- KCD account config on NS: only use the Realm and Delegated User, leave User Realm and Service SPN blank.

- Is your SharePoint server on your load balancer on NetScaler bound with FQDN or IP? Use FQDN for Kerberos to work.

- Is the SNIP able to reach your domain controllers via 88 TCP and 88 UDP?

The delegation in your AD / SPN looks correct.

Thanks!

- KCD account config on NS, only use the Realm and Delegated User, leave User Realm and Service SPN blank --> Just did, still not working.
- Is your SharePoint server on your load balancer on NetScaler bound with FQDN or IP? Use FQDN for Kerberos to work --> Indeed, I saw in the trace that the NetScaler uses the server name to look up SRV records. I just added the server as an FQDN.
- Is the SNIP able to reach your domain controllers via 88 TCP and 88 UDP? --> Yes, this was an issue but it has been resolved.

I just set up a lab environment with IIS to replicate the issue.

IIS has Negotiate and NTLM on; for domain-joined machines SSO to IIS is working.
I set up an LB vserver with IIS behind it. I also set up an AAA vServer with basic local authentication (AAA user created on the NetScaler).
I bound a session policy to the AAA vserver with SSO ON and the KCD account. I get a different result back from IIS:
 

Not Authorized

HTTP Error 401. The requested resource requires user authentication.

 

The Kerberos part seems to be working. Is this because I'm not impersonating the AAA user? Any idea how I can configure this?
I manually requested a TGT and that worked:

root@netscaler14# nskrb kinit --password=<pass> svc_KDC@ITPROOF.LOCAL
root@netscaler14# nskrb klist -c /tmp/krb5cc_0
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: svc_KDC@ITPROOF.LOCAL

  Issued                Expires               Principal
Apr 23 11:53:28 2024  Apr 23 21:53:28 2024  krbtgt/ITPROOF.LOCAL@ITPROOF.LOCAL

root@netscaler14# nskrb kgetcred -c /tmp/krb5cc_0 http/dc01.ITPROOF.LOCAL@ITPROOF.LOCAL
root@netscaler14# nskrb klist -c /tmp/krb5cc_0

Credentials cache: FILE:/tmp/krb5cc_0
        Principal: svc_KDC@ITPROOF.LOCAL

  Issued                Expires               Principal
Apr 23 11:53:28 2024  Apr 23 21:53:28 2024  krbtgt/ITPROOF.LOCAL@ITPROOF.LOCAL
Apr 23 11:54:10 2024  Apr 23 21:53:28 2024  http/dc01.ITPROOF.LOCAL@ITPROOF.LOCAL

root@netscaler14# nskrb kgetcred -c /tmp/krb5cc_0 --out-cache=/tmp/imper_cache --impersonate=thomas@ITPROOF.LOCAL svc_KDC@ITPROOF.LOCAL
root@netscaler14# nskrb klist -c /tmp/imper_cache

Credentials cache: FILE:/tmp/imper_cache
        Principal: thomas@ITPROOF.LOCAL

  Issued                Expires               Principal
Apr 23 11:56:25 2024  Apr 23 21:53:28 2024  svc_KDC@ITPROOF.LOCAL

root@netscaler14# /netscaler/nskrb kgetcred --delegation-credential-cache=/tmp/imper_cache --out-cache=/tmp/kcd_cache http/dc01.itproof.local
root@netscaler14# nskrb klist

Credentials cache: FILE:/tmp/krb5cc_0
        Principal: svc_KDC@ITPROOF.LOCAL

  Issued                Expires               Principal
Apr 23 11:53:28 2024  Apr 23 21:53:28 2024  krbtgt/ITPROOF.LOCAL@ITPROOF.LOCAL
Apr 23 11:54:10 2024  Apr 23 21:53:28 2024  http/dc01.ITPROOF.LOCAL@ITPROOF.LOCAL


CONFIG TEST LAB (screenshots in the original post):

KCD account
LB vserver / AAA vserver binding
Server (added with FQDN)
Session policy bound to the AAA vserver

On 4/23/2024 at 12:35 PM, Thomas Rens Vermeulen said:

Hi, thanks for your answer, you have a valid point here!

But how do I extract the correct username field?
How do I pull this from my OAuth claim and add it to the traffic policy?

Can you share some information about the OAuth config? Is NetScaler the OAuth SP and Entra ID (or another IdP) your IdP? If so, in the OAuth Action there is a User Name Field where you can use preferred_username, which is the logon name the user types into Entra ID and which gets sent to NetScaler.

(screenshot of the OAuth Action in the original post)

I made two traces: one from the NetScaler where KCD is not working and one from a domain-joined machine where it is working.

Netscaler uses:
etype: eTYPE-ARCFOUR-HMAC-MD5 (23)


domain joined machine uses:
etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)

 

Could this be the issue?

NOTWORKING NETSCALER TRACE

Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: portal.itproof.local\r\n
    Connection: keep-alive\r\n
    Upgrade-Insecure-Requests: 1\r\n
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n
    Sec-Fetch-Site: cross-site\r\n
    Sec-Fetch-Mode: navigate\r\n
    Sec-Fetch-User: ?1\r\n
    Sec-Fetch-Dest: document\r\n
    sec-ch-ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"\r\n
    sec-ch-ua-mobile: ?0\r\n
    sec-ch-ua-platform: "Windows"\r\n
    Accept-Encoding: gzip, deflate, br, zstd\r\n
    Accept-Language: nl-NL,nl;q=0.9\r\n
     [truncated]Authorization:       Negotiate YIIG+AYGKwYBBQUCoIIG7DCCBuigMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBrIEggauYIIGqgYJKoZIhvcSAQICAQBuggaZMIIGlaADAgEFoQMCAQ6iBwMFAAAAAACjggWEYYIFgDCCBXygAwIBBaEPGw1JVFB
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 4 items
                        MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        MechType: 1.3.6.1.4.1.311.2.2.30 (NEGOEX - SPNEGO Extended Negotiation Security Mechanism)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 608206aa06092a864886f71201020201006e82069930820695a003020105a10302010ea2…
                    krb5_blob: 608206aa06092a864886f71201020201006e82069930820695a003020105a10302010ea2…
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                        Kerberos
                            ap-req
                                pvno: 5
                                msg-type: krb-ap-req (14)
                                Padding: 0
                                ap-options: 00000000
                                ticket
                                    tkt-vno: 5
                                    realm: ITPROOF.LOCAL
                                    sname
                                        name-type: kRB5-NT-PRINCIPAL (1)
                                        sname-string: 2 items
                                            SNameString: HTTP
                                            SNameString: ddc01.itproof.local
                                    enc-part
                                        etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                        kvno: 2
                                        cipher: 3759354f9abd9821da3bfadcd3f54a08f64ac7eb35afab7d7499bd783209de9297b4397c…
                                authenticator
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    cipher: 7414248740c43489f52e4e8875acb07bd3b689acebab28cf830f164fd3e4e69ff01ef2ae…
    \r\n
response:
Hypertext Transfer Protocol
    HTTP/1.1 401 Unauthorized\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 401 Unauthorized\r\n]
            [HTTP/1.1 401 Unauthorized\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Response Version: HTTP/1.1
        Status Code: 401
        [Status Code Description: Unauthorized]
        Response Phrase: Unauthorized
    Content-Type: text/html\r\n
    Server: Microsoft-IIS/10.0\r\n
    WWW-Authenticate: Negotiate oYGOMIGLoAMKAQGhCwYJKoZIgvcSAQIConcEdWBzBgkqhkiG9xIBAgIDAH5kMGKgAwIBBaEDAgEepBEYDzIwMjQwNDI4MTIyMzAzWqUFAgMFEFqmAwIBPKkPGw1JVFBST09GLkxPQ0FMqhMwEaADAgEBoQowCBsGRERDMDEkrBEEDzANoQMCAQGiBgQEagAAwA==\r\n
        GSS-API Generic Security Service Application Program Interface
            Simple Protected Negotiation
                negTokenTarg
                    negResult: accept-incomplete (1)
                    supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                    responseToken: 607306092a864886f71201020203007e643062a003020105a10302011ea411180f323032…
                    krb5_blob: 607306092a864886f71201020203007e643062a003020105a10302011ea411180f323032…
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_ERROR (0x0003)
                        Kerberos
                            krb-error
                                pvno: 5
                                msg-type: krb-error (30)
                                stime: Apr 28, 2024 14:23:03.000000000 West-Europa (zomertijd)
                                susec: 331866
                                error-code: eRR-GENERIC (60)
                                realm: ITPROOF.LOCAL
                                sname
                                    name-type: kRB5-NT-PRINCIPAL (1)
                                    sname-string: 1 item
                                        SNameString: DDC01$
                                e-data: 300da103020101a20604046a0000c0
    WWW-Authenticate: NTLM\r\n
    Date: Sun, 28 Apr 2024 12:23:03 GMT\r\n
    Content-Length: 1293\r\n
        [Content length: 1293]
    \r\n
    [HTTP response 2/2]
    [Time since request: 0.172883393 seconds]
    [Prev request in frame: 6046]
    [Prev response in frame: 6096]
    [Request in frame: 6099]
    [Request URI: http://portal.itproof.local/]
    File Data: 1293 bytes
Line-based text data: text/html (29 lines)
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r\n
    <html xmlns="http://www.w3.org/1999/xhtml">\r\n
    <head>\r\n
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>\r\n
    <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>\r\n
    <style type="text/css">\r\n
    <!--\r\n
    body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\r\n
    fieldset{padding:0 15px 10px 15px;} \r\n
    h1{font-size:2.4em;margin:0;color:#FFF;}\r\n
    h2{font-size:1.7em;margin:0;color:#CC0000;} \r\n
    h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \r\n
    #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;\r\n
    background-color:#555555;}\r\n
    #content{margin:0 0 0 2%;position:relative;}\r\n
    .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\r\n
    -->\r\n
    </style>\r\n
    </head>\r\n
    <body>\r\n
    <div id="header"><h1>Server Error</h1></div>\r\n
    <div id="content">\r\n
     <div class="content-container"><fieldset>\r\n
      <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>\r\n
      <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>\r\n
     </fieldset></div>\r\n
    </div>\r\n
    </body>\r\n
    </html>\r\n

WORKING WORKSTATION TRACE

Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: ddc01.itproof.local\r\n
    Connection: keep-alive\r\n
     [truncated]Authorization: Negotiate YIIHYQYGKwYBBQUCoIIHVTCCB1GgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBxsEggcXYIIHEwYJKoZIhvcSAQICAQBuggcCMIIG/qADAgEFoQMCAQ6iBwMFACAAAACjggUyYYIFLjCCBSqgAwIBBaEPGw1JVFBST09GLk
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 4 items
                        MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        MechType: 1.3.6.1.4.1.311.2.2.30 (NEGOEX - SPNEGO Extended Negotiation Security Mechanism)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken [truncated]: 6082071306092a864886f71201020201006e820702308206fea003020105a10302010ea20703050020000000a38205326182052e3082052aa003020105a10f1b0d495450524f4f462e4c4f43414ca2263024a003020102a11d301b1b04485454501b1364646330312e697470
                    krb5_blob [truncated]: 6082071306092a864886f71201020201006e820702308206fea003020105a10302010ea20703050020000000a38205326182052e3082052aa003020105a10f1b0d495450524f4f462e4c4f43414ca2263024a003020102a11d301b1b04485454501b1364646330312e697470
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                        Kerberos
                            ap-req
                                pvno: 5
                                msg-type: krb-ap-req (14)
                                Padding: 0
                                ap-options: 20000000
                                    0... .... = reserved: False
                                    .0.. .... = use-session-key: False
                                    ..1. .... = mutual-required: True
                                ticket
                                    tkt-vno: 5
                                    realm: ITPROOF.LOCAL
                                    sname
                                        name-type: kRB5-NT-SRV-INST (2)
                                        sname-string: 2 items
                                            SNameString: HTTP
                                            SNameString: ddc01.itproof.local
                                    enc-part
                                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                        kvno: 2
                                        cipher [truncated]: acf43e83a4f93fd8a7550332360204ee878fe4f89482b9e96fae934bd8d7f0eb2cb80dea11d0c0e3749ddc7e168fdbd815f5d5d8c1892228dc1ab38ee0ccf5d6c5952f8373d14d05c453e419e634afc884190b0a3e1f64e3ff71d3165a5e54056be5ec6d0a41e7f511bd9267ed7
                                authenticator
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    cipher [truncated]: d0d3e979dcb915452e7f597ad1ba9538a5d5c97fac091162449fc85bd588f8f6cec15bb431ac382aa03dc277045c489dd162367b27339534d75362a93e19893857817fcf4b31ed3d7cd1f4a9ef00f2f77add8b42c2b516ca85534e08d372f6a7eaab2c1642c2ca5cd933d93e263
    Upgrade-Insecure-Requests: 1\r\n
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7\r\n
    If-None-Match: "a37faf915e99da1:0"\r\n
    If-Modified-Since: Sun, 28 Apr 2024 11:24:01 GMT\r\n
    \r\n
response:
Hypertext Transfer Protocol
    HTTP/1.1 304 Not Modified\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 304 Not Modified\r\n]
            [HTTP/1.1 304 Not Modified\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Response Version: HTTP/1.1
        Status Code: 304
        [Status Code Description: Not Modified]
        Response Phrase: Not Modified
    Accept-Ranges: bytes\r\n
    ETag: "a37faf915e99da1:0"\r\n
    Server: Microsoft-IIS/10.0\r\n
     [truncated]WWW-Authenticate: Negotiate oYG2MIGzoAMKAQChCwYJKoZIgvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARu2LTvAi0Wv6yLPJ5oPvYLKj99RolXw39gLYrTZmHTj5O1YRwbs5pJKoiMXsMOYnmXUk/ho3Avw4U6+X7R5yVAhQ94rX2aFhk9NjW
        GSS-API Generic Security Service Application Program Interface
            Simple Protected Negotiation
                negTokenTarg
                    negResult: accept-completed (0)
                    supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                    responseToken [truncated]: 60819806092a864886f71201020202006f8188308185a003020105a10302010fa2793077a003020112a270046ed8b4ef022d16bfac8b3c9e683ef60b2a3f7d468957c37f602d8ad36661d38f93b5611c1bb39a492a888c5ec30e627997524fe1a3702fc3853af97ed1e7
                    krb5_blob [truncated]: 60819806092a864886f71201020202006f8188308185a003020105a10302010fa2793077a003020112a270046ed8b4ef022d16bfac8b3c9e683ef60b2a3f7d468957c37f602d8ad36661d38f93b5611c1bb39a492a888c5ec30e627997524fe1a3702fc3853af97ed1e72540
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_AP_REP (0x0002)
                        Kerberos
                            ap-rep
                                pvno: 5
                                msg-type: krb-ap-rep (15)
                                enc-part
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    cipher: d8b4ef022d16bfac8b3c9e683ef60b2a3f7d468957c37f602d8ad36661d38f93b5611c1bb39a492a888c5ec30e627997524fe1a3702fc3853af97ed1e72540850f78ad7d9a16193d3635b2a9e9ebfc1b6c20f62e800a6ff9c52b7c9a7558ee746a9cb5b63b8c35f6d5df89b236d3
    Persistent-Auth: true\r\n
    Date: Sun, 28 Apr 2024 12:25:47 GMT\r\n
    \r\n
    [HTTP response 2/4]
    [Time since request: 0.171066000 seconds]
    [Prev request in frame: 236]
    [Prev response in frame: 256]
    [Request in frame: 261]
    [Next request in frame: 313]
    [Next response in frame: 343]
    [Request URI: http://ddc01.itproof.local/]



Below are all the settings

Windows AD Settings:

setspn -l itproof\kcduser
Registered ServicePrincipalNames for CN=kcduser kcduser,OU=Users,OU=ITProof,DC=itproof,DC=local:
        http/portal.itproof.local

dc01.itproof.local is the IIS server; this is also the domain controller.

DNS Record (screenshot in the original post): this points to the LB vserver.

IIS Config (screenshots in the original post): the rest of the settings are default.

Netscaler settings:

#NS14.1 Build 8.50
# Last modified Mon Apr 29 18:48:08 2024
add aaa kcdAccount kcduser -realmStr ITPROOF.LOCAL -delegatedUser kcduser -kcdPassword xxx -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2023_11_10_23_37_02
add server dc01.itproof.local dc01.itproof.local
add serviceGroup lb_sg_iis HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add aaa user thomas -password xxx -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2023_11_10_23_37_02
add authentication authnProfile prof_auth -authnVsName aaa_vsrv -AuthenticationHost auth.itproof.local -AuthenticationDomain itproof.local -AuthenticationLevel 10
add tm trafficAction prof_kcd -SSO ON -persistentCookie OFF -InitiateLogout OFF -kcdAccount kcduser
add authentication localPolicy pol_auth_local ns_true
add authorization policy auth_allow_all true ALLOW
add tm trafficPolicy pol_traffic_kcd true prof_kcd
add lb vserver lb_vs_iis_new_new SSL 192.168.5.172 443 -persistenceType NONE -cltTimeout 180 -Authentication ON -authnProfile prof_auth -redirectFromPort 80 -httpsRedirectUrl "https://portal.itproof.local"
set cache parameter -via "NS-CACHE-10.0: 250"
add authentication vserver aaa_vsrv SSL 192.168.5.171 443
set aaa parameter -maxAAAUsers 1000
bind lb vserver lb_vs_iis_new_new lb_sg_iis
bind lb vserver lb_vs_iis_new_new -policyName pol_traffic_kcd -priority 100 -gotoPriorityExpression END -type REQUEST
add dns nameServer 172.16.1.4
add dns nameServer 172.16.1.4 -type TCP
bind serviceGroup lb_sg_iis dc01.itproof.local 80
bind aaa user thomas -policy auth_allow_all -priority 100 -gotoPriorityExpression END

WireShark (screenshot in the original post); the full trace is in the appendix.

Kerberos errors seen in trace:

    HTTP/1.1 401 Unauthorized\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 401 Unauthorized\r\n]
            [HTTP/1.1 401 Unauthorized\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Response Version: HTTP/1.1
        Status Code: 401
        [Status Code Description: Unauthorized]
        Response Phrase: Unauthorized
    Content-Type: text/html; charset=us-ascii\r\n
    Server: Microsoft-HTTPAPI/2.0\r\n
    WWW-Authenticate: Negotiate oYGNMIGKoAMKAQGhCwYJKoZIgvcSAQIConYEdGByBgkqhkiG9xIBAgIDAH5jMGGgAwIBBaEDAgEepBEYDzIwMjQwNDI5MDgzMTQ1WqUFAgMNceWmAwIBPKkPGw1JVFBST09GLkxPQ0FMqhIwEKADAgEBoQkwBxsFZGMwMSSsEQQPMA2hAwIBAaIGBAQzAQDA\r\n
        GSS-API Generic Security Service Application Program Interface
            Simple Protected Negotiation
                negTokenTarg
                    negResult: accept-incomplete (1)
                    supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                    responseToken: 607206092a864886f71201020203007e633061a003020105a10302011ea411180f323032…
                    krb5_blob: 607206092a864886f71201020203007e633061a003020105a10302011ea411180f323032…
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_ERROR (0x0003)
                        Kerberos
                            krb-error
                                pvno: 5
                                msg-type: krb-error (30)
                                stime: Apr 29, 2024 10:31:45.000000000 West-Europa (zomertijd)
                                susec: 881125
                                error-code: eRR-GENERIC (60)
                                realm: ITPROOF.LOCAL
                                sname
                                    name-type: kRB5-NT-PRINCIPAL (1)
                                    sname-string: 1 item
                                        SNameString: dc01$
                                e-data: 300da103020101a2060404330100c0

nstrace1 (9).cap (attachment)

Edited by Thomas Rens Vermeulen
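Added example, not part of the thread: both IIS 401 responses posted above (the Apr 28 trace and the Apr 29 trace) carry a Kerberos KRB_ERROR inside the SPNEGO token of the WWW-Authenticate header, and Wireshark only shows the e-data field as raw bytes. The Python below decodes such a header with a minimal DER walker and returns the error-code, realm, sname, stime and the NTSTATUS hidden in the KERB-ERROR-DATA. Assumptions that are mine and not stated in the posts: data-type 1 (which Wireshark labels KERB-AP-ERR-TYPE-NTSTATUS) carries a 4-byte little-endian NTSTATUS, and the small name tables hold standard Windows / RFC 4120 values. The two header values are copied verbatim from the traces in this thread; they decode to 0xC000006A (STATUS_WRONG_PASSWORD) for Apr 28 and 0xC0000133 (STATUS_TIME_DIFFERENCE_AT_DC) for Apr 29, the latter matching the clock problem fixed in the accepted solution.

```python
import base64
import struct

# Standard Windows NTSTATUS values worth recognising while debugging KCD (assumed table, not from the thread).
NTSTATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# RFC 4120 Kerberos error codes commonly seen in these traces (assumed table).
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
    60: "KRB_ERR_GENERIC",
}

# WWW-Authenticate values copied from the two IIS 401 responses in this thread (Apr 28 and Apr 29).
IIS_401_APR28 = "Negotiate oYGOMIGLoAMKAQGhCwYJKoZIgvcSAQIConcEdWBzBgkqhkiG9xIBAgIDAH5kMGKgAwIBBaEDAgEepBEYDzIwMjQwNDI4MTIyMzAzWqUFAgMFEFqmAwIBPKkPGw1JVFBST09GLkxPQ0FMqhMwEaADAgEBoQowCBsGRERDMDEkrBEEDzANoQMCAQGiBgQEagAAwA=="
IIS_401_APR29 = "Negotiate oYGNMIGKoAMKAQGhCwYJKoZIgvcSAQIConYEdGByBgkqhkiG9xIBAgIDAH5jMGGgAwIBBaEDAgEepBEYDzIwMjQwNDI5MDgzMTQ1WqUFAgMNceWmAwIBPKkPGw1JVFBST09GLkxPQ0FMqhIwEKADAgEBoQkwBxsFZGMwMSSsEQQPMA2hAwIBAaIGBAQzAQDA"


def read_tlv(buf, pos=0):
    """Parse one DER TLV (single-byte tag, short or long length) at buf[pos].
    Returns (tag, value, next_pos). Every tag in SPNEGO/Kerberos tokens fits in one byte."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """All TLVs directly inside a constructed value, as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def ctx(fields, n):
    """Value of EXPLICIT context-specific tag [n] in a (tag, value) list, or None."""
    for tag, val in fields:
        if tag == 0xA0 | n:
            return val
    return None


def inner(fields, n):
    """The single TLV wrapped by context tag [n] (EXPLICIT tagging adds one layer)."""
    return children(ctx(fields, n))[0][1]


def parse_negotiate_error(header_value):
    """Decode a 'Negotiate <base64>' WWW-Authenticate value that carries a KRB_ERROR.
    Returns None when the token is not a Kerberos error (e.g. a successful AP-REP)."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    tag, neg_resp, _ = read_tlv(token)
    if tag != 0xA1:                         # [1] negTokenResp
        return None
    resp = children(read_tlv(neg_resp)[1])  # NegTokenResp SEQUENCE
    neg_result = inner(resp, 0)[0]          # ENUMERATED: 0 accept-completed, 1 accept-incomplete, 2 reject
    octets = read_tlv(ctx(resp, 2))[1]      # responseToken OCTET STRING
    tag, gss, _ = read_tlv(octets)
    if tag != 0x60:                         # [APPLICATION 0] GSS-API InitialContextToken
        return None
    _, _mech_oid, pos = read_tlv(gss)       # mech OID, 1.2.840.113554.1.2.2 (Kerberos 5)
    if gss[pos:pos + 2] != b"\x03\x00":     # tok_id: 01 00 AP-REQ, 02 00 AP-REP, 03 00 KRB_ERROR
        return None
    tag, krb_error, _ = read_tlv(gss, pos + 2)
    assert tag == 0x7E                      # [APPLICATION 30] KRB-ERROR
    err = children(read_tlv(krb_error)[1])
    error_code = int.from_bytes(inner(err, 6), "big")
    sname = children(inner(err, 10))        # PrincipalName { name-type [0], name-string [1] }
    name_strings = [v.decode() for _, v in children(inner(sname, 1))]
    result = {
        "neg_result": neg_result,
        "error_code": error_code,
        "error_name": KRB_ERROR_NAMES.get(error_code, "unknown"),
        "stime": inner(err, 4).decode(),    # KDC/server time as GeneralizedTime, e.g. 20240429083145Z
        "realm": inner(err, 9).decode(),
        "sname": "/".join(name_strings),
        "ntstatus": None,
        "ntstatus_name": None,
    }
    edata = ctx(err, 12)
    if edata is not None:
        ked = children(read_tlv(read_tlv(edata)[1])[1])   # OCTET STRING -> KERB-ERROR-DATA SEQUENCE
        data_type = int.from_bytes(inner(ked, 1), "big")
        data_value = inner(ked, 2)
        # Assumption: data-type 1 (Wireshark: KERB-AP-ERR-TYPE-NTSTATUS) holds a little-endian NTSTATUS DWORD.
        if data_type == 1 and len(data_value) == 4:
            code = struct.unpack("<I", data_value)[0]
            result["ntstatus"] = code
            result["ntstatus_name"] = NTSTATUS_NAMES.get(code, "unknown")
    return result


if __name__ == "__main__":
    for label, hdr in (("Apr 28", IIS_401_APR28), ("Apr 29", IIS_401_APR29)):
        r = parse_negotiate_error(hdr)
        print(f"{label}: {r['error_name']} ({r['error_code']}) from {r['sname']}@{r['realm']} "
              f"at {r['stime']}, NTSTATUS 0x{r['ntstatus']:08X} {r['ntstatus_name']}")
```

The generic error-code 60 on its own says nothing; the NTSTATUS in e-data is what distinguishes a bad service-account password from a clock skew between the NetScaler and the DC, so checking it is the first step before touching SPNs or delegation settings. Paste any Negotiate challenge from a 401 into parse_negotiate_error to get the same breakdown.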

Solution

Fixed the problem:

  • I set up my timezone and did a reboot; the time was still displayed wrong (CEST +2).
  • I set the NTP server as preferred NTP server and synced --> the time was still displayed wrong (CEST +2).
  • I followed the article shown in the screenshot in the original post.