Vinay Menon1709155290 Posted August 13, 2015

Hi Folks, I'm migrating a customer's internal websites from KEMP to the NetScalers. The objective being to securely reverse proxy all the internal websites externally with AAA authentication. Scenario: Customer wishes to use NetScaler AAA Form for client-side authentication, which should then SSO to a back-end server that only supports integrated authentication. Now I can only get this to work by design, using 401 based AAA. Doesn't work when I change the AAA Virtual Server to Forms-based (as expected). Are there any work-arounds for this, as the KEMPs do have a feature called Custom Authentication Forms which allows you to define client-side and server-side authentication. https://support.kemptechnologies.com/hc/en-us/articles/203126599-Custom-Authentication-Form Surely, if the KEMPs can do it out of the box, there should be a way for the NetScalers too? Shouldn't it? :) cheers Vinay
CarlStalhood Posted August 13, 2015

You configure AAA auth normally. Then you configure Traffic Policies to perform SSO to the web applications. Maybe you're missing Traffic Policies?
CarlStalhood Posted August 13, 2015

Is the web app expecting Kerberos? If so then you'll need to configure KCD. http://docs.citrix.com/en-us/netscaler/10-5/ns-gen-appsec-wrapper-10-con/ns-aaa-app-trafc-wrapper-con-10/ns-aaa-config-protocols-con/ns-aaa-config-protocols-krb5-ntlm-intro-con.html
Vinay Menon1709155290 Posted August 13, 2015

Thanks for getting back so quickly. It uses NTLM. So if I understood this correctly: I set up a Forms Based AAA on the LB VIP (so that users get redirected to the NetScaler AAA page) and bind a Traffic Policy, with SSO set to ON? cheers Vinay
CarlStalhood Posted August 13, 2015

That should work for Basic auth but not sure about NTLM. You can also do Kerberos Impersonation: https://netscalerrocks.com/netscaler/kerberos-sso-impersonation/
Anthony Hoivik1709156858 Posted May 3, 2017

I realize I am resurrecting a fairly old thread, but were you able to get anywhere with this? I too would like to be able to use AAA Form based authentication to then pass credentials back to a website prompting for NTLM credentials. If you were to access the server/website directly, you receive a 401 style authentication window, which doesn't give me a form path to populate for my "Form Action URL" in the Traffic policy.
CarlStalhood Posted May 3, 2017

If NTLM, I think all you need is a Session Policy with Single Sign-on to Web Applications enabled. No need for forms based auth.
Anthony Hoivik1709156858 Posted May 10, 2017

The idea was to front end external web applications with the familiar AAA logon form (that actually has DUO MFA on it). Doing so gives users a logon form that they are used to seeing, and reduces the exposure of the backend servers to the internet as you are redirected to AAA first before logon.
Tonny Andersson1709158460 Posted April 17, 2020

I am in the same situation and found this old thread. Did you have a happy ending on this topic..?
Tonny Andersson1709158460 Posted April 18, 2020

For the record I got it to work. Form-based to NTLM SSO works with a Session Policy with SSO to Web Applications enabled, bound to the AAA server. I also had to adjust the SSO Attribute on the authentication server (to sAMAccountName or UserPrincipalName). Since I have multiple domains with separate authentication policies I had to use "UserPrincipalName" so it also passes the domain. In Citrix documentation it sometimes spells "UserPrincipleName" but it needs to be "UserPrincipalName".
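The working setup from the post above, written out as NetScaler CLI, as an added example that is not from any poster in this thread. All object names, IP addresses, the LDAP base and the domain are assumed placeholders; lines starting with `#` are annotations, not commands.

```text
# Forms-based AAA virtual server that users are redirected to first
add authentication vserver aaa_vs SSL 10.0.0.10 443

# LDAP authentication against AD. The SSO name attribute is what the
# session later presents to the backend; UserPrincipalName carries the
# domain, which matters when several domains share the AAA server.
add authentication ldapAction ldap_act -serverIP 10.0.0.20 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -ssoNameAttribute UserPrincipalName
add authentication ldapPolicy ldap_pol ns_true ldap_act
bind authentication vserver aaa_vs -policy ldap_pol -priority 100

# Session policy with SSO to Web Applications ON, bound to the AAA vserver.
# This is what replays the captured credentials to the NTLM backend.
add tm sessionAction sso_act -SSO ON -ssoDomain example.com
add tm sessionPolicy sso_pol ns_true sso_act
bind authentication vserver aaa_vs -policy sso_pol -priority 100

# Protected LB vserver: forms-based (Authn401 OFF) redirect to the AAA FQDN
set lb vserver web_vs -Authentication ON -AuthenticationHost aaa.example.com -Authn401 OFF
```

With Authn401 OFF the browser sees the AAA logon form, not a 401 challenge, and the NTLM negotiation happens only between the NetScaler and the backend; check the SSO attribute with a user from each domain, since a plain sAMAccountName will be replayed without a domain.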