NetScaler AAA Form ->SSO->Integrated Auth

[Vinay Menon1709155290]

Hi Folks,

 

I'm migrating a customer's internal websites from KEMP to the NetScalers. The objective being to securely reverse proxy all the internal websites externally with AAA authentication.

 

Scenario:

Customer wishes to use NetScaler AAA Form for client-side authentication, which should then SSO to a back-end server that only supports integrated authentication.

 

Now I can only get this to work by design, using 401 based AAA. Doesn't work when I change the AAA Virtual Server to Forms-based(as expected).

 

Are there any work-around's for this as the KEMP's do have a feature called Custom Authentication Forms which allows to you to define client-side and server side authentication.

 

https://support.kemptechnologies.com/hc/en-us/articles/203126599-Custom-Authentication-Form

 

Surely, if the KEMP's can do it out of the box - there should be way for the NetScaler's too? Shouldn't it?  :)

 

cheers

Vinay

[CarlStalhood]

You configure AAA auth normally. Then you configure Traffic Policies to perform SSO to the web applications. Maybe you're missing Traffic Policies?

[CarlStalhood]

Is the web app expecting Kerberos? If so then you'll need to configure KCD. http://docs.citrix.com/en-us/netscaler/10-5/ns-gen-appsec-wrapper-10-con/ns-aaa-app-trafc-wrapper-con-10/ns-aaa-config-protocols-con/ns-aaa-config-protocols-krb5-ntlm-intro-con.html

[Vinay Menon1709155290]

Thanks for getting back so quickly. It uses NTLM.

 

So if I understood this correctly -

 

• I set up a Forms Based AAA on the LB VIP ( so that users get to redirected to NetScaler AAA page)
• Bind a Traffic Policy, with SSO set to ON?

 

cheers

Vinay

[CarlStalhood]

That should work for Basic auth but not sure about NTLM.

 

You can also do Kerberos Impersonation - https://netscalerrocks.com/netscaler/kerberos-sso-impersonation/

[Anthony Hoivik1709156858]

I realize I am resurrecting a fairly old thread, but were you able to get anywhere with this?

 

I too would like to be able to use  AAA Form based authentication to then pass credentials back to a website prompting for NTLM credentials.

 

If you were access the server/website directly, you receive a 401 style authentication window, which doesn't give me a form path to populate for my "Form Action URL" in the Traffic policy.

[CarlStalhood]

If NTLM, I think all you need is a Session Policy with Single Sign-on to Web Applications enabled. No need for forms based auth.

[Anthony Hoivik1709156858]

The idea was to front end external web applications with the familiar AAA logon form (that actually has DUO MFA on it). Doing so gives users a logon form that they are used to seeing, and reduces the exposure of the backend servers to the internet as you are redirected to AAA first before logon.

[Tonny Andersson1709158460]

I am in the same situation and found this old thread.  Did you have a happy ending on this topic..?

[Tonny Andersson1709158460]

For the record I got it to work.

Form-based to NTLM SSO, works with a Session Policy with SSO to Web Applications enabled, bound to to the AAA-server.

 

I also had to adjust the SSO Attribute on the authentication server (to sAMAccountName or UserPrincipalName).

 

Since I have multiple domains with separate authentication policys I had to use "UserPrincipalName" so it also passes the domain. In Citrix documentation it sometimes spells "UserPrincipleName" but it need to be "UserPrincipalName".