


Multiple LDAP authentication servers on different broadcast domains / subnets

Started by kpauli, 21 April 2017 - 01:49 PM
5 replies to this topic

kpauli Members

Kai Pauli
  • 23 posts

Posted 21 April 2017 - 01:49 PM

Hello folks,

 

I am trying to set up multi-domain authentication on NetScaler Gateway (NS 11.1 build 53.11), where the domain controllers are located on three different subnets.

 

The NetScaler (located in the DMZ) has three routes configured via the gateway, which NATs the IP addresses to the different StoreFronts in the different subnets.

 

All credentials are correct, but the NetScaler always shows only the first authentication server as up. The others are marked "Down. Invalid Admin Bind Credentials".

 

Does anybody have an idea what could be causing this?

 

Rgds

 

Attachments: Auth_SRV.JPG, Routes.JPG


kpauli Members

Kai Pauli
  • 23 posts

Posted 21 April 2017 - 01:56 PM

Test scenario: Telnet from the NetScaler to the NATted IP address of the domain controller, and back to the NetScaler, is successful. The ldapsearch command on the NS CLI is also successful. I can connect via

ldapsearch -b "DC=domain,DC=local" -D "administrator@domain.local" -h 192.168.1.1 -p 389 -w "password"

 

I can successfully connect to the servers with the credentials, but not from the GUI...

 

A test login on the NetScaler Gateway is only possible with credentials from the first authentication server, the one marked green.



Carl Stalhood CTP Member

Carl Stalhood
  • 12,351 posts

Posted 21 April 2017 - 02:01 PM

Special characters in the password?

 

If you're not locally load balancing LDAP, then NSIP is the source IP. You can run nstcpdump.sh port 389 to see the packets.



kpauli Members

Kai Pauli
  • 23 posts

Posted 22 April 2017 - 01:43 PM

The logs show that the NS connects to both DCs when I log in with the user credentials.

 

But login is not possible.

 

15:38:35.653991 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [S], seq 2483829000, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 70858810 ecr 0], length 0
15:38:35.654001 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [S], seq 2483829000, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 70858810 ecr 0], length 0
15:38:35.655488 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [S.], seq 2503061709, ack 2483829001, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 9817962 ecr 70858810], length 0
15:38:35.655490 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [S.], seq 2503061709, ack 2483829001, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 9817962 ecr 70858810], length 0
15:38:35.655988 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [.], ack 1, win 8326, options [nop,nop,TS val 70858812 ecr 9817962], length 0
15:38:35.655990 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 70858812 ecr 9817962], length 50
15:38:35.655990 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [.], ack 1, win 8326, options [nop,nop,TS val 70858812 ecr 9817962], length 0
15:38:35.655991 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 70858812 ecr 9817962], length 50
15:38:35.659488 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [P.], ack 51, win 260, options [nop,nop,TS val 9817962 ecr 70858812], length 22
15:38:35.659490 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [P.], ack 51, win 260, options [nop,nop,TS val 9817962 ecr 70858812], length 22
15:38:35.659988 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 23, win 8326, options [nop,nop,TS val 70858816 ecr 9817962], length 184
15:38:35.659989 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 23, win 8326, options [nop,nop,TS val 70858816 ecr 9817962], length 184
15:38:35.661478 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [P.], ack 235, win 259, options [nop,nop,TS val 9817962 ecr 70858816], length 276
15:38:35.661480 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [P.], ack 235, win 259, options [nop,nop,TS val 9817962 ecr 70858816], length 276
15:38:35.661989 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [S], seq 3275954142, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 70858818 ecr 0], length 0
15:38:35.661996 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 299, win 8326, options [nop,nop,TS val 70858818 ecr 9817962], length 7
15:38:35.661996 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [F.], seq 242, ack 299, win 8326, options [nop,nop,TS val 70858818 ecr 9817962], length 0
15:38:35.662008 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [S], seq 3275954142, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 70858818 ecr 0], length 0
15:38:35.662008 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 299, win 8326, options [nop,nop,TS val 70858818 ecr 9817962], length 7
15:38:35.662009 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [F.], seq 242, ack 299, win 8326, options [nop,nop,TS val 70858818 ecr 9817962], length 0
15:38:35.662979 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [S.], seq 1819319321, ack 3275954143, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 9817963 ecr 70858818], length 0
15:38:35.662981 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [.], ack 243, win 259, options [nop,nop,TS val 9817963 ecr 70858818], length 0
15:38:35.662981 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [R.], seq 299, ack 243, win 0, length 0
15:38:35.662984 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [S.], seq 1819319321, ack 3275954143, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 9817963 ecr 70858818], length 0
15:38:35.662984 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [.], ack 243, win 259, options [nop,nop,TS val 9817963 ecr 70858818], length 0
15:38:35.662984 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [R.], seq 299, ack 243, win 0, length 0
15:38:35.663477 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [.], ack 1, win 8326, options [nop,nop,TS val 70858820 ecr 9817963], length 0
15:38:35.663478 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 70858820 ecr 9817963], length 50
15:38:35.663479 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [.], ack 1, win 8326, options [nop,nop,TS val 70858820 ecr 9817963], length 0
15:38:35.663479 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 70858820 ecr 9817963], length 50
15:38:35.666989 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [P.], ack 51, win 260, options [nop,nop,TS val 9817963 ecr 70858820], length 110
15:38:35.666990 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [P.], ack 51, win 260, options [nop,nop,TS val 9817963 ecr 70858820], length 110
15:38:35.667524 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [P.], ack 111, win 8326, options [nop,nop,TS val 70858824 ecr 9817963], length 7
15:38:35.667525 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [F.], seq 58, ack 111, win 8326, options [nop,nop,TS val 70858824 ecr 9817963], length 0
15:38:35.667529 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [P.], ack 111, win 8326, options [nop,nop,TS val 70858824 ecr 9817963], length 7
15:38:35.667529 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [F.], seq 58, ack 111, win 8326, options [nop,nop,TS val 70858824 ecr 9817963], length 0
15:38:35.667991 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [.], ack 59, win 260, options [nop,nop,TS val 9817963 ecr 70858824], length 0
15:38:35.667992 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [.], ack 59, win 260, options [nop,nop,TS val 9817963 ecr 70858824], length 0
15:38:35.668481 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [R.], seq 111, ack 59, win 0, length 0
15:38:35.668483 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [R.], seq 111, ack 59, win 0, length 0

 

On the "Other Settings" page within the LDAP server in NS, what Server Logon Name Attribute should be used? I guess userPrincipalName is the relevant one for multi-domain auth.

 

Should that also be set as the SSO Name Attribute?

 

Rgds and thanks in advance!
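A trace like the one in this post is easier to read once the packets are grouped per TCP connection. The script below is an added example, not code from the original poster or from Citrix: it parses nstcpdump.sh/tcpdump text lines, folds the duplicate line that nstcpdump.sh prints for every packet, and reports for each DC how far the connection got (handshake, bind request, bind reply, further requests, close). The sample input is copied from the trace above; the byte thresholds used to tell a short bind reply from a long one are assumptions, not something the thread states.

```python
"""Summarise LDAP (tcp/389) connections from nstcpdump.sh / tcpdump text.

Added example for this thread (not the poster's or Citrix's code). Groups
packets per connection, drops the duplicate line nstcpdump.sh prints for each
packet, and gives a heuristic verdict per connection. Thresholds in
classify() are assumptions.
"""
import re

PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\],"
    r".* length (?P<len>\d+)$"
)

# Sample input: lines copied from the trace posted in the thread (NetScaler NSIP
# 172.16.0.110 talking to two DCs), one duplicate line left in on purpose.
SAMPLE_TRACE = """\
15:38:35.653991 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [S], seq 2483829000, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 70858810 ecr 0], length 0
15:38:35.654001 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [S], seq 2483829000, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 70858810 ecr 0], length 0
15:38:35.655488 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [S.], seq 2503061709, ack 2483829001, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 9817962 ecr 70858810], length 0
15:38:35.655988 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [.], ack 1, win 8326, options [nop,nop,TS val 70858812 ecr 9817962], length 0
15:38:35.655990 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 70858812 ecr 9817962], length 50
15:38:35.659488 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [P.], ack 51, win 260, options [nop,nop,TS val 9817962 ecr 70858812], length 22
15:38:35.659988 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 23, win 8326, options [nop,nop,TS val 70858816 ecr 9817962], length 184
15:38:35.661478 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [P.], ack 235, win 259, options [nop,nop,TS val 9817962 ecr 70858816], length 276
15:38:35.661989 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [S], seq 3275954142, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 70858818 ecr 0], length 0
15:38:35.661996 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [P.], ack 299, win 8326, options [nop,nop,TS val 70858818 ecr 9817962], length 7
15:38:35.661996 IP 172.16.0.110.30054 > 192.168.1.1.389: Flags [F.], seq 242, ack 299, win 8326, options [nop,nop,TS val 70858818 ecr 9817962], length 0
15:38:35.662979 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [S.], seq 1819319321, ack 3275954143, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 9817963 ecr 70858818], length 0
15:38:35.662981 IP 192.168.1.1.389 > 172.16.0.110.30054: Flags [R.], seq 299, ack 243, win 0, length 0
15:38:35.663478 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 70858820 ecr 9817963], length 50
15:38:35.666989 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [P.], ack 51, win 260, options [nop,nop,TS val 9817963 ecr 70858820], length 110
15:38:35.667524 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [P.], ack 111, win 8326, options [nop,nop,TS val 70858824 ecr 9817963], length 7
15:38:35.667525 IP 172.16.0.110.48606 > 192.168.3.1.389: Flags [F.], seq 58, ack 111, win 8326, options [nop,nop,TS val 70858824 ecr 9817963], length 0
15:38:35.668481 IP 192.168.3.1.389 > 172.16.0.110.48606: Flags [R.], seq 111, ack 59, win 0, length 0
"""


def parse_flows(text, ldap_port=389):
    """Group packets into connections keyed (client_ip, client_port, server_ip)."""
    flows, seen = {}, set()
    for line in text.splitlines():
        line = line.strip()
        m = PKT.match(line)
        if not m:
            continue
        body = line.split(" ", 1)[1]      # everything after the timestamp
        if body in seen:                  # nstcpdump.sh prints each packet twice
            continue
        seen.add(body)
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        if dport == ldap_port:
            key, to_server = (src, sport, dst), True
        elif sport == ldap_port:
            key, to_server = (dst, dport, src), False
        else:
            continue
        f = flows.setdefault(key, {"syn": False, "synack": False, "c_data": [],
                                   "s_data": [], "c_fin": False, "s_rst": False})
        flags, length = m["flags"], int(m["len"])
        if to_server:
            f["syn"] |= flags == "S"
            f["c_fin"] |= "F" in flags
            if length:
                f["c_data"].append(length)   # bind, search, unbind ... requests
        else:
            f["synack"] |= flags == "S."
            f["s_rst"] |= "R" in flags
            if length:
                f["s_data"].append(length)   # bind result, search entries ...
    return flows


def classify(f, short_reply=32, long_reply=64):
    """Heuristic verdict (thresholds are assumptions): an AD simple-bind
    success is a small LDAPResult with empty diagnostic text, while a rejected
    bind carries a diagnostic string and is considerably larger."""
    if not (f["syn"] and f["synack"]):
        return "no TCP handshake"
    if not f["c_data"]:
        return "handshake only, no bind request sent"
    if not f["s_data"]:
        return "bind request sent, no reply from server"
    reply, requests = f["s_data"][0], len(f["c_data"])
    if reply <= short_reply and requests >= 3:
        return "short bind reply, then search and unbind (bind accepted)"
    if reply >= long_reply and requests <= 2:
        return "long bind reply, then immediate unbind (bind likely rejected)"
    return "undetermined"


def report(text):
    return [f"{c}:{p} -> {s}:389  client={f['c_data']} server={f['s_data']} "
            f"client_fin={f['c_fin']} server_rst={f['s_rst']}  => {classify(f)}"
            for (c, p, s), f in parse_flows(text).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

In practice you would save the output of `nstcpdump.sh port 389` on the NetScaler shell to a file and pass its contents to report(); the verdict only tells you that the two DCs answered the same 50-byte bind request differently, not why, which is where the NAT device mentioned later in the thread comes in.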
 



kpauli Members

Kai Pauli
  • 23 posts

Posted 22 April 2017 - 07:44 PM

No special characters in the password.

 

I noticed that the NS connects to both DCs to check the user credentials.

 

What exactly has to be set in the LDAP auth server settings? I guess the issue could be there.



kpauli Members

Kai Pauli
  • 23 posts

Posted 24 April 2017 - 07:57 AM

I've isolated the issue as a NAT issue on a third appliance between the Citrix NS and the Microsoft DCs,

 

so, nothing more to do here.

 

Thanks in advance, Carl!

 

Rgds