NetScaler has had a feature-rich AAA module for many releases, and it works with external AAA servers. With the latest 9.3 nCore release we took the AAA module to an altogether different level by adding Kerberos support. Kerberos is a well-known network authentication protocol accepted in all kinds of deployments. It lets a client authenticate to any service without sending a password over the wire. Most common browsers support Kerberos, and you are often logged into various network services transparently through it. Kerberos has many benefits; a common one is the ability to do Single Sign-On. It is used heavily in Windows environments because Windows Server has a Kerberos Key Distribution Center (KDC) built in.

The NetScaler implementation of Kerberos supports only the Windows Server version of the KDC. If Kerberos fails, the authentication agent falls back to NTLM authentication mode. Kerberos is supported in a High Availability NetScaler setup, and at any point in time only the primary NetScaler is part of the logical domain. The following diagram shows how Kerberos authentication happens with an authentication vserver on NetScaler.


Here are the key configuration steps to set it up:

  1. Enable AAA feature on NetScaler
  2. Keytab file on NetScaler which has entry for every service
  3. Ensure AD has the service representation
  4. Ensure client is coming from same KDC domain
  5. Configure and bind authentication policies to Auth vserver
    1. Add negotiateAction
    2. Add negotiatePolicy
    3. Create AAA-TM auth vserver
    4. Bind negotiatePolicy to auth vserver
  6. Configure and bind authorization policies to TM vserver
    1. Create backend service
    2. Create TM vserver with “authn401 ON” and “authnVsName <auth vs>”
    3. Create authorization policies as needed


Beyond this, ensure that Kerberos is enabled on the client side, and the whole setup should work fine. NetScaler also provides extensive auditing and logging for all Kerberos transactions. Everything is logged to the system logs, and the log format supports scripting.

Think of the numerous use cases where a NetScaler sitting in front of the app tier can now perform Kerberos authentication as well. This feature is of high value and makes NetScaler part of a typical Windows environment. More to come with the next release!