NetScaler Basic on-prem authentication

As promised, here is the first of the three real-life authentication examples. I will post the next one tomorrow and the final one the day after tomorrow.

Overview

In this use case the NetScaler acts as a load balancer (aka reverse web proxy) for the web front end servers, but also enables the authentication, authorization and auditing (AAA-TM) feature (NetScaler Docs). For the on-premises users, the LDAP authentication capability is used, either with SSO and authorization or without.

AAA processing

This example is applicable for sessions established from the internal networks or VPN clients.

  1. The user initiates a connection to https://service.my.domain/production/prod-system.html (if needed, the NetScaler can redirect the user from the root path to the proper URL path)
  2. As the session is unauthenticated, the NetScaler AAA-TM redirects the user to the NetScaler authentication form page /logon/LogonPoint/tmindex.html (in this example a shared host name is used for the authentication services)
  3. The browser requests /logon/LogonPoint/tmindex.html
  4. An authentication form or a 401 challenge is presented
  5. The user enters credentials (or is signed on automatically, using Negotiate/Kerberos for example)
  6. After a successful authentication and LDAP bind, the group membership of the user is queried
  7. A list of groups is collected from LDAP
  8. Successful authentication adds the authentication cookie (NSC_AAAC) to the user session and redirects the session back to the original URL
  9. The original URL is requested with the authentication cookie
  10. The load balancing vServer proxies the traffic to the web front end (optionally checking AD group-based authorization); SSO is possible with the given credentials or by configuring the NetScaler AAA as an IdP (for SAML or OIC/OAuth2)
  11. A session is established from the NetScaler to the backend
  12. An authenticated (and optionally authorized) session is established
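The flow above expressed as NetScaler CLI configuration, added here as an illustration and not taken from the author's environment: an LDAP action that also collects group membership (steps 6 and 7), an AAA vServer the LB vServer redirects unauthenticated sessions to (steps 2 to 8), a session policy for SSO, and a group-based authorization policy with a default DENY (step 10). All IP addresses, object names, the base DN, the host name logon.my.domain and the group name Prod-Web-Users are assumptions; the bind password is a placeholder.

```netscaler
# Assumed addresses: LDAPS server 10.0.0.5, AAA vServer VIP 10.0.0.10,
# LB vServer VIP 10.0.0.11, backend web front end 10.0.1.20

# Step 6/7: LDAP over TLS, bind as a service account, validate the user,
# then read memberOf and keep only the CN part as the group name
add authentication ldapAction ldap_act -serverIP 10.0.0.5 -serverPort 636 -secType SSL -validateServerCert YES -ldapBase "DC=my,DC=domain" -ldapBindDn "CN=ns-svc,OU=Service,DC=my,DC=domain" -ldapBindDnPassword <ldap-bind-password-placeholder> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userPrincipalName
add authentication Policy ldap_pol -rule true -action ldap_act

# Step 2-5: AAA vServer that serves /logon/LogonPoint/tmindex.html on the shared host name
add authentication vserver aaa_vs SSL 10.0.0.10 443
bind ssl vserver aaa_vs -certkeyName logon_cert
bind authentication vserver aaa_vs -policy ldap_pol -priority 100 -gotoPriorityExpression NEXT

# Session settings: default authorization DENY so only explicitly allowed
# groups reach the backend; SSO ON forwards the captured credentials (step 10)
add tm sessionAction sso_act -sessionTimeout 30 -defaultAuthorizationAction DENY -SSO ON
add tm sessionPolicy sso_pol true sso_act
bind authentication vserver aaa_vs -policy sso_pol -priority 100

# Step 8-11: backend service and the LB vServer that enforces authentication
add service web_svc 10.0.1.20 SSL 443
add lb vserver web_lb SSL 10.0.0.11 443 -persistenceType NONE -Authentication ON -authnVsName aaa_vs -AuthenticationHost logon.my.domain
bind ssl vserver web_lb -certkeyName service_cert
bind lb vserver web_lb web_svc

# Step 10: AD group-based authorization on the LB vServer (everything else is denied)
add authorization policy authz_prod 'AAA.USER.IS_MEMBER_OF("Prod-Web-Users")' ALLOW
bind lb vserver web_lb -policyName authz_prod -priority 100 -gotoPriorityExpression END

# Step 1 (optional): send requests for the root path to the application URL
add responder action rdr_root redirect '"https://service.my.domain/production/prod-system.html"' -responseStatusCode 302
add responder policy rdr_root_pol 'HTTP.REQ.URL.PATH.EQ("/")' rdr_root
bind lb vserver web_lb -policyName rdr_root_pol -priority 100 -gotoPriorityExpression END -type REQUEST
```

With the default authorization action set to DENY, a user who authenticates successfully but is not a member of the allowed group is stopped at the NetScaler with a 403 and never reaches the backend.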

Summary

This answers the questions discussed in the earlier posts Security basics, part 2 – Who? and Security basics, part 3 – Where?. It all comes down to the same common thread, from a slightly more technical angle this time.

Followup

The next one is out tomorrow

In the next post we’ll discuss publishing a resource to the internet and authenticating it using Microsoft Entra ID (or similar).

A real head scratcher?

Would you find this useful in your environment?

Don’t hesitate to contact me, the address is kari.ruissalo@comping.fi.

I have a NetScaler key-chain after all, so I must know something about this!