in NetScaler, Security

Kerberos SSO by impersonation

Kerberos is complicated, but you should not over-complicate it. Kerberos Deligation in most use-cases is not needed. Instead you can configure Kerberos Impersonation in just 2 steps..

When you configure a AAA Vserver, by default the netscaler will try to do NTLM (worst case basic) authentication for the end user towards the backend server. If Kerberos authentication is needed towards the backend servers, just create a “dummy” KCD account, with the upn-realm for the user.

bind this account to the AAA-SessionAction..

Make sure the NetScaler has an NTP server running, time is critical.

Make sure the NetScaler can resolve the upn-realm using DNS…

Make sure you configure your server objects DNS based (avoid using ip addresses)

it’s easier than you think..

What do you think?


  1. Hi,
    thanks for the tips. Totally on point. Avoiding using ip fixed all my problems. Valid for NS 11, too.