Overview
Recently I’ve stumbled across two identical issues in different environments: one on 13.1 60.29 and the other on 14.1 51.72 (I did the same tests with 14.1 56.71, too).
A Negotiate authentication policy, bound to an AAA vServer that provides SSO for internal clients and MFA for external access, stopped working. Internal SSO no longer works and the AAA logon page throws errors.
Issue
We checked the classic aaad.debug and saw that the Negotiate policy got hits, but an “Anonymous” user is logged and processing does not continue to the LDAPS group extraction.
We checked the Kerberos tickets on the client with “klist”, and there is a correct-looking ticket for http/aaa.customer.com. I reproduced the issue in my lab:

With 14.1 you see a non-responding AAA login page: no logon box is shown and the browser keeps loading:

So it looks like the NetScaler AAA engine isn’t able to use that ticket for further processing?!
We checked ns.log and this line got our attention:
ns-aaa-default-appfw-profile Parameter value incorrect as per API Spec: (ns-aaa-spec) for Endpoint: (POST https://aaa.customer.com/nf/auth/doNegotiate.do?context=XXXXX) <blocked>
Got it! So the built-in WAF, through the “Auth” profile ns-aaa-default-appfw-profile, blocked our POST to /nf/auth/doNegotiate.do.
Here’s also the matching screenshot from NetScaler Console, Security Violations:

Typically my NetScaler setups look like this: the WAF is custom and everything is enabled (because “Default” mostly means OFF):

Yes, I’m mostly using the integrated WAF configured for “Auth and VPN” (a 13.1 setting), and it had been working fine for the last months. As soon as we disabled the WAF or set it to “VPN / Portal”, the issue was immediately gone and Negotiate was working fine with SSO.
For the moment, I’ve added a relaxation rule for REST API schema validation on the ns-aaa-default-appfw-profile WAF profile:
bind appfw profile ns-aaa-default-appfw-profile -restValidation "POST:/nf/auth/doNegotiate.do"

So I don’t have to disable the WAF for Auth completely. There’s a support case open and I will update this post if I get a better recommendation from NetScaler Support.
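As an added example (not from the original post), a small POSIX shell helper that pulls every endpoint a given WAF profile blocked out of ns.log lines and prints the matching restValidation relaxation for review. The sample log lines are constructed from the format shown above; the profile name and the bind syntax are the ones used in this post.

```shell
#!/bin/sh
# Constructed sample ns.log excerpt: the first line mirrors the format shown above;
# the timestamps, the second context value and the unrelated line are made up.
SAMPLE_LOG='Jan 01 10:00:01 ns-aaa-default-appfw-profile Parameter value incorrect as per API Spec: (ns-aaa-spec) for Endpoint: (POST https://aaa.customer.com/nf/auth/doNegotiate.do?context=XXXXX) <blocked>
Jan 01 10:00:02 ns-aaa-default-appfw-profile Parameter value incorrect as per API Spec: (ns-aaa-spec) for Endpoint: (POST https://aaa.customer.com/nf/auth/doNegotiate.do?context=YYYYY) <blocked>
Jan 01 10:00:03 unrelated message that mentions ns-aaa-default-appfw-profile but no block'

# blocked_endpoints PROFILE
# Reads log text on stdin and prints "METHOD:/path" once for every endpoint
# that PROFILE blocked. Scheme, host and query string are stripped so the
# result has the form the -restValidation relaxation expects.
blocked_endpoints() {
  profile="$1"
  grep -F "$profile" | grep -F '<blocked>' \
    | sed -n 's|.*for Endpoint: (\([A-Z]*\) https\{0,1\}://[^/]*\([^ ?)]*\).*|\1:\2|p' \
    | sort -u
}

# relaxation_commands PROFILE
# Prints the bind command for each blocked endpoint. These are for review:
# each relaxation exempts exactly that method/path from REST schema validation
# while the rest of the profile stays active, so only add the ones you expect.
relaxation_commands() {
  profile="$1"
  blocked_endpoints "$profile" | while IFS= read -r ep; do
    printf 'bind appfw profile %s -restValidation "%s"\n' "$profile" "$ep"
  done
}

printf '%s\n' "$SAMPLE_LOG" | relaxation_commands ns-aaa-default-appfw-profile
```

Run it against a copy of ns.log instead of the sample with `relaxation_commands ns-aaa-default-appfw-profile < ns.log`; repeated blocks of the same endpoint collapse to one line.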
Summary
At the moment, I’m unsure in which firmware that issue first appears, or whether it has always been there since the built-in WAF with the ns-aaa-default-appfw-profile profile was introduced.