What we've discovered is the NS is trying to authenticate to the WI with some account name like @@67832ghj675uys8 when it should be passing through the primary alternate name from the card that was used to authenticate with the NS, which is something like 1534267288@mil which is how the active users are displayed in the NS as well. So the NS is seeing the username correctly, but somewhere between the NS and the WI the username is getting mauled.
Is it possible to have the Netscaler handle the authentication with the smart card and then just treat WI the normal way, i.e. pass through the AD credentials?
Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85266
(602) 432-8649
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Steve Snyder
Sent: Thursday, January 08, 2009 2:14 PM
Correct, although we were hoping that pass-through would work. I'm pretty sure we tried both ways for the WI (pass-through and not-pass-through) and both ways it (the WI) keeps prompting for credentials.
On Fri, Jan 9, 2009 at 8:57 AM, Steve Greenberg <steveg@thinclient.net> wrote:
Just to be clear, you do not have the Netscaler handling authentication for the WI? Is that correct? I.e. you log in to the SSL VPN and then you log in with your smart card to the WI?
Steve Greenberg
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Steve Snyder
Sent: Thursday, January 08, 2009 1:43 PM
To: thin@freelists.org
Subject: [THIN] Re: netscalers and smartcards (CAC) - who's using them?
I'm perusing it and trying to compare - the interface is quite different for 8.1.
The one diff I do see is the Configure Auth Server - they had me enter SubjectAltName:PrincipalName in the user field and left the group field blank.
I don't know if that's something that will vary with CACs/certs, but it's worth a try.
On Thu, Jan 8, 2009 at 4:03 PM, <peter_dibbens@yahoo.co.uk> wrote:
Hi,
Have you seen this article? http://support.citrix.com/article/ctx116373
I can vouch that the certificate components work as expected. You must also configure all the prerequisites for WI Pass-through.
Thanks Pete
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Steve Snyder
Sent: Thursday, 8 January 2009 10:40 AM
To: thin@freelists.org
Subject: [THIN] netscalers and smartcards (CAC) - who's using them?
and what did you have to do to get the WI to come up properly?
We're trialing a NS 8.1 in our DMZ - the VPN tunnel connects and it starts to load the WI site but the smartcard (CAC) authentication just doesn't fly. Citrix is scratching their heads.