Netscaler 10 Load Balanced vServe w/ AAA Double Login Prompt

I have setup a Load Balanced vserver to use AAA for authentication. When I type in the FQDN of my vserver I get the login page for the AAA server which is great. I login and then get another Windows login prompt to connect to my backend SharePoint server. After I login I can access the site without issue. I am using cookie insert with a 0 timeout value for persistent.

Any thoughts or suggestions?

CitrixNetScaler

Last Comment

compdigit44

8/22/2022 - Mon

Dirk Kotte

3/22/2015

do you see this articles?
Case Study: Using AAA Virtual Server to Remove Multiple Authentication Prompts for Web Application
http://support.citrix.com/article/CTX131684

and if you used Form Based authentication at Sharepoint:
How to Configure NetScaler Gateway for Single Sign-On to a Web Form
http://support.citrix.com/article/CTX124794

compdigit44

3/22/2015

ASKER

Thanks for the great articles. We are not using FBA and am still trying to understand the articles and trying to understand what I need to change to all the netscaler to pass the credential to the back end web server

compdigit44

3/22/2015

ASKER

It sounds like I need a traffic policy but since we are not using FBA not sure what to put in for the reference URL..

I am still learn the Netscaler so please be patient with me.

Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!

James Murphy

Dirk Kotte

3/22/2015

the first article don't use Form based authentication to the backend. the config example is for NTLM.
which part of the configuration a problem for you?

compdigit44

3/22/2015

ASKER

I am still learning the Netscaler so please bare with me..

In the GUI I am confused what I need to configure for the traffic policy. I tried to match up the setting with a traffic policy and profile then applied it to my load balanced vserver but it did not work

Traffic Management Policy
add tm sessionAction prof_session_sharepoint_auth -sessTimeout 10 -defaultAuthorizationAction ALLOW -SSO ON
add tm sessionPolicy vs_auth_sharepoint Netscaler_true prof_session_sharepoint_auth

The Traffic Management Policy enabled the Single Sign On feature.

compdigit44

3/22/2015

ASKER

I tried creating another session policy with the default of allow and enabled SSO... and got the same result
Now one thing is my authencating domain field I left blank on my AAA vserver. My external domain is company.com but my internal domain which user authenticate against is internal.company.com.

Thoughts????

⚡ FREE TRIAL OFFER

Try out a week of full access for free.

Find out why thousands trust the EE community with their toughest problems.

Dirk Kotte

3/23/2015

do you create "Authentication vServer" and bind the traffic management policy?

"bind authentication vserver vs_auth -policy vs_auth_sharepoint -priority 100"

here you have to config your internal authentication domain, not the FQDN from the webpage:
add authentication vserver vs_auth SSL 10.9.6.254 443 -AuthenticationDomain internal.company.com

sorry, would suggest to check the resulting config from CLI and add new lines from CLI also.
I am unsuccessful from GUI sometimes.

compdigit44

3/23/2015

ASKER

still a bit confused doing it via the command line... how can I do this via the GUI

ASKER CERTIFIED SOLUTION

Dirk Kotte

3/23/2015

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.

View this solution by signing up for a free trial.

Members can start a 7-Day free trial and enjoy unlimited access to the platform.

See Pricing Options

Start Free Trial