Kerberos authentication

Kerberos, which started off as an MIT project, has grown in popularity to the point that it is now the default choice for enterprise authentication in a domain-based environment. It is considered to be fast (especially given the ability to cache and reuse tickets) and secure from a credential-handling perspective, because the user never needs to send the password over the network to authenticate. It is also genuinely open: as long as you can put the necessary keytabs (think of a keytab as a stored key) in place, you can have a mixed Windows and Linux environment authenticating in perfect harmony.

Kerberos is a complex protocol (especially when you come across it for the first time), so to take this step by step, we will take a quick look at the components that need to be in place, and the flow, before looking at troubleshooting and a quick configuration checklist. This will give us a good base before we dive into the communication flow.

Kerberos parties

Kerberos authentication in the context of NetScaler involves the following three parties:

  • The users/clients
  • The KDC (Key Distribution Center) which has two subcomponents:
    • Authentication Service (AS), which looks up the user and returns a Ticket Granting Ticket (TGT), which the client in turn uses to request session tickets.
    • Ticket Granting Service (TGS), which issues those session tickets.
  • The NetScaler AAA vServer that authenticates the users, talks to the KDC, and obtains tickets on behalf of the users.

Kerberos uses TCP port 88.
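To make the three parties and the two exchanges concrete, here is a toy model of the AS and TGS flow. It is an added illustration, not code from the book or from NetScaler: seal()/unseal() stand in for Kerberos encryption (a keystream-plus-HMAC construction, not a real krb5 encryption type), the message layouts are simplified, and the realm, user and service principal names are constructed.

```python
import hashlib, hmac, json, os

def derive_key(password: str, salt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)  # string2key analogue; password stays local

def seal(key: bytes, msg: dict) -> bytes:  # toy stand-in for krb5 encryption: keystream XOR plus HMAC tag
    nonce, plain = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(plain, hashlib.shake_128(key + nonce).digest(len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_128(key + nonce).digest(len(ct)))))

class KDC:
    def __init__(self, users: dict, keytabs: dict):
        self.realm = "EXAMPLE.COM"                      # constructed realm name
        self.user_keys = {u: derive_key(p, self.realm + u) for u, p in users.items()}
        self.keytabs = keytabs                          # service principal -> long-term key (keytab contents)
        self.krbtgt_key = os.urandom(32)                # only the TGS itself can open a TGT
    def authentication_service(self, principal: str) -> tuple:
        session = os.urandom(32).hex()                  # AS-REQ names the user; AS-REP is readable only with the user's key
        tgt = seal(self.krbtgt_key, {"cname": principal, "session": session})
        return seal(self.user_keys[principal], {"session": session}), tgt
    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, service: str) -> tuple:
        t = unseal(self.krbtgt_key, tgt)                # the TGS trusts the TGT because it sealed it
        if unseal(bytes.fromhex(t["session"]), authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")  # caller must hold the TGS session key
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keytabs[service], {"cname": t["cname"], "session": svc_session})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session}), ticket

def client_login(kdc: KDC, principal: str, password: str, service: str):
    user_key = derive_key(password, kdc.realm + principal)
    enc, tgt = kdc.authentication_service(principal)
    tgs_session = bytes.fromhex(unseal(user_key, enc)["session"])    # raises on a wrong password
    enc, ticket = kdc.ticket_granting_service(tgt, seal(tgs_session, {"cname": principal}), service)
    svc_session = unseal(tgs_session, enc)["session"]
    claim = unseal(kdc.keytabs[service], ticket)                     # service side: opened with its keytab key only
    return claim["cname"] if claim["session"] == svc_session else None

def demo() -> tuple:
    svc = "HTTP/netscaler.example.com"                               # constructed service principal
    kdc = KDC({"alice": "correct horse battery"}, {svc: os.urandom(32)})
    try:
        client_login(kdc, "alice", "wrong password", svc)
        rejected = False
    except ValueError:
        rejected = True                                              # AS-REP cannot be opened without the right key
    return client_login(kdc, "alice", "correct horse battery", svc), rejected
```

Note that the password is used only inside derive_key on the client side; every message that crosses the wire is a sealed ticket or a principal name, which is the property the text above describes.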
