first management server is using embeded database.
installing symantec endpoing on second server, selecting option to install additional managment server to existing site.
when I get to Database Server Authentication I have two options, SQL server authentication, and Windows Authentication.
tried windows authentication but no go, and try SQL server authentication and it fails as wellm error 11501.
notes show username for DB is DBA, and we have notes for the password, but not sure of the database name, it defautls to sem45.
how can I verify the correct database name for an embedded database on the other server.
Server name: The name this server will use.
Connection address: The IP address of this server.
Description: An optional field to describe this server.
System key: (Optional) The system key is a unique value used to secure your Secure Messaging Gateway system, that is shared across all servers. Due to its sensitive nature, it is not stored in the system database.
Typically, leave this entry blank, and an existing gwavaman program will be contacted to acquire the key during the validation step.
If the validation process cannot obtain this key from another server, you will need to access the config/system.xml file inside the Secure Messaging Gateway directory on an existing server and enter the <privatekey> entry here manually.
Please note that entering an invalid key will cause secure data to be incompatible between servers and will very likely lead to system instability.
DB server address: The address of the database server, the first Secure Messaging Gateway server or other designated postgres server.
DB name: The name of the database (default is SecureGateway).
DB user name: The username for the database (default is postgres).
DB password: The password for the database (default is postgres).
To authenticate users in VIP service, the enteprise gateway will forward the username and password to the AD/Ldap server and the security code will be forwarded to VIP services for validation.
If i wanted to only validate the security code (without username and password) using only the enterprise gateway and validation server, will this work.
What will be the configuration steps?
I’m seeing an issue with ASG policy that I haven’t come across before.
This is an explicit proxy deployment with IWA authentication, category/site based exceptions. We see that when any policy is saved, any users with active intercepted HTTPS connections are presented with browser authentication popups. Policy traces show that despite the connection being authenticated at the CONNECT command, and intercepted requests prior to the policy update being processed against the authenticated user, following the policy update the requests fail due to authentication required. The proxy does its best to authenticate by sending a HTTP status 401 (can’t do a 407 proxy auth within an existing HTTPS tunnel). We can prevent the auth popups with some policy to say “do not authenticate SSL proxy requests”, but then we need to blow a hole in our policy as we can not have any user based rules applied to HTTPS traffic.
What makes this environment a bit unusual is that we use multi-tenant policy with ‘global’ and per-tenant policy, maybe that triggers the behaviour.
But, just wanted to know if any other Knights had seen this sort of behaviour before?
By enabling Store Front authentication, NetScaler does authenticate users with StoreFront (via LDAP) instead of the NetScaler Gateway performing a LDAP query to an Active Directory server.
To configure “Two factor authentication” as RSA + Storefront Auth along with pre-filled User name in the second Factor, please follow the steps below:
Go to Advanced authentication Policies under Security –> AAA – Application traffic, create the Policy and Action Type:
- Choose Authentication Type – StoreFront Auth is Selected
- StoreFront URL – The StoreFront Server URL. This should auto-populate from the information entered in the previous screen
- Retrieve Auth Enabled Stores – This will contact the StoreFront server retrieve the authentication endpoint for the store
- Default Authentication Group – This is the default group that is chosen when the authentication succeeds in addition to extracted groups.
- Domain – Domain of the server that is used for authentication. If users enter name without domain, this parameter is added to username in the authentication request
To get, the pre-filled User name for the second factor, we need to select the appropriate Login Schema:
I am trying to configure the new Authc authentication for a Networker 9.1 env. The AD (LDAP) configuration part succeeds ,whereas the nsrlogin test fails every time, I try authenticating with an appropriate user ID and password of the configured LDAP domain. It says..
130136:nsrlogin: Please enter password:
117849:nsrlogin: Authentication library error: Unauthorized access: The username or password is incorrect
All necessary supporting packages were installed prior to the config. both the user name and the password combination is also correct.
nsr auth c version 22.214.171.124
Any help in this is much appreciated.
In the following section we are explaining the major entities involved in nFactor authentication and their significance:
nFactor decouples the ‘view’, the user interface, with the ‘model’ that is the run time handling. nFactor’s view is defined by ‘loginSchema’. LoginSchema is an entity that defines what user sees and specifies how to extract the data from user.
For defining view, loginSchema points to a file on disk that defines the logon form. This file should be according to the specification of “Citrix Common Forms Protocol”. This file is essentially an XML definition of the logon form.
In addition to the XML file, loginSchema contains advanced policy expressions to glean username and password from user’s login request. These expressions are optional, and could be omitted if username and password from user arrive with expected form variable names.
LoginSchema also defines, whether current set of credentials should be used as default SingleSignOn credentials.
A policyLabel is a collection of policies. It is a construct not alien to NetScaler’s Policy Infrastructure. PolicyLabel defines an authentication factor. That is, it contains all the policies necessary to determine whether credentials from user are satisfied. All the policies in a policyLabel can be assumed as homogenous. PolicyLabel for authentication cannot take policies of different type, say rewrite. To put in a different way, all the policies in a policylabel validate same password/credential from user, for the most part. The result of policies in a policyLabel follows logical OR condition. Hence, if the authentication specified by first policy succeeds, other policies following it are skipped.
Policylabel can be created as follows:
>add authentication policylabel mylabel –loginSchema <>
A policylabel takes loginSchema as the property. loginSchema defines the view for that policylabel. If loginschema is not given, an implicit loginschema, LSCHEMA_INT, is associated with that policylabel. LoginSchema decides whether a policylabel becomes passthrough (described below).
In NetScaler’s advanced policy infrastructure world, a virtual server is also an implicit policylabel. That’s because virtual server can also be bound with more than one policy. However, a virtual server is special because it is the entry point for client traffic and can take policies of a different types. Each of the policies it put under its own label within the virtual server. Hence, virtual server is a conglomeration of labels.
Whenever a policy is bound to a virtual server (vserver) or a policylabel, it can be specified with “nextFactor”. nextFactor determines what should be done if a given authentication succeeds. If there is no nextFactor, that concludes authentication process for that user.
Each policy bound to a vserver or policylabel can have a different nextFactor. This allows for ultimate flexibility where in every policy’s success can define a new path for user’s authentication. Administrator can take advantage of this fact and craft clever fallback factors for users who do not meet certain policies.
nFactor introduces a special kind of built-in policy called NO_AUTHN. NO_AUTHN policy always returns success as authentication result. It is created as shown below:
>add authentication policy noauthpolicy –rule <> -action NO_AUTHN
As can be seen above, no-authentication policy takes a rule that could be any advanced policy expression. Authentication result is always success from NO_AUTHN.
A no-auth policy in itself does not seem to add value. However, when used in conjunction with passthrough policylabels (described below), it offers great flexibility to make logical decisions to drive user authentication flow. NO_AUTHN policy and passthrough factors offer a new dimension to nfactor’s flexibility.
Please check example that depicts the usage of no-auth and passthrough in subsequent sections.
Once the user has passed the authentication at virtual server (for first factor), subsequent authentications happen at policylabels or user defined (secondary) factors.
Every policylabel/factor is associated with a loginSchema entity to display view for that factor. This allows for customizing views based on the path user would have taken to arrive at a given factor.
There are specialized kind of policylabels which do not point explicitly to a loginschema. Or they point to a loginschema that does not actually point to the XML file for the view. These policylabels/factors are called ‘passthrough’ factors.
Given below are the ways to create passthrough factors.
add authentication policylabel example1
add loginschema passthrough_schema –authenticationSchema noschema
add authentication policylabel example2 –loginschema passthrough_schema
Passthrough factor implies that AAA subsystem should not go back to user to get credential set for that factor. Instead, it is a hint for AAA to continue with already obtained credentials. This is useful in cases where user intervention is not desired. below are some examples:
- When user is presented two password fields. After the first factor, second factor does not need user intervention
- When authentication of a type (say certificate) is done, and administrator needs to extract groups for that user.
- Passthrough factor could be used with NO_AUTH policy to make conditional jumps. It is described below in a separate section.
nFactor Authentication flow
Authentication always begins at virtual server in nFactor. Virtual server defines the first factor for the user. The very first form that the user sees is served by the virtual server. The logon form that user sees can be customized at virtual server using loginSchema policies. If there are no loginSchema policies, a single username, single password field is shown to the user.
If user needs to be shown more than one password field on customized form, loginschema policies should be used. They allow for showing different forms based on the configured rules (such as intranet user vs external user, service provider A vs service provider B, etc).
Once user credentials are posted, authentication begins at authentication virtual server, the first factor. Since authentication virtual server can be configured with multiple policies, each of them is evaluated in sequence. At any given point, if an authentication policy succeeds, ‘nextFactor’ specified against it will be taken. If there is no nextFactor, authentication process ends. If nextFactor exists, it is checked if that factor is a passthrough factor or a regular factor. If that is passthrough, authentication policies on that factor are evaluated without user intervention. Otherwise, loginSchema associated with that factor is shown to the user.
Using passthrough factor and no-auth policies to make logical decisions
Example: Administrator would like to decide nextFactor based on groups
- Add authentication policylabel groupcheck
- Add authentication policy admingroup –rule http.req.user.is_member_of(“Administrators”) –action NO_AUTHN
- Add authentication policy nonadmins –rule true –action NO_AUTHN
- Bind authencation policylabel groupcheck –policy admingroup –pri 1 –nextFactor factor-for-admin
- Bind authentication policylabel groupcheck –policy nonadmins –pri 10 –nextfactor factor-for-others
- add authentication policy first_factor_policy –rule <> -action <>
- bind authentication vserver <> -policy first_factor_policy –priority 10 –nextFactor groupcheck
nFactor authentication flow is depicted in the following diagram:
Here are some possible solutions to this problem:
- Use a 3rd party WebDAV client such as BitKinex.
- Modify the default Filr WebDAV Authentication method from Digest to Basic authentication. This can be done from the Filr appliance’s 9443 interface under the WebDAV Authentication menu (as documented in the Filr Administration Guide).
IMPORTANT: When using Option #2, please ensure that your Filr site does NOT allow non-SSL access. Basic authentication which passes user credentials in clear-text should only be considered as an option when using SSL (https) to connect to the Filr site. Also, after re-configuring Filr to use Basic authentication, users will need to add the mapped folder to Filr again.