© 2015 Citrix
NetScaler and XenMobile Connectivity Diagnostics
May 2015
Dale McCoon
Senior Technical Relationship Manager
Agenda
• What the NetScaler can provide for XenMobile
  – Availability
  – Load Balancing
  – SSL Bridge vs. SSL Offload
  – Security
  – Kerberos Authentication with WorxMail
  – XenMobile NetScaler Connector
What the NetScaler can provide for XenMobile
Two easy to sell concepts
• Availability
  – I don’t want my infrastructure to go down
• Security
  – I don’t want other people to bring my infrastructure down
Availability
Availability
• MDM Load Balancing
  – Two methods of set up
  – MDM Wizard (recommended)
  – Manual set up
• SSL Bridge or SSL Offloading
  – Benefits/Considerations
  – Configuration
Examples of Communication flow (SSL Bridge)
MDM Wizard
NetScaler for XenMobile Wizard Selection
HTTP/s Communication
VServer Config
XenMobile Servers
SSL Offload
• Reasons for using SSL Offload
  – Decreased burden on backend servers to decrypt SSL traffic
  – Easier to manage SSL certificates in one central location
  – Plain text traffic on the internal network, if auditing requirements are a consideration
Enable SSL offload in XMS
Export the Device Certificate
Configuration Wizard
Troubleshooting
• Using nstcpdump to verify traffic
  – A variant of Unix based tcpdump
• nstrace to analyze
  – A fully functional tracing tool for capturing traffic traversing the NetScaler
nstcpdump.sh
• Used to view live traffic on the NetScaler to verify connectivity
nstrace.sh
• Useful for taking traces to analyze offline
• Filters available to narrow results and limit capture size
• Good for troubleshooting and diagnosing complex protocol level issues
Security
Security
• Kerberos Authentication with WorxMail
  – Secure Single Sign On solution
• XenMobile NetScaler Connector
  – Secure email access solution
Kerberos Authentication with WorxMail
• Kerberos Overview
  – What is it, how does it work
  – Configuration overview
• Troubleshooting
  – nskrb.debug
  – Communication analysis
Kerberos
• Kerberos can be used as a Single Sign On (SSO) mechanism on NetScaler
• When challenged by a server (through a 401 Negotiate), NetScaler fetches tickets on user’s behalf
• Two kinds of Kerberos SSO are possible
  – Kerberos SSO with constrained delegation
  – Kerberos SSO with impersonation
Kerberos in NetScaler Overview
• Support started in 9.3, 10.0 and 10.0.e, which used Likewise
• Starting from 10.1.120.X, Likewise is replaced with nskrb
• Starting from 10.1.120.e, Likewise is replaced with nskrb
• Major value added with nskrb:
  – No more Likewise
  – Domain join is no longer required
  – Performance is better
  – Kerberos tickets are cached on the NetScaler
  – User impersonation is supported
  – 3 options to enable NetScaler Kerberos Constrained Delegation (Keytab/DelegatedUserPassword/DelegatedUserCert)
  – PKINIT support
Keytab Config
• ktpass example:
  ktpass /princ host/[email protected] /ptype KRB5_NT_PRINCIPAL /mapuser nsi-test\svc_kcd1 /pass 1.citrix /out C:\kcd-nsi-test.keytab
• /princ: primary/instance@REALM
• /ptype: KRB5_NT_PRINCIPAL is the general principal type
• /mapuser: maps the principal to the user account
• /pass: specifies the password of the account the principal is mapped to
• /out: writes the shared secret key to the output file
Screenshots of user account in AD
Delegation Settings
Kerberos: Troubleshooting
• Common issues
  – DNS not configured correctly, e.g.:
    root@ns# /netscaler/nskrb kinit [email protected]
    [email protected]'s Password:
    kinit: krb5_get_init_creds: unable to reach any KDC in realm dale.com
  – Kerberos related ports are blocked by a firewall
  – Clock skew between NetScaler and AD too great
  – AD configuration incorrect
  – Delegation is not enabled
  – setspn was run with a different account (if the KCD account is added with a keytab or with a password)
  – Certificate mapping is not done (if the KCD account is added with the delegated user’s cert pair)
  – CA cert is not imported into AD (if the KCD account is added with the delegated user’s cert pair)
Firewall Ports Required to be Open for KCD Communication
Port   Protocol   Use
53     UDP/TCP    DNS
88     UDP/TCP    Kerberos
123    UDP        NTP
135    TCP        RPC Endpoint Mapper
137    UDP        NetBIOS Name Service
139    UDP/TCP    NetBIOS Session (SMB)
389    TCP        LDAP
445    UDP/TCP    SMB over TCP
464    UDP/TCP    Machine password changes (typically after 30 days)
3268   TCP        Global Catalog Search
Kerberos: Troubleshooting
How to debug a Kerberos error?
– Take an nstrace and filter for ‘Kerberos’
– Look at the AD event logs (Windows security log), event IDs 4768/4769/4770/4771
– Check /var/krb for cached tickets
– For Kerberos specific logging, enable it through the Windows registry:
  Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Registry Value: LogLevel
  Value Type: REG_DWORD
  Value Data: 0x1
Kerberos: Troubleshooting
• nskrb.debug
  – Insight into the authentication process for Kerberos
• Communication analysis
  – What does that 401 really mean?
nskrb.debug
• Similar function to aaad.debug but for Kerberos
• Provides debug level messaging for Kerberos authentication
• Error messages are based on standard Kerberos error codes
Common Error Codes
0x6 - KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database
1. The account does not actually exist.
2. A new account was added but has not yet replicated to the other KDCs.
3. Check whether the account is expired or has ‘logon restrictions’ enabled.
0x18 - KDC_ERR_PREAUTH_FAILED: Pre-authentication information was invalid
The wrong password was provided.
Verify that the time on the KDC matches the time on the client.
Common Error Codes
0x17 - KDC_ERR_KEY_EXPIRED: Password has expired – change the password to reset
The delegated user’s password has expired.
0x1C - KDC_ERR_PATH_NOT_ACCEPTED: KDC policy rejects transited path
1. A trust is incorrectly set up between two domains.
Resolution: Verify that there is a two-way transitive trust set up between the user’s domain and the domain on which the user is trying to access resources.
2. Constrained delegation is being attempted across multiple domains.
Resolution: Windows Server 2000/2003/2008 does not support constrained delegation across multiple domains.
Communication Analysis
XenMobile NetScaler Connector
XenMobile NetScaler Connector
• What it does/benefits
  – Email access solution
  – Used standalone or with XenMobile Device Manager
• Two methods of set up
  – XNC Wizard (recommended)
  – Manual set up
XNC Communication Flow
XenMobile NetScaler Connector
• How does it work?
  – 2 Responder policies
  – 2 HTTP Callouts
  – Exchange VServer and Services
  – XNC VServer and Services
  – Integrated Caching policies (applicable if licensed for Integrated Caching)
Troubleshooting
• Example of typical POST
• What's really happening with the HTTP callout
• Deconstructing the HTTP Callout and Responder policies
• Expected output and response
Example POST
POST /Microsoft-Server-ActiveSync?User=mydomain%5CDaleM&Cmd=GetItemEstimate&DeviceId=Samsung9999&DeviceType=Samsung HTTP/1.1
User-Agent: Samsung(SRPC)/7.3.00052/
Connection: keep-alive
X-MS-PolicyKey: 3164695099
MS-ASProtocolVersion: 14.1
Authorization: Basic bXlkb21haW5cdmlqYXk6WE5DLUxhYg==
Content-Type: application/vnd.ms-sync.wbxml
Content-Length: 236
Host: 10.217.146.53:80
Responder Policy
• add responder policy _XM_RESP_W_DEVICEID_3.3.3.3 "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\") && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(_XM_W_DEVICEID_3_3_3_3).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP
Deconstructing the HTTP Callout and Responder policies
• set policy httpCallout _XM_W_DEVICEID_3_3_3_3 -vServer _XM_LB_CACHE_3.3.3.3 -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") DeviceId(HTTP.REQ.URL.QUERY.VALUE("DeviceId")) -scheme http -resultExpr "HTTP.RES.BODY(20)"
HTTP Callout
Translated by the NetScaler
• Checking XNC connectivity for HTTP Callout issues. E.g. use a sample GET (this is exactly how the HTTP Callout feature makes a request to XNC):
GET /services/ActiveSync/Authorize?user=mydomain\Dale&agent=Apple-iPhone3C2&ip=10.217.145.51&url=aHR0cHM6Ly9uc2Nhcy50ZXN0cHJpc2UubmV0L01pY3Jvc29mdC1TZXJ2ZXItQWN0aXZlU3luYz9Vc2VyPXRlc3RwcmlzZS5uZXRca211c2VyMSZDbWQ9U3luYyZEZXZpY2VJZD1hbmRyb2lkYzEyMDQzNDM5NjEmRGV2aWNlVHlwZT1Ub3VjaERvd24=&resultType=json HTTP/1.1
Host: callout.demo.com
Result:
HTTP/1.1 200 OK
Content-Length: 7
Content-Type: application/json; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 08 May 2013 17:40:26 GMT

"allow"
• Expected behavior is “allow” or “deny”
• XNC logs are under C:\Program Files\Citrix\XenMobile NetScaler Connector\log
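Added example (not Citrix code, not part of the deck): a Python model of the responder policy and HTTP callout deconstructed above, fed with the sample POST from the Example POST slide, so the callout GET that XNC receives and the drop decision can be reasoned about offline. HTTP_URL_SAFE is approximated with percent-encoding, HTTP.REQ.HOSTNAME is assumed to return the Host header as-is, and the client IP is a constructed value.

```python
import base64
from urllib.parse import quote

# Constructed sample: the ActiveSync POST from the slide, reduced to the fields the policy reads.
SAMPLE_POST = {
    "method": "POST",
    "url": "/Microsoft-Server-ActiveSync?User=mydomain%5CDaleM&Cmd=GetItemEstimate&DeviceId=Samsung9999&DeviceType=Samsung",
    "headers": {"Host": "10.217.146.53:80", "User-Agent": "Samsung(SRPC)/7.3.00052/",
                "Authorization": "Basic bXlkb21haW5cdmlqYXk6WE5DLUxhYg=="},
    "client_ip": "10.217.145.51",  # constructed stand-in for CLIENT.IP.SRC
}

def b64(s): return base64.b64encode(s.encode()).decode()

def query_value(url, key):
    """Approximates HTTP.REQ.URL.QUERY.VALUE(key): raw value of the first matching parameter."""
    for pair in url.partition("?")[2].split("&"):
        k, _, v = pair.partition("=")
        if k == key:
            return v
    return ""

def policy_applies(req):
    """Clauses 1-4 of _XM_RESP_W_DEVICEID: ActiveSync POSTs carrying a DeviceId, minus the callout's own request."""
    return ("DeviceId" in req["url"].partition("?")[2]
            and req["url"].startswith("/Microsoft-Server-ActiveSync")
            and req["method"] == "POST"
            and req["headers"].get("Host") != "callout.asfilter.internal")

def build_callout(req):
    """Reproduce the -parameters of _XM_W_DEVICEID; returns (param dict, GET request text)."""
    hdr = req["headers"]
    auth = hdr.get("Authorization", "")
    # AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":"): only the username is forwarded, never the password.
    creds = base64.b64decode(auth.partition("Basic ")[2]).decode() if "Basic " in auth else ""
    params = {
        "user": quote(creds.partition(":")[0], safe=""),   # HTTP_URL_SAFE approximated by percent-encoding
        "agent": quote(hdr.get("User-Agent", ""), safe=""),
        "ip": req["client_ip"],
        "url": b64("https://" + hdr["Host"] + req["url"]),  # assumes HTTP.REQ.HOSTNAME returns the Host header as-is
        "resultType": "json",
        "DeviceId": query_value(req["url"], "DeviceId"),
    }
    qs = "&".join(f"{k}={v}" for k, v in params.items())
    return params, f"GET /services/ActiveSync/Authorize?{qs} HTTP/1.1\r\nHost: callout.asfilter.internal\r\n\r\n"

def responder_action(callout_body):
    """-resultExpr HTTP.RES.BODY(20) hands the first 20 bytes of the XNC reply to CONTAINS("allow") (IGNORECASE);
    anything else (a "deny", an empty reply, an HTML error page from a broken callout) hits .NOT -> DROP, i.e. fails closed."""
    return "DROP" if "allow" not in callout_body[:20].lower() else "CONTINUE"
```

Because the match is a case-insensitive substring test on the first 20 bytes, a callout that times out or returns an error page drops the client's request rather than letting it through; that is the behaviour to expect when XNC is unreachable.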
Wrap up
• NetScaler provides an end to end security and availability solution for XenMobile deployments
• MDM Load balancing is fairly straight forward
• Kerberos deployments have a lot of moving parts but knowing each part is essential for troubleshooting
Resources
• http://support.citrix.com/article/CTX200063
• http://support.citrix.com/article/CTX200220
• http://blogs.citrix.com/2014/10/06/how-to-single-sign-on-to-xenmobile-worxmail/
• https://andromeda.rutgers.edu/~sysmail/krb5_error.html
Questions?
Before you leave…
• Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 14 at 9:00 a.m.
  – Those who provide feedback by 6pm, Friday, May 15th will receive:
  – $20 Amazon e-gift card
  – Name entered in a drawing for a free trip to Synergy 2016 (5 chances)
• Download presentations starting Monday, May 18th from the My Event Planning tool
Work better. Live better.