NetScaler and XenMobile Connectivity Diagnostics
May 2015

Dale McCoon
Senior Technical Relationship Manager

© 2015 Citrix



Agenda

• What the NetScaler can provide for XenMobile
  – Availability
    – Load Balancing
    – SSL Bridge vs. SSL Offload
  – Security
    – Kerberos Authentication with WorxMail
    – XenMobile NetScaler Connector


What the NetScaler can provide for XenMobile

Two easy-to-sell concepts

• Availability – I don't want my infrastructure to go down
• Security – I don't want other people to bring my infrastructure down


Availability


Availability

• MDM Load Balancing
  – Two methods of set up
    – MDM Wizard (recommended)
    – Manual set up
• SSL Bridge or SSL Offloading
  – Benefits/Considerations
  – Configuration


Examples of Communication flow (SSL Bridge)


MDM Wizard


NetScaler for XenMobile Wizard Selection


HTTP/s Communication


VServer Config


XenMobile Servers


SSL Offload

• Reasons for using SSL Offload
  – Decreased burden on backend servers to decrypt SSL traffic
  – Easier to manage SSL certificates in one central location
  – Plain text traffic on the internal network, if auditing requirements are a consideration


Enable SSL offload in XMS


Export the Device Certificate


Configuration Wizard



Troubleshooting

• Using NSTCPDUMP to verify traffic
  – A variant of Unix-based TCPDUMP
• NSTRACE to analyze
  – A fully functional tracing tool for capturing traffic traversing the NetScaler


Nstcpdump.sh

• Used to view live traffic on NetScaler to verify connectivity


nstrace.sh

• Useful for taking traces to analyze offline

• Filters available to narrow results and limit capture size

• Good for troubleshooting and diagnosing complex protocol level issues


Security


Security

• Kerberos Authentication with WorxMail – Secure Single Sign On solution
• XenMobile NetScaler Connector – Secure Email Access solution


Kerberos Authentication with WorxMail

• Kerberos Overview
  – What is it, how does it work
  – Configuration Overview
• Troubleshooting
  – nskrb.debug
  – Communication Analysis


Kerberos

• Kerberos can be used as a Single Sign On (SSO) mechanism on NetScaler
• When challenged by a server (through a 401 Negotiate), NetScaler fetches tickets on the user's behalf
• Two kinds of Kerberos SSO are possible
  – Kerberos SSO with constrained delegation
  – Kerberos SSO with impersonation


Kerberos in NetScaler Overview

• Started supporting from: 9.3, 10.0, 10.0.e – were using likewise
• Starting from 10.1.120.X – likewise is replaced with nskrb
• Starting from 10.1.120.e – likewise is replaced with nskrb
• Major value add with nskrb:
  – No more likewise
  – Domain join is no longer required
  – Performance is better
  – Kerberos tickets are cached on NS
  – User impersonation is supported
  – 3 options to enable NS Kerberos Constrained Delegation (Keytab/DelegatedUserPassword/DelegatedUserCert)
  – PKINIT support


Keytab Config

• Ktpass example:

  ktpass /princ host/[email protected] /ptype KRB5_NT_PRINCIPAL /mapuser nsi-test\svc_kcd1 /pass 1.citrix /out C:\kcd-nsi-test.keytab

• /princ: primary/instance@REALM
• /ptype: KRB5_NT_PRINCIPAL is the general principal type
• /mapuser: maps the principal to a user account
• /pass: specifies the password for the principal username specified
• /out: writes the shared secret key to the output file


Screenshots of user account in AD


Delegation Settings


Kerberos: Troubleshooting

• Common issues
  – DNS not configured correctly:
    root@ns# /netscaler/nskrb kinit [email protected]
    [email protected]'s Password:
    kinit: krb5_get_init_creds: unable to reach any KDC in realm dale.com
  – Kerberos related ports are blocked by firewall
  – Clock skew between NetScaler and AD too great
  – AD configuration incorrect
    – Delegation is not enabled
    – Setspn is done with a different account (if KCD account is added with a different keytab or with password)
    – Certificate mapping is not done (if KCD account is added with delegatedUser's cert pair)
    – CA cert is not imported to AD (if KCD account is added with delegatedUser's cert pair)


Firewall Ports Required to be Open for KCD Communication

Port   Protocol   Use
53     UDP/TCP    DNS
88     UDP/TCP    Kerberos
123    UDP        NTP
135    TCP        RPC Endpoint Mapper
137    UDP        NetBIOS Name Service
139    UDP/TCP    NetBIOS Session (SMB)
389    TCP        LDAP
445    UDP/TCP    SMB over TCP
464    UDP/TCP    Machine password changes (typically after 30 days)
3268   TCP        Global Catalog Search


Kerberos: Troubleshooting

How to debug a Kerberos error?
  – Take nstrace and filter for 'Kerberos'
  – Look at AD event logs (Windows security log), event IDs 4768/4769/4770/4771
  – Check /var/krb for cached tickets
  – For Kerberos-specific logging, enable it through the Windows registry:
    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Registry Value: LogLevel
    Value Type: REG_DWORD
    Value Data: 0x1


Kerberos: Troubleshooting

• nskrb.debug – insight into the authentication process for Kerberos
• Communication analysis – what does that 401 really mean?


Nskrb.debug

• Similar function to aaad.debug but for Kerberos

• Provides debug level messaging for Kerberos authentication

• Error messages are based on standard Kerberos error codes


Common Error Codes

0x6 - KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database

1. The account does not actually exist.
2. A new account was added but has not yet replicated to the other KDCs.
3. Check whether the account is expired or has 'logon restrictions' enabled.

0x18 - KDC_ERR_PREAUTH_FAILED: Pre-authentication information was invalid

The wrong password was provided.
Verify that the time on the KDC matches the time on the client.


Common Error Codes

0x17 - KDC_ERR_KEY_EXPIRED: Password has expired – change password to reset

The delegated user's password has expired.

0x1C - KDC_ERR_PATH_NOT_ACCEPTED: KDC policy rejects transited path

1. A trust is incorrectly set up between two domains.
   Resolution: verify that there is a two-way transitive trust set up between the user's domain and the domain on which the user is trying to access resources.
2. Constrained delegation is being attempted across multiple domains.
   Resolution: 2000/2003/2008 do not support constrained delegation across multiple domains.


Communication Analysis


XenMobile NetScaler Connector


XenMobile NetScaler Connector

• What it does/benefits
  – Email access solution
  – Used standalone or with XenMobile Device Manager
• Two methods of set up
  – XNC Wizard (recommended)
  – Manual set up


XNC Communication Flow


XenMobile NetScaler Connector

• How does it work?
  – 2 Responder policies
  – 2 HTTP Callouts
  – Exchange VServer and Services
  – XNC VServer and Services
  – Integrated Caching policies (applicable if licensed for Integrated Caching)


Troubleshooting

• Example of typical POST

• What's really happening with the HTTP callout

• Deconstructing the HTTP Callout and Responder policies

• Expected output and response


Example POST

POST /Microsoft-Server-ActiveSync?User=mydomain%5CDaleM&Cmd=GetItemEstimate&DeviceId=Samsung9999&DeviceType=Samsung HTTP/1.1
User-Agent: Samsung(SRPC)/7.3.00052/
Connection: keep-alive
X-MS-PolicyKey: 3164695099
MS-ASProtocolVersion: 14.1
Authorization: Basic bXlkb21haW5cdmlqYXk6WE5DLUxhYg==
Content-Type: application/vnd.ms-sync.wbxml
Content-Length: 236
Host: 10.217.146.53:80


Responder Policy

• add responder policy _XM_RESP_W_DEVICEID_3.3.3.3 "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\") && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(_XM_W_DEVICEID_3_3_3_3).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP


Deconstructing the HTTP Callout and Responder policies

• set policy httpCallout _XM_W_DEVICEID_3_3_3_3 -vServer _XM_LB_CACHE_3.3.3.3 -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") DeviceId(HTTP.REQ.URL.QUERY.VALUE("DeviceId")) -scheme http -resultExpr "HTTP.RES.BODY(20)"


HTTP Callout


Translated by the NetScaler

• Checking XNC for connectivity for HTTP callout issues. E.g.: use a sample GET (this is exactly how the HTTP Callout feature makes a request to XNC):

GET /services/ActiveSync/Authorize?user=mydomain\Dale&agent=Apple-iPhone3C2&ip=10.217.145.51&url=aHR0cHM6Ly9uc2Nhcy50ZXN0cHJpc2UubmV0L01pY3Jvc29mdC1TZXJ2ZXItQWN0aXZlU3luYz9Vc2VyPXRlc3RwcmlzZS5uZXRca211c2VyMSZDbWQ9U3luYyZEZXZpY2VJZD1hbmRyb2lkYzEyMDQzNDM5NjEmRGV2aWNlVHlwZT1Ub3VjaERvd24=&resultType=json HTTP/1.1
Host: callout.demo.com

Result:

HTTP/1.1 200 OK
Content-Length: 7
Content-Type: application/json; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 08 May 2013 17:40:26 GMT

"allow"

• Expected behavior is "allow" or "deny"
• XNC logs are under C:\Program Files\Citrix\XenMobile NetScaler Connector\log
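A Python model of the responder policy, the HTTP callout definition and the sample GET above, added here as an illustration (it is not Citrix code or the deck's own configuration): it extracts the callout parameters from a sample POST the way the -parameters expressions do, builds the GET that reaches XNC, and applies the DROP-unless-"allow" decision against a stand-in XNC. The parse helper, the simulated XNC, the client IP and the dummy credential are assumptions, and HTTP_URL_SAFE is approximated with urllib's quote().

```python
import base64
from urllib.parse import parse_qs, quote, urlsplit

# Constructed request modelled on the deck's "Example POST"; the credential is a dummy.
SAMPLE_POST = (
    "POST /Microsoft-Server-ActiveSync?User=mydomain%5CDaleM&Cmd=GetItemEstimate"
    "&DeviceId=Samsung9999&DeviceType=Samsung HTTP/1.1\r\n"
    "User-Agent: Samsung(SRPC)/7.3.00052/\r\n"
    "Authorization: Basic " + base64.b64encode(b"mydomain\\DaleM:dummy-pw").decode() + "\r\n"
    "Host: 10.217.146.53:80\r\n\r\n"
)

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into method, URL and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, url, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": url, "headers": headers}

def build_callout_params(req: dict, client_ip: str) -> dict[str, str]:
    """Mirror the -parameters list of the _XM_W_DEVICEID callout."""
    b64 = req["headers"].get("authorization", "").partition("Basic ")[2]   # AFTER_STR
    user = (base64.b64decode(b64).decode("utf-8", "replace") if b64 else "").partition(":")[0]
    host = req["headers"].get("host", "")    # HTTP.REQ.HOSTNAME, Host header as sent
    return {
        "user": quote(user, safe=""),        # HTTP_URL_SAFE, approximated with quote()
        "agent": quote(req["headers"].get("user-agent", ""), safe=""),
        "ip": client_ip,                      # CLIENT.IP.SRC
        "url": base64.b64encode(("https://" + host + req["url"]).encode()).decode(),
        "resultType": "json",
        "DeviceId": parse_qs(urlsplit(req["url"]).query).get("DeviceId", [""])[0],
    }

def callout_request_line(params: dict[str, str]) -> str:
    """The GET that the callout sends to XNC (urlStemExpr plus parameters)."""
    return "GET /services/ActiveSync/Authorize?" + "&".join(f"{k}={v}" for k, v in params.items()) + " HTTP/1.1"

def evaluate_responder(raw: str, client_ip: str, callout) -> str:
    """Return 'DROP' when _XM_RESP_W_DEVICEID fires, else 'PASS' (request goes on to Exchange)."""
    req = parse_request(raw)
    if not ("DeviceId" in urlsplit(req["url"]).query                    # QUERY.CONTAINS
            and req["url"].startswith("/Microsoft-Server-ActiveSync")   # URL.STARTSWITH
            and req["method"] == "POST"                                 # METHOD.EQ(POST)
            # HOSTNAME.EQ(...).NOT keeps the callout's own request from re-triggering the policy
            and req["headers"].get("host", "").lower() != "callout.asfilter.internal"):
        return "PASS"
    body = callout(build_callout_params(req, client_ip))[:20]            # HTTP.RES.BODY(20)
    return "PASS" if "allow" in body.lower() else "DROP"                 # CONTAINS("allow").NOT

def simulated_xnc(params: dict[str, str]) -> str:
    """Constructed stand-in for XNC: allow one known device ID, deny the rest."""
    return '"allow"' if params["DeviceId"] == "Samsung9999" else '"deny"'
```

Requests without DeviceId never match this policy here; on the NetScaler they are the job of the second responder policy the deck lists.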


Wrap up

• NetScaler provides an end-to-end security and availability solution for XenMobile deployments
• MDM load balancing is fairly straightforward
• Kerberos deployments have a lot of moving parts, but knowing each part is essential for troubleshooting


Resources

• http://support.citrix.com/article/CTX200063

• http://support.citrix.com/article/CTX200220

• http://blogs.citrix.com/2014/10/06/how-to-single-sign-on-to-xenmobile-worxmail/

• https://andromeda.rutgers.edu/~sysmail/krb5_error.html


Questions?


Before you leave…

• Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 14 at 9:00 a.m.
  – Those who provide feedback by 6pm, Friday, May 15th will receive:
    – $20 Amazon e-gift card
    – Name entered in a drawing for a free trip to Synergy 2016 (5 chances)

Download presentations starting Monday, May 18th from the My Event Planning tool

Work better. Live better.