Pleased to see that Kerberos authentication has made it into v18, as STAS has proved challenging.
Can somebody confirm it will replace (or remove the need for) STAS entirely and also STAC for those that use Citrix?
Thanks,
RF
Pleased to see that Kerberos authentication has made it into v18, as STAS has proved challenging.
Can somebody confirm it will replace (or remove the need for) STAS entirely and also STAC for those that use Citrix?
Thanks,
RF
Kerberos is a very different method than STAS. There are environments where STAS may still be the better option.
Most customers using NTLM will switch to Kerberos. By default upgraded customers will still use NTLM (reduce change) but I recommend all NTLM environments consider switching.
Some customers using STAS will switch to Kerberos. Any STAS environments will need to evaluate whether Kerberos serves their needs. However in general, if they have already chosen STAS over NTLM, they will choose STAS over Kerberos.
STAS will continue to exist for customers who want to use it.
When using Citrix there is a the problem where many users are coming from the same IP, and Kerberos does not change that. SATC is still the solution there.
Michael,
Thanks for the detailed reply. I'd be interested to understand why customers would choose STAS over Kerberos if it is available?
In our environment, STAS can be (despite many configuration tweaks) a little hit and miss. We have had scenarios where the user account has been located in the event log, and added to the STAS live users DB, but the user still cannot authenticate successfully against the XG. In most of these cases, restarting the STAS service will fix the problem.
Am I right in thinking that Kerberos would effectively be single sign-on, and that the users wouldn't need to manually authenticate with the XG?
I take the point regarding STAC, and that a Citrix environment is a different challenge - but I would have thought that if Kerberos is supported, it'd be no different for a Citrix user to authenticate with the XG than it would be with a file share or printer?
RF
First of all, I am not an expert in STAS or SATC. Archtectually I know how they work, operationally I do not.
Rockfish said:Thanks for the detailed reply. I'd be interested to understand why customers would choose STAS over Kerberos if it is available?
I'm going to throw the question right back at you. As a customer, why did you chose STAS over NTLM?
NTLM and Kerberos are very similar and have a lot of the same benefits and drawbacks.
If you considered NTLM and decided against it, why? The same reason may apply for Kerberos.
If you never considered NTLM, why? The same reason may apply for Kerberos.
STAS vs AD SSO (irregardless of NTLM or Kerberos)
STAS effectively is asking the AD Server "What user at this IP?"
AD SSO (Active Directory Single Sign On) is effectively asking each IP "What user are you?"
AD SSO works great for browsers and any application which makes internet connections that implements proper authentication. But maybe you have xyz software that comes bundled with an updater that periodically goes to xyz.com to get software updates. And that updater was not built to handle authentication. Requests that come in the middle of the night come as unauthenticated requests and that stupid updater doesn't know how to speak NTLM/Kerberos so it fails to update.
The way AD SSO (NTLM or Kerberos) works is that once you are authenticated, your login is cached for some time (default ~5 min) and all traffic from that IP is assumed to come from the same user. So if you are using a browser (which knows how to authenticate) and your stupid updater runs, the updater is allowed because the user is cached.
The point being that STAS effectively is communication between one XG and one AD server. AD SSO (NTLM or Kerberos) is communication between one XG and thousands of applications running on hundreds of clients. STAS is a single point of failure with high impact- which unfortunately fails often for some admins. AD SSO is a thousand points of failure but the impact is quite low - and it will fail all the time.
Notice how I don't say Kerberos, I say AD SSO. Because whether the client application sends credentials via NTLM to the XG or the client application sends a kerberos ticket to the XG, it is still the client application knowing how to authenticate.
As a separate issue, AD SSO is a web technology. It authenticates HTTP and HTTPS traffic, sets the user for that IP, and then all traffic from that IP is that user (such as SSH sessions or TCP connections to a Clash of Clans server on some high level port). AD SSO requires there to be web traffic to do the authentication. STAS is not a web technology. It can associate users and IPs even if there is no web traffic.
First of all, I am not an expert in STAS or SATC. Archtectually I know how they work, operationally I do not.
Rockfish said:Thanks for the detailed reply. I'd be interested to understand why customers would choose STAS over Kerberos if it is available?
I'm going to throw the question right back at you. As a customer, why did you chose STAS over NTLM?
NTLM and Kerberos are very similar and have a lot of the same benefits and drawbacks.
If you considered NTLM and decided against it, why? The same reason may apply for Kerberos.
If you never considered NTLM, why? The same reason may apply for Kerberos.
STAS vs AD SSO (irregardless of NTLM or Kerberos)
STAS effectively is asking the AD Server "What user at this IP?"
AD SSO (Active Directory Single Sign On) is effectively asking each IP "What user are you?"
AD SSO works great for browsers and any application which makes internet connections that implements proper authentication. But maybe you have xyz software that comes bundled with an updater that periodically goes to xyz.com to get software updates. And that updater was not built to handle authentication. Requests that come in the middle of the night come as unauthenticated requests and that stupid updater doesn't know how to speak NTLM/Kerberos so it fails to update.
The way AD SSO (NTLM or Kerberos) works is that once you are authenticated, your login is cached for some time (default ~5 min) and all traffic from that IP is assumed to come from the same user. So if you are using a browser (which knows how to authenticate) and your stupid updater runs, the updater is allowed because the user is cached.
The point being that STAS effectively is communication between one XG and one AD server. AD SSO (NTLM or Kerberos) is communication between one XG and thousands of applications running on hundreds of clients. STAS is a single point of failure with high impact- which unfortunately fails often for some admins. AD SSO is a thousand points of failure but the impact is quite low - and it will fail all the time.
Notice how I don't say Kerberos, I say AD SSO. Because whether the client application sends credentials via NTLM to the XG or the client application sends a kerberos ticket to the XG, it is still the client application knowing how to authenticate.
As a separate issue, AD SSO is a web technology. It authenticates HTTP and HTTPS traffic, sets the user for that IP, and then all traffic from that IP is that user (such as SSH sessions or TCP connections to a Clash of Clans server on some high level port). AD SSO requires there to be web traffic to do the authentication. STAS is not a web technology. It can associate users and IPs even if there is no web traffic.