Skip to content

aaa-kcdAccount

The following operations can be performed on "aaa-kcdAccount":

add| unset| check| rm| show| set|

add aaa kcdAccount

Add a Kerberos constrained delegation account.

Synopsis

add aaa kcdAccount {-keytab } {-realmStr } {-delegatedUser } {-kcdPassword } {-usercert } {-cacert } [-userRealm ] [-enterpriseRealm ] [-serviceSPN ]

Arguments

kcdAccount The name of the KCD account.

keytab The path to the keytab file. If specified other parameters in this command need not be given

realmStr Kerberos Realm.

delegatedUser Username that can perform kerberos constrained delegation.

kcdPassword Password for Delegated User.

usercert SSL Cert (including private key) for Delegated User.

cacert CA Cert for UserCert or when doing PKINIT backchannel.

userRealm Realm of the user

enterpriseRealm Enterprise Realm of the user. This should be given only in certain KDC deployments where KDC expects Enterprise username instead of Principal Name

serviceSPN Service SPN. When specified, this will be used to fetch kerberos tickets. If not specified, Citrix ADC will construct SPN using service fqdn

Example

add aaa kcdaccount my_kcd_acct -keytab /var/mykcd.keytab add aaa kcdaccount my_kcd_acct -keytab The above example adds a Kerberos constrained delegation account my_kcd_acct, with the keytab file located at /var/mykcd.keytab

unset aaa kcdAccount

Unset the KCD account information..Refer to the set aaa kcdAccount command for meanings of the arguments.

Synopsis

unset aaa kcdAccount [-usercert] [-cacert] [-userRealm] [-enterpriseRealm] [-serviceSPN]

check aaa kcdAccount

Check Kerberos configuration.

Synopsis

check aaa kcdAccount -realmStr -delegatedUser -kcdPassword -serviceSPN [-userRealm ]

Arguments

realmStr Active Directory Domain

delegatedUser Service Account Name

kcdPassword Service Account Password

serviceSPN Service FQDN

userRealm Impersonate user

Example

check aaa kcdAccount -realmStr AAA.LOCAL -delegatedUser svc_iis3 -kcdPassword -serviceSPN iis3.aaa.local -userRealm ak1

rm aaa kcdAccount

Remove the KCD account.

Synopsis

rm aaa kcdAccount

Arguments

kcdAccount The KCD account name.

show aaa kcdAccount

Display KCD accounts.

Synopsis

show aaa kcdAccount []

Arguments

kcdAccount The KCD account name.

Output

keytab The path to the keytab file. If specified other parameters in this command need not be given

principle SPN extracted from keytab file.

kcdSPN Host SPN extracted from keytab file.

realmStr Kerberos Realm.

delegatedUser Username that can perform kerberos constrained delegation.

kcdPassword Password for Delegated User.

usercert SSL Cert (including private key) for Delegated User.

cacert CA Cert for UserCert or when doing PKINIT backchannel.

userRealm Realm of the user

enterpriseRealm Enterprise Realm of the user. This should be given only in certain KDC deployments where KDC expects Enterprise username instead of Principal Name

serviceSPN Service SPN. When specified, this will be used to fetch kerberos tickets. If not specified, Citrix ADC will construct SPN using service fqdn

stateflag devno count

Example

Example

show aaa kcdaccount my_kcd_acct KcdAccount: my_kcd_acct Keytab: /var/mykcd.keytab Done

set aaa kcdAccount

Set the KCD account information.

Synopsis

set aaa kcdAccount [-keytab ] [-realmStr ] [-delegatedUser ] [-kcdPassword ] [-usercert ] [-cacert ] [-userRealm ] [-enterpriseRealm ] [-serviceSPN ]

Arguments

kcdAccount The name of the KCD account.

keytab The path to the keytab file. If specified other parameters in this command need not be given

realmStr Kerberos Realm.

delegatedUser Username that can perform kerberos constrained delegation.

kcdPassword Password for Delegated User.

usercert SSL Cert (including private key) for Delegated User.

cacert CA Cert for UserCert or when doing PKINIT backchannel.

userRealm Realm of the user

enterpriseRealm Enterprise Realm of the user. This should be given only in certain KDC deployments where KDC expects Enterprise username instead of Principal Name

serviceSPN Service SPN. When specified, this will be used to fetch kerberos tickets. If not specified, Citrix ADC will construct SPN using service fqdn

Example

set aaa kcdaccount my_kcd_acct -keytab /var/hiskcd.keytab The above command sets the keytab location for KCD account my_kcd_acct to /var/hiskcd.keytab

Was this article helpful?