Domain Controller (LDAPS) Load Balancing – NetScaler 10.5

Last Modified: Nov 7, 2020 @ 6:34 am

Overview

If you plan to use LDAP (Active Directory) for NetScaler Gateway or NetScaler management authentication, load balance the Domain Controllers that are used for authentication.

An alternative to load balancing is to configure NetScaler Gateway and NetScaler management authentication with multiple authentication policies, each pointing to a single Domain Controller. However, NetScaler will try each authentication policy until it finds one that works. If the user enters a wrong password and if you have three authentication policies pointing to different Domain Controllers in the same domain then three different failure attempts will be recorded thus causing premature account lockout. Use Load Balancing to avoid this behavior.

This page details LDAPS, aka Secure LDAP. This protocol requires certificates to be installed on the Domain Controllers. When a user’s password expires, Active Directory does not allow password changes over clear text LDAP so LDAPS must be used instead. Make sure you have certificates installed on your Domain Controllers. The easiest way to accomplish that is to deploy a Microsoft Certificate Authority. Once that’s done the Domain Controllers will request certificates automatically.

An ldaps monitor can be used to verify that the Domain Controller is functional. The ldaps monitor will login as an account, perform an LDAP query, and look for a successful response. The ldaps monitor uses a service account to login. Make sure the service account’s password does not expire. Domain User permissions are sufficient. Since this monitor is a Perl script, it uses NSIP as the source IP.

If you have Domain Controllers in multiple datacenters, you can create multiple load balancing Virtual Servers and cascade them so that the local Domain Controllers are used first, and if they’re not available, then the Virtual Server fails over to Domain Controllers in remote datacenters.

The Load Balancing Virtual Server for LDAPS can be TCP or SSL_TCP:

  • If the protocol is TCP, then SSL-encrypted LDAP traffic is not terminated on the NetScaler, and is simply forwarded to the LDAP servers. If your LDAP client needs to verify the LDAP server certificate, then this Load Balancing configuration will not work, since each back-end LDAP server will have a different certificate.
  • If your Load Balancing Virtual Server is protocol SSL_TCP, then a certificate must be installed on the NetScaler and bound to the Load Balancing Virtual Server. SSL is terminated at the NetScaler and re-encrypted before sending it to the destination Domain Controller. The primary benefit of NetScaler SSL termination is that your LDAP clients can verify the Virtual Server SSL certificate.

When NetScaler uses a local (same appliance) load balanced Virtual Server for LDAPS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a Domain Controller without going through a local Load Balancing Virtual Server, or if NetScaler uses a remote (different appliance) Load Balancing VIP, then the traffic is sourced from the NetScaler NSIP (NetScaler IP). Adjust firewall rules accordingly.

LDAPS Monitor

LDAPS monitor instructions from Citrix article CTX117943 – Secure LDAP Monitor Does not Work. Note: Perl monitor uses NSIP as the source IP.

  1. Use WinSCP or similar to connect to the NetScaler appliance.
  2. On the right, navigate to /netscaler/monitors.
  3. Right-click nsldap.pl, and click Duplicate.
  4. Change the target remote directory to /nsconfig/monitors/nsldaps.pl, and check the box next to Duplicate via local temporary copy. Click OK. The source file is in the /netscaler/monitors directory, but it needs to be copied to the /nsconfig/monitors directory.
  5. Navigate to /nsconfig/monitors. Right-click the new nsldaps.pl file, and click Edit.
  6. Search for the following entry in the file:
    my $ldap=Net::LDAP->new($_[0].":".$_[1],Timeout=>$_[3])
  7. Replace the entry with the following entry. The only change is the addition of: scheme=>'ldaps'
    my $ldap=Net::LDAP->new($_[0].":".$_[1],scheme=>'ldaps',Timeout=>$_[3])
  8. Save the file.
  9. Right-click the nsldaps.pl file, and click Properties.
  10. Check the X box in all three rows, and click OK.
  11. Use WinSCP to download the nsldaps.pl file to your computer, and then copy it to the secondary appliance in the /nsconfig/monitors directory.
  12. In the NetScaler Configuration Utility, expand Traffic Management, expand Load Balancing, and click Monitors.
  13. On the right, click Add.
  14. Name the monitor ldaps-Corp or similar. The ldaps monitor logs into Active Directory, performs an LDAP query, and looks for a successful response. The monitor configuration has domain specific information, so if you have multiple Active Directory domains, then you will need multiple ldaps monitors. Include the domain name in the monitor name.
  15. Change the Type to LDAP.
  16. On the Special Parameters tab, use the Script Name drop-down list to select the nsldaps.pl file.
  17. In the Base DN field, enter your domain name in LDAP format (e.g. dc=company,dc=com)
  18. In the Bind DN field, enter the UPN login (e.g. ctxsvc@company.com) of a service account in the domain that can browse all objects. Any normal Domain User should be sufficient. Just make sure the password doesn’t expire.
  19. In the Filter field, enter cn=builtin. This limits the search results.
  20. In the Password field, enter the password for the service account. Make sure there is no semicolon in the password or the script will be unable to parse the parameters.
  21. Click Create.

    add lb monitor LDAP-Corp LDAP -scriptName nsldaps.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Passw0rd -secure YES -baseDN "dc=corp,dc=local" -bindDN "corp\\ctxsvc" -filter cn=builtin
  22. If you have multiple domains, then create additional monitors: one for each domain.
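What the ldaps monitor does on the wire (bind as the service account, run one search, treat LDAP resultCode 0 as healthy), together with the Overview's point that a client behind a TCP pass-through VIP cannot verify the server certificate, as an added Python example. It is not the nsldap.pl/nsldaps.pl script from the page and not Citrix code; it hand-encodes the two LDAP operations in BER so that it runs with the standard library only. The host, port, service account, base DN and cn=builtin filter passed to `probe()` are placeholders, `verify_cert` is this example's own switch rather than a NetScaler parameter, and the `BIND_OK`/`BIND_BAD_PASSWORD` replies are constructed bytes, not captures from a real Domain Controller.

```python
# LDAPS health probe: simple bind, one search, require LDAP resultCode 0.
# Added example, not the page's nsldap.pl/nsldaps.pl Perl monitor.
import socket
import ssl

LDAP_SUCCESS, SEARCH_ENTRY = 0, 0x64      # SearchResultEntry tag; 0x65 is SearchResultDone

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int) -> bytes:         # non-negative INTEGER (message IDs, version, limits)
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def build_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple auth [0]."""
    bind = ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))

def build_search_request(msg_id: int, base_dn: str, attr: str, value: str) -> bytes:
    """SearchRequest [APPLICATION 3] with an equalityMatch filter (attr=value)."""
    eq_filter = tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value.encode()))
    search = (tlv(0x04, base_dn.encode())                    # baseObject
              + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00")      # scope wholeSubtree, deref never
              + ber_int(0) + ber_int(5)                       # sizeLimit none, timeLimit 5 s
              + tlv(0x01, b"\x00") + eq_filter                # typesOnly FALSE, then the filter
              + tlv(0x30, tlv(0x04, b"1.1")))                 # attributes "1.1" = return none
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, search))

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N octets hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def split_message(message: bytes):
    """(messageID, protocolOp tag, protocolOp payload) of one LDAPMessage."""
    _, body, _ = read_tlv(message)
    _, mid, pos = read_tlv(body)
    op, fields, _ = read_tlv(body, pos)
    return int.from_bytes(mid, "big"), op, fields

def parse_result(message: bytes):
    """(messageID, opTag, resultCode, diagnosticMessage) of a BindResponse/SearchResultDone."""
    mid, op, fields = split_message(message)
    _, code, pos = read_tlv(fields)        # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(fields, pos)
    _, diag, _ = read_tlv(fields, pos)     # diagnosticMessage
    return mid, op, int.from_bytes(code, "big"), diag.decode(errors="replace")

def recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from a socket."""
    def exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("peer closed the connection")
            data += chunk
        return data
    head = exact(2)
    length = head[1]
    if length & 0x80:
        extra = exact(length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + exact(length)

def probe(host, port, bind_dn, password, base_dn, attr, value,
          verify_cert=True, cafile=None, timeout=5.0):
    """Return (healthy, detail). verify_cert=False: TCP pass-through VIP (cert names a DC, not the VIP)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_bind_request(1, bind_dn, password))
        _, _, code, diag = parse_result(recv_message(tls))
        if code != LDAP_SUCCESS:           # 49 = invalidCredentials: a failed logon attempt
            return False, f"bind failed: code {code} {diag}"
        tls.sendall(build_search_request(2, base_dn, attr, value))
        entries = 0
        while True:                        # N SearchResultEntry messages, then SearchResultDone
            reply = recv_message(tls)
            if split_message(reply)[1] != SEARCH_ENTRY:
                break
            entries += 1
        _, _, code, diag = parse_result(reply)
        return code == LDAP_SUCCESS, f"search code {code} {diag}, {entries} entries"

BIND_OK = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")            # constructed
BIND_BAD_PASSWORD = bytes.fromhex("300c020101" "6107" "0a0131" "0400" "0400")  # constructed
```

Against an SSL_TCP VIP whose certificate matches the FQDN you connect to, leave `verify_cert=True` and point `cafile` at the issuing CA; against a TCP VIP the handshake's hostname check fails because each Domain Controller presents its own certificate, which is exactly the limitation the Overview describes. A bind answered with resultCode 49 (invalidCredentials) is a failed probe, and every probe is a real logon against the service account, which is why the page insists on a password that does not expire.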

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.

    add server AD01 10.2.2.11
    add server AD02 10.2.2.12
  6. Continue adding Domain Controllers.

Service Groups

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add
  3. You will create one Service Group per datacenter. Enter a name reflecting the name of the data center. Also, you will create a set of service groups per Active Directory domain so include the domain name.
  4. Change the Protocol to SSL_TCP. Scroll down, and click Continue.
  5. On the right, in the Advanced column, click Members.
  6. On the left, in the Service Group Members section, click where it says No Service Group Member.
  7. If you did not create server objects then enter the IP address of a Domain Controller in this datacenter. If you previously created a server object, then change the selection to Server Based, and select the server object. In the Port field, enter 636 (LDAPS).
  8. Note: Any Domain Controller you add to this list must have an SSL certificate installed. The easiest way to install SSL certificates on the Domain Controllers is with Active Directory Certificate Services since it installs the certificates automatically.
  9. To add more members, click where it says 1 Service Group Member and then click Add. Click Close when done.
  10. On the right, in the Advanced column, click Monitors.
  11. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
  12. Click the arrow next to Click to select.
  13. Select your new LDAPS monitor and click OK.
  14. Click Bind.
  15. To verify the member is up, click in the Service Group Members section.
  16. Highlight a member and click Monitor Details.
  17. It should say Probe successful. Click OK.
  18. If the monitor doesn’t work, use ldp.exe to verify the Domain Controller certificate.
  19. Click Done to finish creating the Service Group.

    add serviceGroup svcgrp-LDAP-Corp SSL_TCP
    bind serviceGroup svcgrp-LDAP-Corp AD01 636
    bind serviceGroup svcgrp-LDAP-Corp AD02 636
    bind serviceGroup svcgrp-LDAP-Corp -monitorName LDAP-Corp
  20. The Service Group is displayed as UP.
  21. Add additional service groups for Domain Controllers in each data center.

Virtual Server

  1. Create or import a certificate that matches the FQDN that resolves to the new Load Balancing VIP for LDAPS.
  2. On the left, expand Traffic Management, expand Load Balancing, and click Virtual Servers.
  3. On the right, click Add. Name it lbvip-LDAPS-Corp-HQ or similar. You will create one Virtual Server per datacenter so include the datacenter name. Also, each domain has a separate set of Virtual Servers so include the domain name.
  4. Change the Protocol drop-down to SSL_TCP.
  5. Enter a Virtual IP. This VIP cannot conflict with any other IP + Port already being used. You can use an existing VIP that is not already listening on TCP 636.
  6. Enter 636 as the Port. Click OK.
  7. On the left, in the Service Group section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  8. Click the arrow next to Click to select.
  9. Select the previously created Service Group, and click OK.
  10. Click Bind.
  11. Click OK.
  12. On the right, in the Advanced column, click SSL Certificate.
  13. On the left, in the Certificates section, click where it says No Server Certificate.
  14. Click the arrow next to Click to select.
  15. Select a certificate that matches the FQDN that will resolve to this VIP. Click OK.
  16. Click Bind.
  17. Click OK.

    add lb vserver lbvip-LDAP-Corp SSL_TCP 10.2.2.210 636 -persistenceType NONE -cltTimeout 9000
    bind lb vserver lbvip-LDAP-Corp svcgrp-LDAP-Corp
  18. Perform other normal SSL configuration including: disable SSLv3, and bind a Modern Cipher Group.
    bind ssl vserver MyvServer -certkeyName MyCert
    set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
    unbind ssl vserver MyvServer -cipherName ALL
    bind ssl vserver MyvServer -cipherName Modern
    bind ssl vserver MyvServer -eccCurveName ALL
  19. Click Done to finish creating the Virtual Server.
  20. The new Virtual Server should show as Up.
  21. Create additional Virtual Servers for each datacenter. These additional Virtual Servers do not need a VIP, so change the IP Address Type to Non Addressable. Only the first Virtual Server will be accessible.

    add lb vserver lbvip-LDAP-Corp-Backup SSL_TCP 0.0.0.0 0
  22. Notice that the additional datacenter Virtual Servers show up with an IP Address of 0.0.0.0 and port of 0.
  23. After you are done creating a Virtual Server for each datacenter, right-click the primary datacenter’s Virtual Server and click Edit.
  24. On the right, in the Advanced column, click Protection.
  25. On the left, in the Protection section, change the Backup Virtual Server to one of the other datacenter Virtual Servers. If all of the services in this datacenter are DOWN, the backup Virtual Server will be used instead. You can cascade multiple Virtual Servers using this method. Click OK and Done.

    set lb vserver lbvip-LDAP-Corp -backupVServer lbvip-LDAP-Corp-Backup

Next Steps

You may now use this Virtual IP in your LDAP authentication policies for NetScaler Gateway and/or NetScaler management login.

61 thoughts on “Domain Controller (LDAPS) Load Balancing – NetScaler 10.5”

    1. That makes sense for Kerberos. But probably not for pure LDAP (no Kerberos). NetScaler’s Kerberos supports SRV lookups, but NetScaler’s LDAP does not. LDAP load balancing is standard practice for UNIX/Linux LDAP authentication, which is what NetScaler uses.

      1. So LDAP authentication between the NetScaler and a Domain Controller always uses NTLM?
        Technically not possible to use Kerberos in combination with LDAP?

        1. Actually, LDAP authentication uses a Basic protocol, where it sends username and password in clear text, unless you encrypt the LDAP connection. Similar to HTTPS.

          Kerberos is very different since it uses tickets. NetScaler supports Kerberos Constrained Delegation, and Negotiate authentication. But these are for Traffic vServers, not for management. With Kerberos, the client gets a ticket from a Domain Controller and presents it to NetScaler. With LDAP, the client sends credentials to NetScaler, and NetScaler confirms them with a LDAP Server. With KCD, NetScaler contacts a domain controller to get a ticket to authenticate with back end web servers.

          NetScaler Negotiate authentication also supports NTLM by sending the NTLM request to an IIS server that is enabled for NTLM authentication.

      2. By no means I am a NetScaler specialist but in my company I am responsible for Active Directory and thus want all devices to authenticate as efficient as possible.
        I assume that for LDAP authentication the NetScaler uses a form of LDAP bind?
        If yes what type?

      3. Carl,

        I have set up LDAPS priority load balancing on Netscaler version 12.1.x.x. It works fine when I point the DNS name ldaps.company.com directly to the VIP. Then I created a DNS c-name record for it as ldaps.gslb.company.com as I wanted to enable GSLB (I have three netscaler sites). Here ldaps fails. When I point directly to each netscaler VIP’s it works but via a c-name it fails. I need the c-name as it points to the record to the three netscalers in the internal DNS servers for resolution. Any idea?

        1. Do the GSLB Services have the correct IPs that match the VIPs? If you disable two of the GSLB Services, does it work? When you ping the FQDN, do you get back the correct IP (VIP)?

          1. Hi Carl,

            Hope you are doing well!

            Even I am facing a similar issue as mentioned by Kris. I checked the configuration and GSLB Services are having correct IP. And it is pinging to correct IP (one of the LB VIPs). GSLB is in Active-Passive Setup.

        2. Hi Kris,

          Hope you are doing good. I have similar issue. Can you please help me with solution.

          Regards,
          Shekhar

  1. Nice article, very helpful! But I noticed steps 1-11 for setting up the LDAPS Monitor are no longer required on Netscaler 12 since the ldap or ldaps scheme is now passed via a parameter to the nsldap.pl script so now you can just use that one.

  2. Hello Carl

    We cannot open UDP 53 port from Customer location to our Netscaler ADNS IP at this moment. Thus we cannot make use of GSLB. Can we use Network load balancer to distribute 8:2 load across data centers for Netscaler Gateway? or is there any way out of this?

  3. I have failed to configure secure LDAP on 10.5 build 55.8.NC. The certs are installed on Domain controllers and LDP test are good to go. I ran the debug against the monitor created for ldaps. Error I’m receiving is failed to connect to server, connection reset by peer. Any ideas?

  4. Carl,

    have a couple questions\holes in a netscaler config I’m doing

    1. for secure MEP, do you enable it on the remote site IP?
    2. can I assume, you technically don’t need a monitor for a gslb service? if the back end servies are down the LB will go down and the GSLB VS will be down. Monitors are for custom monitor , either more or less aggressive?
    3. for internal netscalers, would you configure external SOA records, name servers? or usually put internal DNS records for SOA and NS records?
    4. https redirect when using CS? i can make it work when i owa as my default LB in the CS. does this mean that all traffic goes through that back end LB?

    thanks again!

    1. 1. Whichever side is initiating the connection, yes. I would do it on both.
      2. If GSLB finds a VIP that’s the same as the GSLB Service IP, then it will use the state of the VIP and no monitors needed on the GSLB Service.
      3. I don’t think it matters unless you have DNS caches that are switching between internal and external.
      4. HTTP Redirect usually happens from a port 80 listener, which might be a Load Balancer instead of a Content Switch. If the Redirect goes to a URL that matches a CS policy expression, then that traffic goes to the CS Action destination. The Default LB vServer would only be used for non-matching traffic.

  5. Hi Carl,

    After following your manual, we cannot make it work.
    LDP.exe shows after trying to connect:

    ld = ldap_sslinit("ldaps.", 636, 1);
    Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error:
    Error : Fail to connect to ldaps..

    When connecting to a server directly, it works. There is no firewall inbetween the VPX and the AD servers. What can be the issue?

  6. Carl, great guides as always. Seems like your site is generally right at the top of the list when I’m looking for netscaler troubleshooting info. I’ve got a netscaler pair set up in a proxy scenario (not a default gateway) and the AD servers are only seeing the Netscaler’s IP as the source IP. Occasionally when a user has an issue and gets locked out, we want to know which IP the user was coming from, but it’s difficult to correlate the attempts with the lockouts, especially with a high volume of traffic. Is there some tool I’m not aware of that would make this process easier, rather than trying to parse pcap files?

    1. NetScaler can log TCP connections to Syslog. Maybe you can correlate account lockout events with Syslog TCP connections. You can create a Syslog policy, enable TCP Logging, and bind it to the vServer.

      1. I’m not sure I follow. How would GSLB help us in this situation? Do you mean use the DNS functionality of GSLB to route requests directly to the AD servers rather than going through the netscaler?

  7. Hi Carl, We have XenMobile 10.3 infra. LDAP LB VIP on NetScaler is configured with SSL_TCP and same external certificate is bound to it which is also bound to NS Gateway VIP _XM_XenMobileGateway.

    In any way this external cert being used while NetScaler communicates to LDAP servers over 636 for user authentication?

  8. HI Carl,

    How can we SSL_BRIDGE for LDAPs connection? I have configured the same but getting below error.

    Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error:
    Error : Fail to connect to 10.1.1.10

    Can you list out the mandatory things for LDAPs load balancing? TCP 389 is working fine.

  9. Hi,

    At the beginning of this article you say that:

    “If the protocol is TCP, then SSL-encrypted LDAP traffic is not terminated on the NetScaler, and is simply forwarded to the LDAP servers. If your LDAP client needs to verify the LDAP server certificate, then this Load Balancing configuration will not work, since each back-end LDAP server will have a different certificate.”

    Shouldn’t it be possible to add a unique SAN certificate to each DomainController, each with the local DomainController FQDN as the first SAN entry followed by the FQDN of the LDAPS LB vServer?

    Just like as described in the following article:

    https://edmckinzie.wordpress.com/2009/03/17/how-to-enable-ldap-over-ssl-using-subject-alternate-names/#comment-2344

    Regards

    1. I’ve never tried it. But it seems like more work than simply terminating SSL at the NetScaler.

  10. Hello Carl,

    Can you guide on LDAP Lookup from Netscaler to AD? I did not understand exactly what LDAP Lookup means.

    I want to implement the same through Netscaler with source not as SNIP. Can you tell me how can I achieve this?

  11. Running on NS VPC 11.0, b64.34.ns

    I’m having issues with the LDAP polling script. apparently the change mentioned in your howto has now been incorporated in the original script that comes with the build (though it’s done somewhat differently:

    ## Check the fifth argument to figure if secure-ldap
    ## has to be used
    my $scheme_str = "ldap";
    if(defined($_[4]) && ($_[4] == 1))
    {
        $scheme_str = "ldaps";
    }

    then later on it polls at

    $ldap=Net::LDAP->new($_[0].":".$_[1],scheme=>$scheme_str,Timeout=>$_[3])

    my limited understanding of perl suggests that this makes the script decide whether the “Secure” checkmark was set. Nice solution, but the monitor doesn’t work for me, not in LDAP, not in LDAPS. Any idea how I can fix this? When removing the monitor from the service group I can authenticate perfectly, so not a very big deal right now, but I’m a sort of perfectionist and want it properly monitored…

    1. Great how to Carl. I am having an issue with the monitor as well running on 10.5 57.7, when I setup the service group it shows the effective state as “down”. When I use a built in tcp monitor, it shows the effective state as “up”.
      I did validate using the ldp.exe for my binds. The show good for all of the services I predefined for the service group.

        1. No, we are running MPX. I do see SSLv3 enable on the service but I get an error in the gui and cli when I try to disable it.

          1. I believe build 57 enables TLS 1.2 on services. The article I listed earlier has commands to disable TLS 1.2 on monitors. Not sure if you can do those commands on build 57.

            Another option is to disable TLS 1.2 on the back-end servers.

      1. nsldaps.pl uses NSIP as the source IP.

        nsldaps.pl needs Execute permissions (chmod 755 /nsconfig/nsldaps.pl).

  12. However, NetScaler will try each authentication policy until it finds one that works. If the user enters a wrong password and if you have three authentication policies pointing to different Domain Controllers in the same domain then three different failure attempts will be recorded thus causing premature account lockout. Use Load Balancing to avoid this behavior.

    Have you tested it? Doesn’t really make any sense!!!

  13. When I create a LB LDAP connection on NS11 and use that on my Access Gateway VIP for Active Directory authentication, it still uses the NSIP to communicate. Why?

    I thought all communication goes via the SNIP to the domain controllers to check credentials.

    1. Perl scripts for monitoring run in BSD, which uses the NSIP.

      If you load balance then it must be local load balance to use the SNIP. When you run a trace on the appliance, you’ll see NSIP talking to VIP, which uses SNIP to talk to servers.

      1. Carl, thank you, creating a firewall rule for the NSIP’s solved the issue.

        Two other questions:

        -Other monitors of the NetScaler uses ICMP/Ping and this is most of the times not allowed in a DMZ, from what source (NSIP, SNIP, VIP?) is that initiated?

        -When created a LDAPS LB using your article what kind of certificate must be created on the internal CA for this to work?
        I added the root CA certificate and without the LDAPS LB authentication works using the NSIP to communicate to DC’s, but using the LDAPS LB vip it doesn’t.
        I added the comodo wildcard cert on the LDAPS VIP because it has the same internal company.com Active Directory domain.

        1. If NetScaler is your LDAP client then NetScaler generally doesn’t care about certificate validity. If you use some other LDAP client and proxy it through NetScaler VIP then the LDAP client probably needs to verify the VIP’s cert (trusted, not expired, etc.). But the LDAP Server certs for the connection between NetScaler and LDAP Server usually doesn’t need to be valid.

          1. For LDAPS, certificates are needed on the domain controllers.

            If your LDAP client is NetScaler AAA or NetScaler Gateway then you don’t need certificates on the LDAPS load balancing vServer. Use TCP protocol for vServer and services.

            If your LDAP client verifies the certificate then you do need cert on the LDAPS Load Balancing vServer. Use SSL_TCP protocol for vServer and services.

  14. Carl,

    Your guides are great. Do you happen to have one on fully configuring LDAPS from scratch with Citrix in mind? I’ve been trying to read up on LDAPS but there don’t seem to be many good guides for it.

    Thanks,
    Realityshift

    1. Are you asking how to install certificates on your domain controllers? The easy way is to install AD Certificate Services in Enterprise Mode. The DCs should request certs automatically.

      1. Yes, in a way. I’m new to certificates and SSL. I’ve created a certificate template and imported from my CA to my LDAP server but doing a test bind on port 636 still fails. So, I’m missing something which is stopping me from going to the next step :\

        1. I haven’t written anything for DC certs because there’s lots of info already on the Internet. For example – http://www.everything-virtual.com/installing-the-home-lab/installing-an-enterprise-root-ca-on-windows-2012r2/, https://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment/. And different environments have different requirements.

          If your DCs are running Windows 2003 then they need to be rebooted before the certs work.

          1. Thanks!!!! This is the guide I’ve been searching for. I’ve read a lot of LDAP stuff but haven’t seen any guides that I fully understood. After following that guide and this one, the Netscaler is working properly with LDAPS authentication.

            Thanks Carl!

            10/10 would read again

    1. There are four editions of NetScaler licenses: NetScaler Gateway (Only) Edition, Standard Edition, Enterprise Edition, and Platinum Edition. Each Edition includes everything in the lower editions. Standard Edition is the minimum for load balancing. If you purchased the NetScaler Gateway VPX then you are only licensed for NetScaler Gateway. You’d have to upgrade to VPX 10 Standard Edition or VPX 200 Standard Edition to get load balancing.

        1. If you are only licensed for NetScaler Gateway Edition then you won’t be able to load balance. The other NetScaler Editions include both load balancing and the NetScaler Gateway feature so the title is appropriate. If you don’t have Load Balancing then you should have a Virtual Servers and Services section where you can setup something similar to load balancing except you can only bind a single service to each vServer. In that scenario I would setup multiple vServers and use the Backup vServer feature to cascade them.

  15. Question about the LDAPS. I already have an LDAPS load balanced via another LB. Thoughts on not doing LB on NS side but instead just create ldap auth server in gateway

    1. Did you copy it to /nsconfig/monitors? This location should not be deleted at reboot. The files at /netscaler/monitors are deleted at reboot. Note: this is no longer necessary in NetScaler 11.
