NetScaler Gateway 11 LDAP Authentication

Last Modified: Jul 10, 2016 @ 1:53 pm


Verify LDAPS

Use the tool ldp.exe to verify that the Domain Controllers have valid certificates installed and the service account is able to bind to the LDAP tree.

  1. ldp.exe is included with the Remote Server Administration Tools (AD DS Snap-Ins and Command-Line Tools)
  2. Run ldp.exe

  3. Open the Connection menu and click Connect.
  4. Check the box next to SSL. Change the port to 636. Then enter the FQDN of a Domain Controller and click OK.
  5. If it connected successfully, you can then attempt a bind. If the connection was unsuccessful then there’s probably an issue with the certificate installed on the Domain Controller.
  6. Open the Connection menu and click Bind.
  7. Change the Bind type to Simple bind. Then enter the service account credentials. You can use DOMAIN\Username or you can use Click OK.
  8. Look on the right pane to verify a successful bind. If not, fix the credentials and try again.
  9. Once you have successfully binded, you can view the directory tree by opening the View menu and click Tree.
  10. Click the drop-down to view the directory partitions.
  11. Repeat these steps to verify each Domain Controller and any load balanced LDAPS.

LDAP Load Balancing

Before you create an LDAP authentication policy, setup LDAPS load balancing:

You can create multiple load-balancing Virtual Servers to load balance multiple domains. These load-balancing Virtual Servers can share the same VIP if their port numbers are different. Or you can use a different VIP for each domain.

LDAP Server

To create the LDAP Authentication Server, do the following:

  1. On the left, expand Authentication and click Dashboard.
  2. On the right, click Add.
  3. In the Choose Server Type drop-down, select LDAP.
  4. Enter LDAP-Corp as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name.
  5. Change the selection to Server IP. Enter the VIP of the load balancing vServer for LDAP.
  6. Change the Security Type to SSL.
  7. Enter 636 as the Port. Scroll down.
  8. In the Connection Settings section, in the Base DN field, enter your Active Directory DNS domain name in LDAP format.
  9. Enter the credentials of the LDAP bind account in userPrincipalName format. Domain\Username also works.
  10. Check the box next to BindDN Password and enter the password. Scroll down.
  11. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
  12. On the right, check the box next to Allow Password Change.
  13. Note: there is a checkbox for Validate LDAP Server Certificate. If you want to do this, see Citrix Discussions for instructions for loading the root certificate to /nsconfig/truststore.
  14. If you want to restrict access to only members of a specific group, in the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.

    1. An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
    2. Or in Active Directory Users & Computers, enable Advanced view, browse to the object (don’t use Find), double-click the object, and switch to the Attribute Editor tab.
    3. Scroll down to distinguishedName, double-click it and then copy it to the clipboard.

    4. Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
  15. Scroll down and click More.
  16. For Nested Group Extraction, if desired, change the selection to Enabled.
  17. Set the Group Name Identifier to samAccountName.
  18. Set the Group Search Attribute to memberOf. Select << New >> first.
  19. Set the Group Search Sub-Attribute to CN. Select << New >> first
  20. For the Group Search Filter field, see CTX123795 Example of LDAP Nested Group Search Filter Syntax.
  21. Scroll down and click Create.

    add authentication ldapAction Corp-Gateway -serverIP -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=Citrix Remote,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  22. The status of the LDAP Server should be Up.
  23. The Authentication Dashboard doesn’t allow you to create the LDAP Policy at this time. Instead the LDAP Policy will be created later when you bind the LDAP Server to the NetScaler Gateway vServer.

Authentication Feedback and Licenses

  1. On the left, under NetScaler Gateway, click Global Settings.
  2. On the right, in the right column, click Change authentication AAA settings.
  3. If you are using Gateway features that require Gateway Universal licenses, then change the Maximum Number of Users to the number of Gateway Universal licenses you have installed on this appliance. This field has a default value of 5, and administrators frequently forget to change it, thus only allowing 5 users to connect.
  4. If desired, check the box for Enable Enhanced Authentication Feedback. This feature provides a message to users if authentication fails. The message users receive include password errors, account disabled or locked, or the user is not found, to name a few. Click OK.

    set aaa parameter -enableEnhancedAuthFeedback YES -maxAAAUsers 200

Next Step

Multiple Domains

To support multiple Active Directory domains on a NetScaler Gateway, you create multiple LDAP authentication policies, one for each Active Directory domain, and bind all of the LDAP policies to the NetScaler Gateway Virtual Server. When the user logs into NetScaler Gateway, only the username and password are entered. The NetScaler will then loop through each of the LDAP policies in priority order until it finds one that contains the entered username/password.

What if the same username is present in multiple domains? As NetScaler loops through the LDAP policies, as soon as it finds one with the specified username, it will try to authenticate with that particular LDAP policy. If the password doesn’t match the user account for the attempted domain then a failed logon attempt will be logged in that domain and NetScaler will try the next domain.

Unfortunately, the only way to enter a realm name during user authentication is to require users to login using userPrincipalNames. To use userPrincipalName, set the LDAP Policy/Server with the Server Logon Name Attribute set to userPrincipalName.

You can even do a combination of policies: some with samAccountName and some with userPrincipalName. The samAccountName policies would be searched in priority order and the userPrincipalName policies can be used to override the search order. Bind the userPrincipalName policies higher (lower priority number) than the samAccountName policies.

Note: NetScaler 11.0 build 64 supports adding a domain name drop-down list to the logon page. Then use Cookie expressions in the auth policies and session policies. However, this probably doesn’t work for Receivers. See CTX203873 How to Add Drop-Down Menu with Domain Names on Logon Page for NetScaler Gateway 11.0 64.x and later releases for details.  💡
User-added image

After authentication is complete, a Session Policy will be applied that has the StoreFront URL. The NetScaler Gateway will attempt to log into StoreFront using SSO so the user doesn’t have to login again. When logging into NetScaler Gateway, only two fields are required: username and password. However, when logging in to StoreFront, a third field is required: domain name. So how does NetScaler specify the domain name while logging in to StoreFront?

There are two methods of specifying the domain:

  • Configure multiple session policies with unique Single Sign-on Domains.  Inside the Session Policy is a field called Single Sign-on Domain for specifying the domain name. If there is only one Active Directory domain then you can use the same Session Policy for all users. However, if there are multiple domains then you would need multiple Session Policies, one for each Active Directory domain. But as the NetScaler loops through the LDAP policies during authentication, once a successful LDAP policy is found, you need a method of linking an LDAP policy with a Session Policy that has the corresponding SSO Domain. This is typically done using AAA groups. This method is not detailed here but the general steps are: In the LDAP policy, specify a Default Authentication Group. Create a AAA group that matches it. Then bind the corresponding Session Policy to that AAA group.
  • Alternatively, configure the LDAP policy/server to extract the user’s UPN and then authenticate to StoreFront using UPN. This is the easiest method but some domains don’t have userPrincipalNames configured correctly.

This userPrincipalName method is detailed below:

  1. In each of your NetScaler LDAP policies/servers, in the Other Settings section, in the SSO Name Attribute field, enter userPrincipalName (select –<< New >>– first). Make sure there are no spaces after this name. NetScaler will use this attribute to authenticate the user against StoreFront.
  2. In StoreFront Console, right-click  the Store, and click Manage Authentication Methods.
  3. On the right, click the gear icon, and then click Configure Trusted Domains.
  4. In the Trusted domains box, select Any domain.
  5. Or add your domains in DNS format. The advantage of entering domain names is that you can select a default domain if internal users forget to enter a domain name during login. The DNS format is required for UPN logins (e.g. SSO from NetScaler Gateway).
  6. On the NetScaler Gateway Virtual Server, bind LDAP authentication polices in priority order. It will search them in order until it finds a match.
  7. In your session policies, make sure Single Sign-on Domain is not configured. Since NetScaler is using the userPrincipalName, there’s no need to specify a domain. If Single Sign-on Domain is configured, then Single Sign-on authentication will fail.

Email this to someonePrint this pageTweet about this on TwitterShare on LinkedInShare on FacebookPin on PinterestShare on RedditShare on StumbleUpon

30 thoughts on “NetScaler Gateway 11 LDAP Authentication”

  1. Carl,

    I am looking to setup a contractor portal page. Currently we have 2 netscalers in HA and 2 SF in HA. I would like for our contractors to have a different storefront page. I do not see in your documentation. Am I missing another post you have created elsewhere?

    Thanks in advance.

    1. What do you mean by “different storefront page”?

      Is this NetScaler Gateway? You want each tenant to have a different logon page? Simply create multiple Gateway vServers, each with different VIP/DNS.

      For StoreFront, You can create different Stores on the same URL, each store has different authentication. However, Receiver might show all stores if you don’t hide them. And if you hide them, then you need to provide custom instructions to the users to add a hidden store. Or you can build a different StoreFront group.

      1. This is a NetScaler gateway. Basically I want our contractors to have a different website they visit to gain access to our Citrix Environment. They will authenticate the same way with a AD user using LDAP just their SF page will be different.

        1. Logon page comes from NetScaler. Create a separate Gateway vServer on a different VIP (and DNS name). Bind a different Portal Theme if you want.

          You can create a separate StoreFront Store and point Gateway to that Store. Or create a separate StoreFront Server Group and point Gateway to the new group.

  2. Hello Carl, please, I hope you could help me with a problem which is driving me crazy.

    I followed your procedure to extract an AD group in order to apply some policies to a specific group. I see the NetScaler is retrieving the group name but it seems that the rewrite policy does not receive such name. I want the rewrite policy to redirect an unallowed user to an error page. How could I troubleshoot this?

    The NS is retrieving the group name as follows:
    Sun Sep 11 02:33:29 2016
    /usr/home/build/rs_110_65_23_RTM/usr.src/netscaler/aaad/ldap_drv.c[370]: receive_ldap_user_search_event Binding user… 1 entries
    Sun Sep 11 02:33:29 2016
    /usr/home/build/rs_110_65_23_RTM/usr.src/netscaler/aaad/ldap_drv.c[395]: receive_ldap_user_search_event User DN= <>
    Sun Sep 11 02:33:29 2016
    /usr/home/build/rs_110_65_23_RTM/usr.src/netscaler/aaad/ldap_drv.c[487]: receive_ldap_user_search_event built group string for gsmith of:AllowedGroup

    The Rewrite expression is witten as:

    I have not succeeded with this deployment. Please, any comment is welcome. Thanks.

  3. Carl, Either I am completely stupid or simply my Netscaler version doesn’t have it but I do not have the check box item Allow Password Change in the Other Setting area of LDAP Server Authentication.

    My Netscaler VPX is build Oct. 2015.
    VPX License is Standard model iD 10.

    1. Thanks for your explanation. Authentication now works. From NS11.0: Build I have problems about AAAGroups and nested AD Group. It seems that nested AD gruop does not bind with Intranet Applications that I configured in the past (with NS10.5 no problem). Do you know anything about it?

      1. Did you configure the LDAP policy to extract nested groups? If you run cat /tmp/aaad.debug do you see the nested groups being returned?

        1. Sorry for the later! I made several tests to answer 😉
          I configure the LDAP policy to extract nested groups and if I run cat /tmp/aaad.debug I see nested group!
          But launching VPN from remote I receive the following message “1013:Failed to parse configuration. Check the connection log for more information”.
          In the connection log I see the following message “Split tunneling is enabled and an intranet application is not configured”.
          In Netscaler I just configured intranet applications but:
          – if intranet application is bound to primary group, I receive “1013” error
          – if intranet application is bound to nested group VPN works
          But necessary i have to use primary group to configure intranet applications.
          Could you help me?
          Thanks a lot and sorry for my bad english 😉

          1. By “Primary Group”, do you mean the user’s Primary Group in AD, which defaults to Domain Users? NetScaler LDAP does not extract user Primary Groups. You can go to AD and change the user’s Primary Group and then NetScaler can see the old group. I think this is an LDAP limitation.

          2. Sorry, I did not explain it well. I will try again to explain.

            First case
            UserA belong to GlobalGroupA; GlobalGroupA belong to LocalGroupVPN . Intranet applications is bound with LocalGroupVPN. UserA launches Gateway Plugin to use VPN from remote but he receives “1013” error.

            Second case
            UserA belong to LocalGroupVPN . Intranet applications is bound with LocalGroupVPN. UserA launches Gateway Plugin to use VPN from remote and it works.

            I need to use “First case” but I receive the error.
            Could you offer any advice in this situation?


          3. I just tried it on 11.0 build 64 and it works.

            I created a Domain Global group named CorpVPN and added my test account to it.
            I created a Domain Local group named VPN and added CorpVPN to it.

            On NetScaler, I configured Nested Group Extraction and enabled Split Tunnel.
            I added AAA Groups for both VPN and CorpVPN.
            I created an Intranet Application and bound it to VPN group only. Nothing is bound to CorpVPN. And it works.

            I can see 1013 error if user is in neither group.

            Are your groups in different domains?

  4. Our password has a # as well and it’s working right but the dashboard is failing. Other vServer without special characters are passing LOL.

  5. Hello Carl, today I found out, that the UPN Method in our Multi Domain setup isn’t working completely. If users logon over the NetScaler Gateway Website, everything works fine. If they try to add our Store to their native Receiver, it could not be added. Configuring unique Sessions Policies for each domain with AAA Groups works perfect for us. Thanks for sharing your your knowledge!

    1. Windows 2003 required a reboot. Windows 2008 R2 should work immediately after installing the cert. I’m not aware of any risks.

      1. Thanks Carl. I wasn’t sure if there was any implications of going from LDAP to LDAPS on our primary domain controller. Appreciate your help!

  6. I am getting a message in the authentication dashboard on both of my ldap lb’d vservers that they are down Invalid Admin Bind Credentials. They worked in 10.5 before my upgrade and all monitors and vservers check out. Getting a message when logging in in aaad.debug that main timer 1 is firing and nothing else. No invalid credentials in the debug messages. No clue.

          1. Carl –
            I know this is from a while ago but wanted to update – the gist of it is – if you are using a custom theme and cookies to login from a dropdown box – don’t forget to change the expression in the session policy…

    1. We had the >> down. invalid admin bind credentials < Dashboard check was running. And the Status was Down. After some hours of troubleshooting, we change the Bind User credentials. And Tada, everything was working fine. The old password (we used for years with build 10.5) contained some special characters (“#” and “-“), seems to me that the netscaler is unable to use these special characters and every time the Dashboard check is running, a wrong password is used for the ldap bind user which results in lock out of the user.

      Hope this helps!

  7. Load Balancing is not licensed with the Gateway version from what I understand. How is what you have detailed above achieved ?

    1. There are four editions of NetScaler licenses: NetScaler Gateway (Only) Edition, Standard Edition, Enterprise Edition, and Platinum Edition. Each Edition includes everything in the lower editions. Standard Edition is the minimum for load balancing. If you purchased the NetScaler Gateway VPX then you are only licensed for NetScaler Gateway. You’d have to upgrade to VPX 10 Standard Edition or VPX 200 Standard Edition to get load balancing.

Leave a Reply