Storefront the Credentials Supplied Were Invalid Please Try Again
Verify LDAPS
Use the tool ldp.exe to verify that the Domain Controllers have valid certificates installed and that the service account is able to bind to the LDAP tree.
- ldp.exe is included with the Remote Server Administration Tools (AD DS Snap-Ins and Command-Line Tools)
- Run ldp.exe
- Open the Connection menu and click Connect.
- Check the box next to SSL. Change the port to 636. Then enter the FQDN of a Domain Controller and click OK.
- If it connected successfully, you can then attempt a bind. If the connection was unsuccessful, there's probably an issue with the certificate installed on the Domain Controller.
- Open the Connection menu and click Bind.
- Change the Bind type to Simple bind. Then enter the service account credentials. You can use DOMAIN\Username or you can use Username@Domain.com. Click OK.
- Look in the right pane to verify a successful bind. If not, fix the credentials and try again.
- Once you have successfully bound, you can view the directory tree by opening the View menu and clicking Tree.
- Click the drop-down to view the directory partitions.
- Repeat these steps to verify each Domain Controller and any load balanced LDAPS.
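The same two checks ldp.exe performs, a verified TLS handshake on port 636 followed by an LDAP v3 simple bind, can be scripted so every Domain Controller and load-balanced LDAPS VIP is tested the same way. The script below is an added example written for this page, not Citrix or Microsoft code; it uses only the Python standard library (there is no LDAP client in it, so the BindRequest and BindResponse are encoded and decoded by hand per RFC 4511). The host name, account and password in the `__main__` block are placeholders.

```python
"""Check a Domain Controller's LDAPS endpoint the way ldp.exe does: a verified
TLS handshake on port 636 followed by an LDAP v3 simple bind (RFC 4511).
Added example, stdlib only; host, account and password are placeholders."""
import socket
import ssl

LDAPS_PORT = 636


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_bind_request(name: str, password: str, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    simple [0] password } }. The name may be DOMAIN\\user or a UPN, as in
    ldp.exe; Active Directory accepts both for simple binds."""
    bind = (
        _tlv(0x02, b"\x03")                      # version INTEGER 3
        + _tlv(0x04, name.encode("utf-8"))       # name OCTET STRING
        + _tlv(0x80, password.encode("utf-8"))   # authentication: simple [0]
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse.
    0 is success; 49 (invalidCredentials) is what a wrong password yields."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)                 # skip messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:                               # BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)             # resultCode ENUMERATED
    _, _, pos = _read_tlv(resp, pos)              # matchedDN (unused)
    _, diag, _ = _read_tlv(resp, pos)             # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def _recv_message(sock) -> bytes:
    """Read one complete BER message: tag, length octets, then the body."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def ldaps_bind(host: str, name: str, password: str, cafile=None):
    """Verified TLS (chain and hostname) then a simple bind, like ldp.exe
    with SSL ticked. A chain or name mismatch raises
    ssl.SSLCertVerificationError before any credential is sent, which is
    the certificate problem the ldp.exe steps are meant to surface."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname
    with socket.create_connection((host, LDAPS_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(name, password))
            return parse_bind_response(_recv_message(tls))


if __name__ == "__main__":
    # Placeholder values: substitute the DC FQDN and the bind service account.
    code, diag = ldaps_bind("dc01.corp.example", "CORP\\svc-ldap", "placeholder")
    print("bind ok" if code == 0 else f"bind failed: code {code} {diag}")
```

Run it once per Domain Controller FQDN and once against the load-balanced LDAPS VIP; the VIP must present a certificate whose subject alternative names cover the VIP's DNS name or the handshake fails exactly as it would in ldp.exe. Pass `cafile=` pointing at your internal root CA if it is not in the system trust store.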
LDAP Load Balancing
Before you create an LDAP authentication policy, set up LDAPS load balancing:
You can create multiple load-balancing Virtual Servers to load balance multiple domains. These load-balancing Virtual Servers can share the same VIP if their port numbers are different. Or you can use a different VIP for each domain.
LDAP Server
To create the LDAP Authentication Server, do the following:
- On the left, expand Authentication and click Dashboard.
- On the right, click Add.
- In the Choose Server Type drop-down, select LDAP.
- Enter LDAP-Corp as the name. If you have multiple domains, you'll need a separate LDAP Server per domain, so make sure you include the domain name.
- Change the selection to Server IP. Enter the VIP of the load balancing vServer for LDAP.
- Change the Security Type to SSL.
- Enter 636 as the Port. Scroll down.
- In the Connection Settings section, in the Base DN field, enter your Active Directory DNS domain name in LDAP format.
- Enter the credentials of the LDAP bind account in userPrincipalName format. Domain\Username also works.
- Check the box next to BindDN Password and enter the password. Scroll down.
- In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
- On the right, check the box next to Allow Password Change.
- Note: there is a checkbox for Validate LDAP Server Certificate. If you want to do this, see Citrix Discussions for instructions for loading the root certificate to /nsconfig/truststore.
- If you want to restrict access to only members of a specific group, in the Search Filter field, enter memberOf=<GroupDN>. See the example below:
memberOf=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local
You can add :1.2.840.113556.1.4.1941: to the query so that it searches through nested groups. Without this, users will need to be direct members of the filtered group.
memberOf:1.2.840.113556.1.4.1941:=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local
- An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
- Or in Active Directory Users & Computers, enable Advanced view, browse to the object (don't use Find), double-click the object, and switch to the Attribute Editor tab.
- Scroll down to distinguishedName, double-click it and then copy it to the clipboard.
- Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don't worry about spaces.
- Scroll down and click More.
- For Nested Group Extraction, if desired, change the option to Enabled.
- Set the Group Name Identifier to samAccountName.
- Set the Group Search Attribute to memberOf. Select << New >> first.
- Set the Group Search Sub-Attribute to CN. Select << New >> first.
- For the Group Search Filter field, see CTX123795 Example of LDAP Nested Group Search Filter Syntax.
- Scroll down and click Create.
add authentication ldapAction Corp-Gateway -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=Citrix Remote,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
- The status of the LDAP Server should be Up.
- The Authentication Dashboard doesn't let you create the LDAP Policy at this time. Instead, the LDAP Policy will be created later when you bind the LDAP Server to the NetScaler Gateway vServer.
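The Search Filter steps above paste a group's distinguished name straight into a filter string, and the nested-group variant adds the LDAP_MATCHING_RULE_IN_CHAIN OID. The following is an added example, not Citrix code, that builds those filter values and escapes the DN per RFC 4515, so a group name that happens to contain parentheses, an asterisk or a backslash cannot break the filter. The `effective_search_filter` function shows the standard way a login-name lookup is ANDed with the filter value; the exact string the appliance emits is not documented on this page, so that composition is an assumption.

```python
"""Build the NetScaler Search Filter value for group-restricted LDAP logon.
Added example, not Citrix code. The appliance wraps the value it is given,
so the value itself carries no outer parentheses (as on the page:
memberOf=CN=...). Attribute values are escaped per RFC 4515."""

# Active Directory matching rule for transitive (nested) group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: these octets must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str, nested: bool = False) -> str:
    """Value for the NetScaler Search Filter field: direct membership by
    default, or transitive membership through the matching-rule OID.
    Spaces in the DN are fine, as the page notes; only RFC 4515 specials
    are escaped."""
    attr = "memberOf"
    if nested:
        attr += f":{LDAP_MATCHING_RULE_IN_CHAIN}:"
    return f"{attr}={escape_filter_value(group_dn)}"


def effective_search_filter(login_attr: str, username: str, search_filter: str) -> str:
    """The complete RFC 4515 filter the directory receives when the login-name
    lookup is ANDed with the Search Filter value. Assumed composition; the
    entered username is escaped so it is matched literally, never as a
    wildcard or extra filter clause."""
    return f"(&({login_attr}={escape_filter_value(username)})({search_filter}))"


if __name__ == "__main__":
    # Constructed DNs; the second one would break an unescaped filter.
    print(member_of_filter("CN=CitrixRemote,OU=Citrix,DC=corp,DC=local", nested=True))
    print(member_of_filter("CN=Citrix (Remote),OU=Citrix,DC=corp,DC=local"))
```

If a group DN produced by `member_of_filter` contains `\28` or `\29` sequences, that is the escaped form you would paste into the Search Filter field; pasting the raw parentheses would produce a filter the directory rejects or, worse, evaluates differently from what was intended.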
Authentication Feedback and Licenses
- On the left, under NetScaler Gateway, click Global Settings.
- On the right, in the right column, click Change authentication AAA settings.
- If you are using Gateway features that require Gateway Universal licenses, then change the Maximum Number of Users to the number of Gateway Universal licenses you have installed on this appliance. This field has a default value of 5, and administrators frequently forget to change it, thus only allowing 5 users to connect.
- If desired, check the box for Enable Enhanced Authentication Feedback. This feature provides a message to users if authentication fails. The messages users receive include password errors, account disabled or locked, or user not found, to name a few. Because the message distinguishes an unknown user from a wrong password, it also tells anyone at the logon page whether an account exists, so weigh that against the help-desk benefit. Click OK.
set aaa parameter -enableEnhancedAuthFeedback YES -maxAAAUsers 200
Next Step
- For two-factor, configure RADIUS Authentication
- Otherwise, Configure NetScaler Gateway Session Policies
Multiple Domains
To support multiple Active Directory domains on a NetScaler Gateway, you create multiple LDAP authentication policies, one for each Active Directory domain, and bind all of the LDAP policies to the NetScaler Gateway Virtual Server. When the user logs into NetScaler Gateway, only the username and password are entered. The NetScaler will then loop through each of the LDAP policies in priority order until it finds one that contains the entered username/password.
What if the same username is present in multiple domains? As NetScaler loops through the LDAP policies, as soon as it finds one with the specified username, it will attempt to authenticate with that particular LDAP policy. If the password doesn't match the user account for the attempted domain, then a failed logon attempt will be logged in that domain and NetScaler will try the next domain.
Unfortunately, the only way to enter a realm name during user authentication is to require users to log in using userPrincipalNames. To use userPrincipalName, set the LDAP Policy/Server with the Server Logon Name Attribute set to userPrincipalName.
You can even do a combination of policies: some with samAccountName and some with userPrincipalName. The samAccountName policies would be searched in priority order and the userPrincipalName policies can be used to override the search order. Bind the userPrincipalName policies higher (lower priority number) than the samAccountName policies.
Note: NetScaler 11.0 build 64 supports adding a domain name drop-down list to the logon page. Then use Cookie expressions in the auth policies and session policies. However, this probably doesn't work for Receivers. See CTX203873 How to Add Drop-Down Menu with Domain Names on Logon Page for NetScaler Gateway 11.0 64.x and later releases for details.
After authentication is complete, a Session Policy will be applied that has the StoreFront URL. The NetScaler Gateway will attempt to log into StoreFront using SSO so the user doesn't have to log in again. When logging into NetScaler Gateway, only two fields are required: username and password. However, when logging in to StoreFront, a third field is required: domain name. So how does NetScaler specify the domain name while logging in to StoreFront?
There are two methods of specifying the domain:
- Configure multiple session policies with unique Single Sign-on Domains. Within the Session Policy is a field called Single Sign-on Domain for specifying the domain name. If there is only one Active Directory domain then you can use the same Session Policy for all users. However, if there are multiple domains then you would need multiple Session Policies, one for each Active Directory domain. But as the NetScaler loops through the LDAP policies during authentication, once a successful LDAP policy is found, you need a method of linking an LDAP policy with a Session Policy that has the corresponding SSO Domain. This is typically done using AAA groups. This method is not detailed here but the general steps are: In the LDAP policy, specify a Default Authentication Group. Create a AAA group that matches it. Then bind the corresponding Session Policy to that AAA group.
- Alternatively, configure the LDAP policy/server to extract the user's UPN and then authenticate to StoreFront using UPN. This is the easiest method but some domains don't have userPrincipalNames configured correctly.
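The policy walk described in the last four paragraphs is easy to get wrong in practice, because a failed logon recorded in the wrong domain counts against that account's bad-password threshold. The model below is an added example, not Citrix code: it evaluates a list of bound LDAP policies in priority order (lowest priority number first) exactly as the text describes, records which domains see a failed logon, and contrasts a sAMAccountName-only binding with userPrincipalName policies bound at a higher priority. The domains, users and passwords are constructed.

```python
"""Model of how NetScaler Gateway walks bound LDAP policies in priority order
when several Active Directory domains share one Gateway. Added example with
constructed data, following the evaluation order the text describes."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LdapPolicy:
    name: str
    domain: str
    priority: int           # lower number is evaluated first
    login_attr: str         # "sAMAccountName" or "userPrincipalName"
    users: dict = field(default_factory=dict)   # constructed: login name -> password


@dataclass
class Outcome:
    matched: Optional[str]  # name of the policy that authenticated, or None
    failed_logons: list     # domains that recorded a bad-password attempt


def evaluate(policies, username: str, password: str) -> Outcome:
    """Walk policies by priority: a policy whose directory lacks the entered
    name under its login-name attribute is skipped; one that has it binds as
    that user, so a wrong password is a failed logon in that domain."""
    failed = []
    for pol in sorted(policies, key=lambda p: p.priority):
        if username not in pol.users:
            continue
        if pol.users[username] == password:
            return Outcome(pol.name, failed)
        failed.append(pol.domain)
    return Outcome(None, failed)


# Constructed directories: "bob" exists in both domains with different passwords.
CORP = {"bob": "corp-pass", "alice": "alice-pass"}
EMEA = {"bob": "emea-pass"}

SAM_ONLY = [
    LdapPolicy("LDAP-Corp", "corp.local", 100, "sAMAccountName", CORP),
    LdapPolicy("LDAP-Emea", "emea.local", 110, "sAMAccountName", EMEA),
]

# UPN policies bound above (lower priority number than) the sAMAccountName
# ones, as the text recommends; their directories are keyed by UPN.
WITH_UPN = [
    LdapPolicy("LDAP-Corp-UPN", "corp.local", 90, "userPrincipalName",
               {f"{u}@corp.local": p for u, p in CORP.items()}),
    LdapPolicy("LDAP-Emea-UPN", "emea.local", 95, "userPrincipalName",
               {f"{u}@emea.local": p for u, p in EMEA.items()}),
] + SAM_ONLY


if __name__ == "__main__":
    # EMEA's bob logs in with a bare username: CORP is tried first and logs a failure.
    print(evaluate(SAM_ONLY, "bob", "emea-pass"))
    # With a UPN he is routed straight to EMEA and CORP never sees the attempt.
    print(evaluate(WITH_UPN, "bob@emea.local", "emea-pass"))
```

The first call matches `LDAP-Emea` but leaves a failed logon in `corp.local`; repeat that a handful of times and CORP's bob is locked out by a user who never meant to touch that domain. The second call, with the UPN policies bound higher, matches `LDAP-Emea-UPN` with no failed logon anywhere, which is the reason the text recommends that binding order.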
This userPrincipalName method is detailed below:
- In each of your NetScaler LDAP policies/servers, in the Other Settings section, in the SSO Name Attribute field, enter userPrincipalName (select << New >> first). Make sure there are no spaces after this name. NetScaler will use this attribute to authenticate the user against StoreFront.
- In StoreFront Console, right-click the Store, and click Manage Authentication Methods.
- On the right, click the gear icon, and then click Configure Trusted Domains.
- In the Trusted domains box, select Any domain.
- Or add your domains in DNS format. The advantage of entering domain names is that you can select a default domain if internal users forget to enter a domain name during login. The DNS format is required for UPN logins (e.g. SSO from NetScaler Gateway).
- On the NetScaler Gateway Virtual Server, bind LDAP authentication policies in priority order. It will search them in order until it finds a match.
- In your session policies, make sure Single Sign-on Domain is not configured. Since NetScaler is using the userPrincipalName, there's no need to specify a domain. If Single Sign-on Domain is configured, then Single Sign-on authentication will fail.
Source: https://www.carlstalhood.com/netscaler-gateway-11-ldap-authentication/