
Tag: ldap

Setup NetScaler Gateway VPN to use an LDAP Authentication Policy

Step 1: Bind the LDAP_NetScaler_Users policy to this VPN / Gateway. (See the previous posts on creating an LDAP policy; the name above is an example based on our other posts.)

Step 2: Browse to the gateway and click Edit.

Step 3: Click the + on Basic Authentication. Choose LDAP as the policy, choose Primary Authentication, then click Continue.

Step 4: Select the LDAP policy you created for NetScaler Users (not the administrators policy).

Step 5: Click Done.

Step 6: Test and confirm.

Step 7: Create an AAA group and bind an authorisation policy to it. Expand NetScaler Gateway > User Administration > AAA Groups and click Add.

Step 8: Create a group name that MATCHES (case sensitive) the AD group specified in the LDAP policy/profile, then click OK.

Step 9: Attach the Authorization Policy to this group: click + Authorization Policies on the right.

Step 10: Click the > to bring up the policy selection window.

Step 11: Select the Authorization Policy created previously.

Step 12: Click Bind.

Step 13: Click Done.

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!


Creating a Citrix NetScaler LDAP Authentication Policy for Users

In this walkthrough we will create an LDAP policy for basic users of the NetScaler to authenticate against things like a new Virtual NetScaler Gateway.

This profile is identical to the previous administrators policy except for the AD group it looks for: instead of ‘Domain Admins’ we look for users who are members of the LDAP group called ‘NetScaler Users’.

Step 1: Log into your NetScaler. Expand System > Authentication > LDAP, click the Servers tab, tick the existing AUTHSERVER_LDAP and click the Add button.

Tip: Because we selected the already created server profile, its configuration details are copied into this new profile as defaults.

Note: The LDAP bind password is not copied when you duplicate the settings of a previously created profile, so always re-enter it when creating additional AUTHSERVERs and test the connection.

Step 2: Give the LDAP server profile a Name, e.g. AUTHSERVER_LDAP_NSUsers.

Step 3: Provide the following details of your LDAP server:

IP Address / or Name

Base DN

Admin Bind DN

Admin Password: be sure to RETYPE YOUR PASSWORD and click TEST

Server Logon Name Attribute: sAMAccountName

Group Attribute: memberof

Sub Attribute Name: cn

Note: In this guide we are using the following specific details as working examples:

IP Address / or Name: 192.168.1.11

Base DN: CN=Users,DC=Home,DC=Local

Admin Bind DN: admin@home.local

Admin Password: <password>

Search Filter: memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local

Note: Use the LDAP details appropriate for your environment. If you are unsure, consult your AD/LDAP/Authentication team.

Tip: You can connect to your AD domain controller, or to any Windows machine with the Remote Server Administration Tools (RSAT) installed, to establish your Base DN and Admin Bind DN by querying the accounts with dsquery user, and dsquery group if you need to obtain the group details for the ‘Search Filter’.

Step 4: Click Test Connection and ensure your LDAP server is reachable.

Step 5: Click Create at the bottom of the ‘Create Authentication LDAP Server’ window.

Step 6: Create another LDAP policy to bind this new server profile to. Click the Policies tab, tick the existing policy and click Add.

Note: Because we ticked the existing policy, its settings are copied into the new policy as defaults.

Step 7: Rename the policy to something new, such as AUTHPOL_LDAP_NSUsers. Link this new policy to the server profile created in steps 1-5 by selecting AUTHSERVER_LDAP_NSUsers from the drop-down. Leave the Expression as ns_true and click Create.

Step 8: Two LDAP authentication policies now exist and can be used for authenticating users on the NetScaler.

Note: The Administrators policy is presently the only policy bound to the NetScaler.

NetScaler SSH Command References:

Create LDAP Server:
add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword 1234123412341234123412341234123412341234123412341234123412341234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn

Create LDAP Policy:
add authentication ldapPolicy AUTHPOL_LDAP_NSUsers ns_true AUTHSERVER_LDAP_NSUsers


Creating a Citrix NetScaler LDAP Authentication Policy for Administrators

In this walkthrough we will create an LDAP policy for administrators of the NetScaler and point this new policy to our singular, private, internal Microsoft AD LDAP server.

This involves creating a server profile (telling the NetScaler which server to communicate with for LDAP services) and a policy that is bound to that newly created server record. Finally, the policy and its server profile must be bound to the NetScaler so it knows where and when to use this LDAP policy. We bind the policy globally, which means every user in the LDAP group specified in the policy will be able to administer the NetScaler device.

Step 1: Log into your NetScaler. Expand System > Authentication > LDAP and click the Add button.

Step 2: Give the policy a Name, e.g. ‘AUTHPOL_LDAP_Administrators’. Set the Expression to ‘ns_true’. Click the + to add a new LDAP server to authenticate against.

Tip: If you keep the naming of policies, servers and profiles consistent, they are much easier to find once you have many policies on the NetScaler.

Step 3: Give the LDAP server profile a Name. I usually give it an imaginative name such as ‘AUTHSERVER_LDAP’. Fill out the essential information for this server profile.

Note: In this guide we are using the following recommended minimum examples:

IP Address / or Name: 192.168.1.11

Base DN: CN=Users,DC=Home,DC=Local

Admin Bind DN: admin@home.local (domain administrator account)

Admin Password: <password>

Search Filter: memberof= CN=Domain Admins,CN=Users,DC=home,DC=local

Server Logon Name Attribute: sAMAccountName

Group Attribute: memberof

Sub Attribute Name: cn

The bind account only needs read access to the user and group objects under the Base DN, so a dedicated low-privilege service account is sufficient for the Admin Bind DN; a domain administrator account is not required.

Tip: Be sure to click the Test Connection button once you have finished setting up this LDAP server profile, to ensure it connects to your LDAP server successfully.

Note: Use appropriate LDAP details for your environment. If you are unsure, consult your AD/LDAP/Authentication team.

Step 4: Tip: You can connect to a domain controller, or to any Windows machine with the RSAT tools installed, to establish your Base DN and Admin Bind DN by querying the accounts with dsquery user and dsquery group. For example, if I want the NetScaler to search the Users OU in AD, I can query a user name in that OU to get their Base DN; dsquery group gives the group details needed for the ‘Search Filter’.

Step 5: Click Test Connection and ensure your LDAP server is reachable.

Note: The Admin Password is not copied when you duplicate these settings at a later stage, so always re-enter it when creating additional AUTHSERVERs.

Step 6: Click Create at the bottom of the ‘Create Authentication LDAP Server’ window.

Step 7: Click Create on the ‘Create Authentication LDAP Policy’ window.

Step 8: Save the NetScaler configuration. Click YES to the ‘Are you sure’ message.

NetScaler SSH Command References:

Create LDAP Server:
add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword 1234561234561234561234561234561234561234561234561234561234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

Create LDAP Policy:
add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP
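The following is an added example, not code from this blog or from Citrix: an offline model of how the settings in the two policy posts above (Search Filter, Server Logon Name Attribute, Group Attribute, Sub Attribute Name) resolve a login, and why the AAA group name in the gateway post must match the AD group exactly. The DIRECTORY dictionary is a constructed stand-in for the AD server at 192.168.1.11, the user names and passwords in it are made up, and the matching rules only approximate real LDAP matching; the filter is written without the space after the equals sign.

```python
"""Offline model of a NetScaler LDAP server profile evaluating a login.

The Search Filter restricts who may bind, the Group Attribute / Sub Attribute
Name pair turns memberOf DNs into group names, and an AAA group only applies
when its name matches one of those names exactly (case sensitive).
Added example, not NetScaler code. DIRECTORY is a constructed stand-in for AD.
"""

# Profile settings taken from the posts (filter written without the space).
LDAP_BASE = "CN=Users,DC=Home,DC=Local"
LOGIN_NAME_ATTR = "sAMAccountName"   # Server Logon Name Attribute
GROUP_ATTR = "memberOf"              # Group Attribute
SUB_ATTR = "cn"                      # Sub Attribute Name
SEARCH_FILTER = "memberOf=CN=NetScaler Users,CN=Users,DC=home,DC=local"

# Constructed directory: DN -> attributes. Plain-text passwords exist only
# because this is an offline model; a real directory verifies the bind itself.
DIRECTORY = {
    "CN=Jane Smith,CN=Users,DC=home,DC=local": {
        "sAMAccountName": "jsmith",
        "userPassword": "correct horse battery",
        "memberOf": ["CN=NetScaler Users,CN=Users,DC=home,DC=local",
                     "CN=VPN Users,CN=Users,DC=home,DC=local"],
    },
    "CN=Bob Jones,CN=Users,DC=home,DC=local": {
        "sAMAccountName": "bjones",
        "userPassword": "hunter2",
        "memberOf": ["CN=VPN Users,CN=Users,DC=home,DC=local"],
    },
}

# RFC 4515 escapes: a typed login name must not be able to rewrite the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(login, search_filter=SEARCH_FILTER):
    """Effective search: login-name clause ANDed with the profile's Search Filter."""
    return f"(&({LOGIN_NAME_ATTR}={escape_filter_value(login)})({search_filter}))"


def _norm_dn(dn):
    # DN comparison ignores case and whitespace around the RDN separators.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _attr_matches(entry, attr, wanted):
    key = next((k for k in entry if k.lower() == attr.lower()), None)
    values = entry.get(key, [])
    if isinstance(values, str):
        values = [values]
    if attr.lower() == GROUP_ATTR.lower():                  # DN-valued attribute
        return any(_norm_dn(v) == _norm_dn(wanted) for v in values)
    return any(v.lower() == wanted.lower() for v in values)  # caseIgnore match


def find_user(login, search_filter=SEARCH_FILTER, base=LDAP_BASE):
    """Return (dn, entry) for the single entry under base matching both clauses."""
    attr, _, wanted = search_filter.partition("=")
    hits = [(dn, e) for dn, e in DIRECTORY.items()
            if _norm_dn(dn).endswith(_norm_dn(base))
            and _attr_matches(e, LOGIN_NAME_ATTR, login)
            and _attr_matches(e, attr.strip(), wanted.strip())]
    return hits[0] if len(hits) == 1 else None


def extract_group_names(entry):
    """Take the Sub Attribute (cn) out of each memberOf DN, as the profile does."""
    names = []
    for dn in entry.get(GROUP_ATTR, []):
        attr, _, value = dn.split(",")[0].partition("=")
        if attr.strip().lower() == SUB_ATTR.lower():
            names.append(value.strip())
    return names


def matching_aaa_groups(group_names, aaa_groups):
    """AAA group binding is an exact, case-sensitive string match."""
    return [g for g in aaa_groups if g in group_names]


def authenticate(login, password, aaa_groups):
    result = {"filter": build_filter(login), "ok": False,
              "groups": [], "aaa_groups": []}
    hit = find_user(login)
    if hit is None:            # not in the Search Filter group: no bind attempted
        return result
    _dn, entry = hit
    if entry["userPassword"] != password:   # bind as the found DN failed
        return result
    result["ok"] = True
    result["groups"] = extract_group_names(entry)
    result["aaa_groups"] = matching_aaa_groups(result["groups"], aaa_groups)
    return result


if __name__ == "__main__":
    print(authenticate("jsmith", "correct horse battery", ["NetScaler Users"]))
    print(authenticate("jsmith", "correct horse battery", ["netscaler users"]))
    print(authenticate("bjones", "hunter2", ["NetScaler Users"]))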


Netscaler VPX 10.1.121.10 load balancing of LDAPS broken

Situation: After an upgrade of our VPX devices to FW 10.1.121.10, intermittent authentication issues appeared for the Access Gateway users. They would simply fail the LDAP bind, yet all monitors were green and all services up. Our RADIUS and LDAP authentication point internally to a load-balancing VIP on the NetScaler first, before connecting to the individual servers.

Solution: At this stage Citrix support are investigating the issue. They have recognised it as a bug, and their workaround was to bypass the NetScaler load balancer for LDAPS and go direct to a specific server, or to downgrade to 10.1.120.13. The downgrade was not a solution for us, as we already had issues with the previous version's VPX networking and LACP negotiation.

Once we removed the internal LDAPS load balancer, the NetScalers started authenticating immediately.

We then added another policy, for a secondary authentication policy and server, so that we did not introduce a single point of failure.


Netscaler upgrade to 10.0.76.7 breaks authentication policy

Situation: We upgraded our NetScaler VPX from 10.0.70.7 to 10.0.76.7 and were then unable to authenticate to the NetScaler console using our LDAP credentials; users were also unable to authenticate at the Access Gateway pages.

Solution: During the VPX upgrade the NetScaler truncated the first 2 characters of each line of the authentication server section (including the password).

Either manually restore the information, or copy the authentication lines from a backup of the previous ns.conf.
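As an added example for the recovery step above (not code from this blog or from Citrix): a small script that compares the "add authentication" objects in a backup ns.conf with those in the current one and reports what is missing, altered or left as a damaged line, so the lines to re-enter can be taken from the backup instead of retyped. Both configuration texts below are constructed; the damage modelled is my reading of the post, each authentication line losing its first two characters, plus one bind password value that was clipped.

```python
"""Compare the 'add authentication' objects of a backup ns.conf with the
current ns.conf and report what is missing, altered or damaged.
Added example, not NetScaler code; both configs are constructed samples."""
import shlex

# Verbs a well-formed ns.conf line starts with; anything else lost its start.
VERBS = {"add", "set", "bind", "unbind", "rm", "enable", "disable", "link"}

BACKUP_NS_CONF = """\
set ns hostName ns01
add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword REDACTED -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword REDACTED -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScaler Users,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn
add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP
add authentication ldapPolicy AUTHPOL_LDAP_NSUsers ns_true AUTHSERVER_LDAP_NSUsers
bind system global AUTHPOL_LDAP_Administrators -priority 100
"""

# Constructed post-upgrade file: two lines lost their first two characters and
# one bind password value was clipped.
UPGRADED_NS_CONF = """\
set ns hostName ns01
d authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword REDACTED -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword DACTED -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScaler Users,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn
d authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP
add authentication ldapPolicy AUTHPOL_LDAP_NSUsers ns_true AUTHSERVER_LDAP_NSUsers
bind system global AUTHPOL_LDAP_Administrators -priority 100
"""


def parse_params(tokens):
    """Split '-flag value' pairs from positional words; bare flags become True."""
    positional, params, i = [], {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            params[tok] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            positional.append(tok)
            i += 1
    return positional, params


def auth_objects(conf_text):
    """Map object name -> parsed 'add authentication' line; collect damaged lines."""
    objects, damaged = {}, []
    for line in conf_text.splitlines():
        if "authentication" not in line:
            continue
        tokens = shlex.split(line)
        if len(tokens) >= 4 and tokens[:2] == ["add", "authentication"]:
            positional, params = parse_params(tokens[4:])
            objects[tokens[3]] = {"kind": tokens[2], "positional": positional,
                                  "params": params, "line": line}
        elif tokens and tokens[0] not in VERBS:
            damaged.append(line)          # no recognised verb: start of line lost
    return objects, damaged


def compare_auth_config(backup_text, current_text):
    backup, _ = auth_objects(backup_text)
    current, damaged = auth_objects(current_text)
    missing = sorted(name for name in backup if name not in current)
    changed = {}
    for name in backup:
        if name not in current:
            continue
        b, c = backup[name], current[name]
        diffs = sorted(k for k in set(b["params"]) | set(c["params"])
                       if b["params"].get(k) != c["params"].get(k))
        if b["positional"] != c["positional"]:
            diffs.append("positional")
        if diffs:
            changed[name] = diffs
    return {"missing": missing, "changed": changed, "damaged_lines": damaged}


def restore_commands(backup_text, report):
    """Backup 'add' lines for every missing or altered object. An altered object
    still exists on the box, so correct or remove it before re-adding."""
    backup, _ = auth_objects(backup_text)
    return [backup[name]["line"]
            for name in report["missing"] + sorted(report["changed"])]


if __name__ == "__main__":
    report = compare_auth_config(BACKUP_NS_CONF, UPGRADED_NS_CONF)
    print(report)
    for cmd in restore_commands(BACKUP_NS_CONF, report):
        print(cmd)
```

Run it against the real files by replacing the two constructed strings with the contents of the backup and the current /nsconfig/ns.conf; the bind password in the backup is the encrypted value, which is what the post says to copy across.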
