Creating a Citrix NetScaler LDAP Authentication Policy for Users
In this walkthrough we will create an LDAP policy for basic users of the NetScaler to authenticate against things like a new Virtual NetScaler Gateway.
This profile however will be identical to the previous administrators policy, only we will be looking for another AD group. Instead of ‘Domain Admins’ we will look for users who are members of the LDAP group called ‘NetScaler Users’.
| Step | Description | Screenshot |
| Log into your NetScaler
Expand System > Authentication > LDAP Click the Servers Tab Tick the already existing AUTHServer_LDAP Click the Add button Tip: Because we selected the already created server profile the configuration details of that profile will be automatically copied into this new policy as ‘defaults’ Note: The LDAP bind password is not copied when you duplicate these settings from a previously created policy so always be sure to re-enter them when creating additional AUTHSERVERS and test |
 |
|
| Give the LDAP server profile a Name
e.g. AUTHSERVER_LDAP_NSUsers Provide the following details of your LDAP server: IP Address / or Name Base DN Admin Bind DN Admin Password: Be Sure to RETYPE YOUR PASSWORD and click TEST Server Logon Name Attribute: sAMAccountName Group Attribute: memberof Sub Attribute Name: cn Note: In this guide we are using the following specific details as working examples IP Address / or Name: 192.168.1.11 Base DN: CN=Users,DC=Home,DC=Local Admin Bind DN: admin@home.local Admin Password: <password> Search Filter: memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local |
Note: You should use appropriate LDAP details for your environment. If you are unsure consult with your AD/LDAP/Authentication team. |
|
| Tip: You can connect to your AD controller or any Windows machine with the Remote Server Administration Tools (RSAT) installed to establish your base DN and admin bind DN by querying the accounts using dsquery user and dsquery group | Examples:
If you need to obtain the Group details for the ‘Search Filter’
|
|
| Click Test Connection and ensure your LDAP server is reachable | 
Note: The LDAP bind password is not copied when you duplicate these settings from a previously created policy so always be sure to re-enter them when creating additional AUTHSERVERS and test |
|
| Click Create at the bottom of the ‘Create Authentication LDAP Server’ |  |
|
| Create another LDAP Policy to bind this new server profile to
Click the Policies tab Tick the existing policy Click Add Note: Because we selected the already created server profile the configuration details of that profile will be copied freshly as a new Server Profile |
 |
|
| Simply rename the policy to something new like AUTHPOL_LDAP_NSUsers
Link this new policy to the previously created server profile in steps 1-5 by selecting AUTHSERVER_LDAP_NSUsers from the drop down Leave the Expression as is: ns_true Click Create |
 |
|
| Two LDAP Authentication policies now exist and can be used for authenticating users on the NetScaler
Note: The Administrators policy is the only policy presently bound to the NetScaler |
 |
NetScaler SSH Command References:
| Create LDAP Server | add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase “CN=Users,DC=Home,DC=Local” -ldapBindDn admin@home.local -ldapBindDnPassword 1234123412341234123412341234123412341234123412341234123412341234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter “memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local” -groupAttrName memberOf -subAttributeName cn | |
| Create LDAP Policy | add authentication ldapPolicy AUTHPOL_LDAP_NSUsers ns_true AUTHSERVER_LDAP_NSUsers |
If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud
Signup below to receive a free 200 page Citrix NetScaler Introduction guide!
[mc4wp_form id=”2763″]
