CTX123782

How to Configure LDAP Authentication on Citrix ADC (NetScaler) Appliance for Management Purposes

Applicable Products

  • Citrix ADC
  • Citrix Gateway

Objective

This article describes how to configure user logon to the Citrix ADC (NetScaler) appliance using Active Directory credentials (username and password) for management purposes (superuser, read-only, network privileges and all others).

Requirements

  • Windows Active Directory domain controller servers
  • A dedicated domain group for NetScaler administrators
  • NetScaler Gateway 10.1 or later

Instructions

Overview diagram of configuring LDAP Authentication on the NetScaler


Adding new administrators on the NetScaler


NetScaler GUI

  1. Creating LDAP Server
  2. Creating LDAP Policy
  3. Binding LDAP Policy
  4. Assign privileges to your administrators
    1. Scenario A. Applying Privileges on Group
    2. Scenario B. Applying Privileges Individually for Each User

To configure user logon on a NetScaler appliance (for management purposes), complete the following tasks:

1. Creating LDAP Server

Add an Authentication Server from the System > Authentication > LDAP > Server tab, complete the required fields as shown in the example screenshot, and click Create.

LDAP Server configuration

In this example, we limit access to the NetScaler by filtering authentication on the user's group membership by setting Search Filter. The value used for this example is: &(memberof=CN=NSG_Admin,OU=AdminGroups,DC=Citrix,DC=lab)

Because this search filter is configured, anyone who is not a member of the NSG_Admin group will not be able to log on to the NetScaler management interface.
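To see exactly which accounts the search filter above lets through, here is an added example (not part of this article, and not Citrix code) that evaluates the filter against constructed directory entries. It assumes the appliance wraps the configured value in parentheses and ANDs it with the login-name match, giving (&(<filter>)(sAMAccountName=<user>)); the entry data and the nested group NSG_Tier2 are constructed for the example.

```python
# Constructed sample AD entries (not real accounts): attribute -> values.
# carol is only a direct member of NSG_Tier2 (nested inside NSG_Admin); AD's
# memberOf attribute lists direct memberships only, so she will not match.
DIRECTORY = {
    "alice": {"sAMAccountName": ["alice"],
              "memberOf": ["CN=NSG_Admin,OU=AdminGroups,DC=citrix,DC=lab"]},
    "bob":   {"sAMAccountName": ["bob"],
              "memberOf": ["CN=Helpdesk,OU=Groups,DC=citrix,DC=lab"]},
    "carol": {"sAMAccountName": ["carol"],
              "memberOf": ["CN=NSG_Tier2,OU=AdminGroups,DC=citrix,DC=lab"]},
}
# The value typed into the NetScaler Search Filter field, as given in the article.
SEARCH_FILTER = "&(memberof=CN=NSG_Admin,OU=AdminGroups,DC=Citrix,DC=lab)"

def combined_filter(login_attr, user, search_filter):
    """Assumed appliance behaviour: wrap the configured value in parentheses
    and AND it with the login-name match: (&(<filter>)(<attr>=<user>))."""
    return f"(&({search_filter})({login_attr}={user}))"

def parse(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset needed here (&, |, !
    and attr=value). Returns (node, index just past the closing parenthesis)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        assert s[i] == ")", f"expected ')' at offset {i}"
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names and DN
    values compare case-insensitively (so DC=Citrix matches DC=citrix)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False

def can_log_on(user):
    """True if the account is found by the combined filter, i.e. the appliance
    would go on to try the password bind for it."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    tree, _ = parse(combined_filter("sAMAccountName", user, SEARCH_FILTER))
    return matches(tree, entry)
```

Nested group members (carol) are not matched because memberOf only lists direct groups; matching through nested groups needs Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule (memberOf:1.2.840.113556.1.4.1941:=) in the filter instead.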


2. Creating LDAP Policy

Add an Authentication policy from the System > Authentication > Advanced Policies tab. We use advanced authentication policies instead of basic authentication policies so that we can use advanced expressions. Classic expressions (such as ns_true) used in basic authentication policies are deprecated in firmware release 13.0 and are unusable in firmware release 13.1 onward. Enter a name for the policy, select the server that you created in Step 1 from the drop-down menu, type true in the Expression text field, and click Create:



3. Binding LDAP Policy

Go to Global Bindings > Add Binding > Click to Select field and choose the newly created policy (in this example, pol_LDAPmgmt). Choose a priority accordingly (the lower the number, the higher the priority), click Bind and then Done.



4. Assign privileges to your administrators

You can choose between two options:

  • Add a new group on the NetScaler and assign the same access rights to every user who is a member of this group.
  • Create an administrator account for each user and assign the correct rights to each of them.


Scenario A. Applying Privileges on Group

In this scenario, users who are members of your Active Directory group configured in the search filter (in this example, NSG_Admin) will be able to connect to the NetScaler management interface and will have the superuser command policy.

Add a new system group to the NetScaler, under System > User Administration > Groups. This defines the Active Directory group that the users are members of and the Command Policy level that is associated with the account when logging in. Then, click Create.
Note: The Group Name has to match the Active Directory record exactly.

System Administrators Group

Adding New Administrators

Just add the new administrator users to the LDAP group you configured on the search filter in Step 1.


Scenario B. Applying Privileges Individually for Each User

In this scenario, users who are members of your Active Directory group configured in the search filter (in this example, NSG_Admin) will be able to connect to the NetScaler management interface but will not have any privileges until you create the specific user on the NetScaler and bind a command policy to it. This scenario lets you assign administrative rights per user.

Add a new system user to the NetScaler, under System > User Administration > Users. This defines the Active Directory user and the Command Policy level that is associated with the account when logging in. Be sure Enable External Authentication is checked. Then, click Continue.

Note: The username has to match the existing Active Directory user record exactly.

Important: Uncheck External Authentication for the nsroot account. Once an authentication policy is bound globally (as in the steps above), leaving it checked would let a user who creates an nsroot account in the domain access the appliance without knowing the local nsroot credential. This is a security recommendation.

When you add a user to the NetScaler for external authentication, you must provide a local password in case external authentication is unavailable. For external authentication to work properly, the internal password must not match the user's LDAP password.

User creation 1-2

Under Bindings, click System Command Policy. Depending on your needs, choose the right Command Policy to apply to your user. Bind the desired command policy, click Close and then Done.

Command policy binding

Adding New Administrators

  1. Add the new administrator users to the LDAP group you configured on the search filter in Step 1.
  2. Create the new system user in NetScaler and assign the correct command policy.


NetScaler CLI

Use the following commands as a guide to configure logon for a group with Superuser privileges on the NetScaler appliance CLI:

# 1. Creating LDAP Server
# Port 636 is LDAPS, so the connection security type is set to SSL; replace <bind_password> with the bind account's password.
add authentication ldapAction LDAP_mgmt -serverIP 1.2.3.4 -serverPort 636 -secType SSL -ldapBase "DC=citrix,DC=lab" -ldapBindDn readonly@citrix.lab -ldapBindDnPassword <bind_password> -ldapLoginName sAMAccountName -searchFilter "&(memberof=CN=NSG_Admin,OU=AdminGroups,DC=citrix,DC=lab)" -groupAttrName memberOf

# 2. Creating LDAP Policy
add authentication policy pol_LDAPmgmt -rule true -action LDAP_mgmt

# 3. Binding LDAP Policy
bind system global pol_LDAPmgmt -priority 110

# 4. Assign privileges to your administrators

### Scenario A. Applying privileges on the group
add system group NSG_Admin
bind system group NSG_Admin -policyName superuser 100

### Scenario B. Applying the privileges individually for each user
add system user admyoa
bind system user admyoa superuser 100
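As an added check (example code written for this page, not a Citrix tool), the script below audits the management-authentication lines of an ns.conf against the points made in this article: that nsroot must not accept external authentication once a policy is bound globally, that a Scenario B user has no privileges until a command policy is bound, and who ends up with superuser. The ns.conf excerpt is constructed, and the assumption that -externalAuth defaults to ENABLED when omitted is marked in the code.

```python
import shlex

# Constructed ns.conf excerpt (not from a real appliance). It mirrors the CLI
# section above and adds two things worth catching: nsroot still accepting
# external authentication, and an external user with no command policy bound.
NS_CONF = """\
add authentication ldapAction LDAP_mgmt -serverIP 1.2.3.4 -serverPort 636 -ldapBase "DC=citrix,DC=lab" -ldapLoginName sAMAccountName -searchFilter "&(memberof=CN=NSG_Admin,OU=AdminGroups,DC=citrix,DC=lab)"
add authentication policy pol_LDAPmgmt -rule true -action LDAP_mgmt
bind system global pol_LDAPmgmt -priority 110
set system user nsroot -externalAuth ENABLED
add system user admyoa <hash-placeholder> -encrypted -externalAuth ENABLED
bind system user admyoa superuser 100
add system user auditor <hash-placeholder> -encrypted -externalAuth ENABLED
add system group NSG_Admin
bind system group NSG_Admin -policyName superuser 100
"""

def option(tokens, name, default):
    """Value following option `name` in a tokenised command line, else default."""
    return tokens[tokens.index(name) + 1] if name in tokens else default

def audit(conf):
    """Audit the management-auth lines of an ns.conf. Returns the findings and
    who holds the superuser command policy (directly or via a system group)."""
    global_auth, ext_auth, user_policy, group_policy = False, {}, {}, {}
    for line in conf.splitlines():
        t = shlex.split(line)
        if not t:
            continue
        if t[:3] == ["bind", "system", "global"]:
            global_auth = True
        elif t[:3] in (["add", "system", "user"], ["set", "system", "user"]):
            # -externalAuth is taken to default to ENABLED when omitted (assumed).
            ext_auth[t[3]] = option(t, "-externalAuth", "ENABLED") == "ENABLED"
        elif t[:3] == ["bind", "system", "user"]:
            user_policy[t[3]] = t[4]
        elif t[:3] == ["bind", "system", "group"]:
            group_policy[t[3]] = option(t, "-policyName", None)
    findings = []
    if global_auth and ext_auth.get("nsroot", True):
        findings.append("nsroot: external authentication enabled while an "
                        "authentication policy is bound globally")
    for user, ext in ext_auth.items():
        if ext and user != "nsroot" and user not in user_policy:
            findings.append(f"{user}: external user without a command policy")
    superusers = sorted([u for u, p in user_policy.items() if p == "superuser"] +
                        [f"group:{g}" for g, p in group_policy.items() if p == "superuser"])
    return {"findings": findings, "superusers": superusers}
```

Run it over a saved ns.conf after completing the steps above; an empty findings list and the expected superuser inventory confirm the configuration matches the article.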
