Friday 27 February 2015

Citrix NetScaler 10.5 VPX Configuring Active Directory Authentication

It is possible to integrate the Netscaler with Active Directory for administrator authentication. This means that administrators can use their dedicated admin account to log in to the Netscaler and make configuration changes, which saves organizations from having to manage a local user database on the Netscaler appliances. You should, however, always have at least one backup local "super user" account to hand in case the LDAP integration breaks for some reason.

Log in to the Netscaler using local credentials, expand System and then Authentication, and click the LDAP option.

In the Name field enter something descriptive for the policy you are about to create; I have chosen "AD Connector" in my environment. Click the + button next to the Server field.

When the Create Authentication LDAP Server window opens you must populate it with details specific to your network. As this is only a test lab I do not have DNS set up correctly, so I have used the IP of a Domain Controller. In addition, I have chosen to use ordinary LDAP rather than LDAPS, which you really should be using in a production network. By default LDAP uses TCP port 389 and LDAPS uses TCP port 636.

Scroll down within the same window until you get to Connection Settings. These settings again must be populated to match your infrastructure. The Base DN should be taken from the root of the Domain. You can view it in Active Directory Users and Computers (ADUC) by enabling Advanced Features from the View menu and then opening the Attribute Editor tab.

You can find the Administrator's Bind DN in exactly the same way; the screenshots below show exactly where these details can be viewed. Tick the BindDN Password box and enter the password for the Administrator account you have used.

Scroll down further until you see the following properties. Populate these to be the same as mine, except for the Group Attribute field, which should be set to the Active Directory group you are going to use to manage the users that are authorized to access the Netscaler. Append "memberof=" before the CN path. Click OK.

When you are back on the Configure Authentication page you must add an expression; all this needs to be set to is ns_true. Click OK once this is in place.

From the Policies screen you will notice that the policy is not bound to anything; for it to apply across the entire Netscaler it must be globally bound. Click the policy once to highlight it and select Global Bindings.

Select the policy from the Policy Binding drop down, and leave the priority at 100. Click Bind.

The icon under Globally Bound? should now change to a green tick.

The next step is to create a Netscaler security group to map to the Active Directory security group. From System, expand User Administration and click Groups.

You must create a security group with EXACTLY THE SAME NAME AS THE ACTIVE DIRECTORY GROUP otherwise it will not work.

Scroll down to Policy Name and give the group "superuser" permissions. Click Create.

Save the settings.

Now users who are in the Active Directory security group should be able to log in to the Netscaler using DOMAIN\User with their Active Directory password.
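For reference, the whole procedure above can also be entered as NetScaler CLI commands. The block below is an added illustration, not taken from the original post: the IP address 192.0.2.10, the lab.local domain, the local user "breakglass", the group name "NetScaler Admins" and the angle-bracket passwords are placeholders to replace with your own values. Two points worth knowing when you move from the GUI to the CLI: the "memberof=CN=..." string from the Group Attribute step is the LDAP search filter, while the group attribute itself is memberOf with CN as the sub-attribute, so that the group name the Netscaler extracts matches the system group you create; and the LDAPS variant is shown with certificate validation so a spoofed Domain Controller cannot answer the bind. The comment lines are for the reader and should be stripped before pasting into the CLI.

```nscli
# Added example: NetScaler CLI equivalent of the GUI steps in this post.
# Placeholders: 192.0.2.10, lab.local, breakglass, "NetScaler Admins", <...> passwords.

# 1. Backup local super user, kept in case the LDAP integration breaks.
add system user breakglass <local-password>
bind system user breakglass superuser 100

# 2. LDAP server ("AD Connector" in the GUI). Plain LDAP on 389, as in the lab.
#    groupAttrName/subAttributeName make the Netscaler read the CN out of each
#    memberOf value; searchFilter restricts logins to members of the admin group.
add authentication ldapAction AD_Connector -serverIP 192.0.2.10 -serverPort 389 -secType PLAINTEXT -ldapBase "DC=lab,DC=local" -ldapBindDn "CN=Administrator,CN=Users,DC=lab,DC=local" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -searchFilter "memberOf=CN=NetScaler Admins,OU=Groups,DC=lab,DC=local"

# 2b. Production variant: LDAPS on 636 with the server certificate validated
#     (use this instead of the command above outside a lab).
# add authentication ldapAction AD_Connector -serverIP 192.0.2.10 -serverPort 636 -secType SSL -validateServerCert YES -ldapBase "DC=lab,DC=local" -ldapBindDn "CN=Administrator,CN=Users,DC=lab,DC=local" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -searchFilter "memberOf=CN=NetScaler Admins,OU=Groups,DC=lab,DC=local"

# 3. Policy with the ns_true expression, bound globally at priority 100.
add authentication ldapPolicy AD_Connector_pol ns_true AD_Connector
bind system global AD_Connector_pol -priority 100

# 4. Netscaler system group whose name matches the AD group CN exactly,
#    given superuser rights via the command policy.
add system group "NetScaler Admins"
bind system group "NetScaler Admins" -policyName superuser -priority 100

# 5. Save and verify what was created.
save ns config
show authentication ldapAction AD_Connector
show authentication ldapPolicy AD_Connector_pol
show system group "NetScaler Admins"
```

Using a dedicated, least-privileged service account for the Bind DN rather than the domain Administrator account limits what an attacker gains if the Netscaler configuration (which stores that password) is ever read, and the breakglass local account should be the only local account that keeps superuser rights.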