Tuesday, April 14, 2015

Configuring LDAPS / SSL for Citrix NetScaler LDAP authentication with Active Directory

I recently been asked about how to configure a NetScaler to authenticate against a domain controller when publishing XenApp / XenDesktop environments to utilize secure LDAP (LDAPS) via SSL and after realizing I’ve never written a blog post, I thought I’d do so.

The node in the NetScaler administration console we’re interested in is the Servers tab located in System –> Authentication –> LDAP:

image

Clicking on the Add button will bring up the following configuration options where we’re interested in using the port 636 for LDAPS rather than the unsecured 389 for LDAP and option SSL instead of PLAINTEXT:

imageimage

Prior to actually configuring the NetScaler settings, begin by configuring the Active Directory domain controllers the NetScaler appliance will be authenticating against.  I won’t go into the details to configure them for LDAPS as I’ve written a blog post about it before so I’ll simply include the post here:

Configure LDAPs an Active Directory Domain Controller for LDAP over SSL Connections
http://terenceluk.blogspot.com/2013/10/configure-ldaps-active-directory-domain.html

Once the domain controllers have been configured with a LDAPS certificate and verified to be accepting SSL encrypted connections navigate back to the Servers tab located in System –> Authentication –> LDAP and fill out the fields as such:

imageimage

Note that the Port has been specified to be 636 while the Security Type has been specified as SSL in the screenshots above.  Proceed with configuring additional Servers as required based on the amount of domain controllers you would like to authenticate against and once completed, bind them to the appropriate Virtual Servers in the NetScaler Gateway –> Virtual Servers objects.

--------------------------------------------------------------------------------------------------------------------------------------------------

One of the questions I get asked a lot when demonstrating this configuration to fellow colleagues, is if we have to import the root certificate of the certificate that the domain controllers will be using if the Certificate Authority (CA) is an internal Microsoft Certificate Services Authority and what I’ve noticed is that the authentication still works even if you skip this step.  I personally like to be on the safe side so I would go and import it onto the NetScaler anyways.

April 13, 2015 Update: As one of the comments from my original post notes, it is actually important to import the certificate because failing to do so would cause devices such as tablets (Androids and Apple) to present a:

Cannot verify this server’s certificate.

… or:

Invalid Server Certificate

This server certificate is not trusted.

Do you wish to accept this certificate and connect to the server anyway?

Contact your help desk if you are unsure.

For more information, check out the following blog post:

Android and Apple devices is presented with an “Invalid Server Certificate” warning and are unable to launch applications published through a NetScaler VPX
http://terenceluk.blogspot.com/2015/04/android-and-apple-devices-is-presented.html

-------------------------------------------------------------------------------------------------------------------------------------------------- 

Begin by going onto any one of the servers in the domain that has the Root CA certificate in the Trusted Root Certificates store and export the certificate as a Base-64 encoded X.509 (.CER) format:

image

image

Note that a Base-64 encoded X.509 (.CER) contains readable text in the exported file as shown in the following screenshot:

image

… while a DER encoded binary X.509 (.CER) contains binary code as such:

image

With the Root CA certificate exported, proceed by logging onto the NetScaler and navigating to Traffic Management –> SSL –> Certificates:

image

Clicking on the Install button will bring up the following menu:

image

As with all the other certificate menus on the NetScaler, I often find it confusing so the following is what you need to fill in if you are importing a certificate without a private key:

Certificate-Key Pair Name: A logical name you’d like to call this certificate (type in anything you like)

Certificate File Name: Click on the browse button, upload and select the .CER file you’ve exported

Key File Name: <blank> <—we’re not importing a certificate with a private key so there is no password

Certificate Format: PEM

Password: <blank> <—we’re not importing a certificate with a private key so there is no password

image

Clicking on the Install button will complete the import.

image

Note the differences between a certificate that the NetScaler has the private key (the middle certificate) and a certificate that the NetScaler does not have the private key (the one at the bottom).

image

3 comments:

electronic signature pad said...

Nice post! Provides some good info for people evaluating different approaches.

Anonymous said...

Many thanks for sharing. I couldn't find a Citrix article for this.

Monika Gupta said...

Nice Post, thank you very much for sharing.