Saturday, June 6, 2015

Configure NetScaler Appliance to allow administration with Active Directory accounts

One of the most common configurations I’ve done for clients with NetScaler Appliances is to allow administration with Active Directory accounts since the nsroot account should be protected and logging in with individual user accounts can provide auditing trails.  I’ve found that NetScaler documentation from Citrix is usually a hit and miss as most still demonstrate configurations with version 8 or older even though version 10 have so many of the configuration settings reorganized into different nodes.  This post serves to provide a clear demonstration of configuring AD authentication with version 10 or higher.

Begin by logging into the NetScaler administration console via the NSIP:

image

Navigate to System > Authentication > LDAP and click on the Servers tab:

image

Continue by clicking on the Add button to create Active Directory Domain Controller server objects:

image

Note that from here, you have the option of creating Domain Controller objects that use regular LDAP on port 389 which does not encrypt traffic or LDAPS on port 636 which does.  Using LDAPS requires a CA and configuration on the domain controllers.  For more information, see my previous post here:

Configure LDAPs an Active Directory Domain Controller for LDAP over SSL Connections
http://terenceluk.blogspot.co.uk/2013/10/configure-ldaps-active-directory-domain.html

Proceed by filling in the following:

Name: <Logical name representing the domain controller>

Server Name: <You can user a DNS name or IP address>

Security Type: <PLAINTEXT, TLS or SSL>

Port: <This gets automatically assigned>

Server Type: <AD>

Time-out (seconds): <Default of 3 seconds)>

Base DN (location of users): <Where you want the NetScaler to start looking for accounts. I usually just put the root of the domain in>

Administrator Bind DN: <The Distinguished Name of the service account that will be used to authenticate the user>

BindDN Password: <The password of the Administrator Bind DN account>

Server Logon Name Attribute: <sAMAccountName>

imageimage

Create as many domain controller objects as required:

image

Proceed by clicking on the Policies tab and then the Add button to create an authentication policy using the server objects that were created:

image

In the Create Authentication LDAP Policy window, provide a logical name for the policy then select a domain controller server object that was created for the Server field, type in ns_true for the Expression and then click on the Create button:

image

image

Repeat the same procedure for the other domain controllers:

image

With the policies created, click on the Global Bindings button:

image

Add a policy created earlier and assign an appropriate priority:

image

image

image

image

With the first policy binded, repeat the same procedure and add the other created policies by clicking on the Add Binding button:

image

Next, navigate to System > User Administration > Groups and click on the Add button to create a group object in the NetScaler to represent the Active Directory group in the authenticating domain:

image

image

Type in the group name of the Active Directory group and make sure it is *exactly* the same then click on the Insert button under Command Policies:

image

In the Command Policies window, select superuser if you would like to grant nsroot permissions then click on the Insert button:

image

With superuser permissions granted, proceed and click on the Create button to complete the creation of the System Group:

image

image

Ensure that your Active Directory group is named exactly the same:

image

You should now be able to log into the NetScaler appliance with domain\<username> as the User Name with the appropriate AD password.

image

1 comment:

Carl Stalhood said...

One caution with adding mutliple LDAP policies pointing to mutliple domain controllers in the same domain is premature account lockout. If you mistype your password, the failed logon attempt is recorded with each of the domain controllers you add here. To mitigate this, load balance your LDAP.