LDAP authentication with Citrix NetScaler 11.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
In the previous post, we configured the load balancing for our domain controllers. In this post we will configure LDAP authentication using the previously created LB virtual server.
The goal here is to allow users of the RemoteUsers AD group to connect to the external StoreFront website and users of the NetScalerAdmins AD group to connect to the console.
This is useful if you don’t want all your users to have external access by default.
Requirements
- Active Directory controllers load balancing configured (see Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11)
- AD service account for LDAP queries
- Two Active Directory groups with test users
- Manual LDAP queries are working. You can test with ldp.exe.
Lab configuration
- Active Directory controllers load balancing configured in Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- LB VIP for LDAPS: 192.168.1.20
- Service account: citrixguru\svc_ldap
- Remote users AD group: citrixguru.lab/groups/remoteusers
  - citrixguru\user1 is a member of the group
  - Authorized to connect to NetScaler Gateway
- NetScaler Admins AD group: citrixguru.lab/groups/netscaleradmins
  - citrixguru\administrator is a member of the group
  - Authorized to connect to the NetScaler admin console
Policy for users
Create authentication policy for users
Go to NetScaler > System > Authentication > LDAP > Servers, select Add.
- Name: vslb-ldap-remoteusers
- Server IP: 192.168.1.20 (LB VIP LDAPS)
- Security type: SSL
- Port: 636
- Server Type: AD
- Time-out: 3 secs
- Base DN: dc=citrixguru,dc=lab
- Administrator Bind: svc_ldap@citrixguru.lab
- Check Bind password and type the password
- Server logon name attribute: sAMAccountName
- Search Filter: memberOf=CN=RemoteAccess,OU=Groups,DC=citrixguru,DC=lab
- Group attribute: memberOf
- Sub attribute name: cn
- Check Allow password change
add authentication ldapAction vslb-ldap-remoteusers -serverIP 192.168.1.20 -serverPort 636 -ldapBase "dc=citrixguru,dc=lab" -ldapBindDn svc_ldap@citrixguru.lab -ldapBindDnPassword <PWD> -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=RemoteAccess,OU=Groups,DC=citrixguru,DC=lab" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
Go to NetScaler > System > Authentication > LDAP > Policies, select Add.
- Name: LDAP_POL_REMOTEUSERS
- Server: vslb-ldap-remoteusers
- Expression: ns_true
add authentication ldapPolicy LDAP_POL_REMOTEUSERS ns_true vslb-ldap-remoteusers
Bind policy to NetScaler Gateway virtual server
Go to NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers and select the virtual server you want to modify.
Go to Authentication and select +.

Choose Type.
- Policy: LDAP
- Type: Primary

Bind LDAP_POL_REMOTEUSERS policy.
Priority 0.

The policy is bound to the virtual server.
bind vpn vserver <vServerName> -policy LDAP_POL_REMOTEUSERS
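The search filter configured above is what limits gateway logons to one AD group. As an added example (not from the original post or from Citrix), this Python sketch builds the filter to try by hand in ldp.exe, assuming the appliance queries for the logon attribute ANDed with the search filter, and evaluates direct versus nested membership over a constructed directory; user2, user3 and the Contractors group are hypothetical.

```python
# Values marked "page" come from the post; everything else is constructed for the example.
SEARCH_FILTER = "memberOf=CN=RemoteAccess,OU=Groups,DC=citrixguru,DC=lab"  # page
LOGIN_ATTR = "sAMAccountName"                                              # page
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule for transitive (nested) membership
GROUP = SEARCH_FILTER.partition("=")[2]
NESTED = "CN=Contractors,OU=Groups,DC=citrixguru,DC=lab"   # hypothetical nested group
DIRECTORY = {"user1": [GROUP], "user2": [], "user3": [NESTED]}  # login -> direct memberOf
GROUP_MEMBER_OF = {NESTED: [GROUP]}   # Contractors is itself a member of RemoteAccess

def escape_value(value):
    """Escape a filter value per RFC 4515 so a login name cannot change the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def effective_filter(login, search_filter=SEARCH_FILTER, nested=False):
    """Filter to paste into ldp.exe: logon attribute AND the group restriction."""
    attr, _, group_dn = search_filter.partition("=")
    rule = f":{IN_CHAIN}:" if nested else ""
    return f"(&({LOGIN_ATTR}={escape_value(login)})({attr}{rule}={group_dn}))"

def is_member(login, group_dn, nested=False):
    """Directory answer: direct memberOf match, or (nested=True) a walk up the group chain."""
    seen, todo = set(), list(DIRECTORY.get(login, []))
    while todo:
        dn = todo.pop()
        if dn.lower() == group_dn.lower():
            return True
        if nested and dn not in seen:
            seen.add(dn)
            todo.extend(GROUP_MEMBER_OF.get(dn, []))
    return False

if __name__ == "__main__":
    for login in DIRECTORY:
        print(effective_filter(login), is_member(login, GROUP),
              is_member(login, GROUP, nested=True))
```

A plain memberOf filter matches direct members only, so a user who belongs to the group through a nested group fails the check unless the filter uses the in-chain matching rule.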
Policy for management
Create authentication policy for admins (NetScaler management)
Go to NetScaler > System > Authentication > LDAP > Servers, select Add.
- Name: vslb-ldap-admins
- Server IP: 192.168.1.20 (LB VIP LDAPS)
- Security type: SSL
- Port: 636
- Server Type: AD
- Time-out: 3 secs
- Base DN: dc=citrixguru,dc=lab
- Administrator Bind: svc_ldap@citrixguru.lab
- Check Bind password and type the password
- Server logon name attribute: sAMAccountName
- Search Filter: memberOf=CN=NetscalerAdmins,OU=Groups,DC=citrixguru,DC=lab
- Group attribute: memberOf
- Sub attribute name: cn
- Check Allow password change
add authentication ldapAction vslb-ldap-admins -serverIP 192.168.1.20 -serverPort 636 -ldapBase "dc=citrixguru,dc=lab" -ldapBindDn svc_ldap@citrixguru.lab -ldapBindDnPassword <PWD> -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScalerAdmins,OU=Groups,DC=citrixguru,DC=lab" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
Go to NetScaler > System > Authentication > LDAP > Policies, select Add.
- Name: LDAP_POL_ADMINS
- Server: vslb-ldap-admins
- Expression: ns_true
add authentication ldapPolicy LDAP_POL_ADMINS ns_true vslb-ldap-admins
Bind policy to global
Go to NetScaler > System > Authentication > LDAP > Policies.

Select Global Bindings, then select the policy for admins (LDAP_POL_ADMINS).

Select Bind to validate, then Done to apply.

The policy is now bound.
bind system global LDAP_POL_ADMINS -priority 100
Configure NetScaler admins
Go to NetScaler > System > User administration > Groups and select Add.
- Name: NetscalerAdmins
- Idle: 900 secs
- Policy name: Superuser
add system group NetscalerAdmins -timeout 900
Superuser policy allows all commands.
bind system group NetscalerAdmins -policyName superuser 100
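The management setup above depends on three settings holding together: an encrypted channel, a search filter that restricts logon to one group, and a global binding. As an added example (not from the original post or from Citrix), this Python check reads the relevant lines of a saved configuration and reports LDAP actions that drop one of them; the ldap-weak action and LDAP_POL_WEAK policy are constructed to show the findings.

```python
import shlex

# Constructed ns.conf excerpt: the page's admin action plus a deliberately weak variant.
NS_CONF = '''
add authentication ldapAction vslb-ldap-admins -serverIP 192.168.1.20 -serverPort 636 -ldapBase "dc=citrixguru,dc=lab" -ldapBindDn svc_ldap@citrixguru.lab -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScalerAdmins,OU=Groups,DC=citrixguru,DC=lab" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
add authentication ldapAction ldap-weak -serverIP 192.168.1.20 -serverPort 389 -ldapBase "dc=citrixguru,dc=lab" -ldapBindDn svc_ldap@citrixguru.lab -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType PLAINTEXT -passwdChange ENABLED
add authentication ldapPolicy LDAP_POL_ADMINS ns_true vslb-ldap-admins
add authentication ldapPolicy LDAP_POL_WEAK ns_true ldap-weak
bind system global LDAP_POL_WEAK -priority 90
bind system global LDAP_POL_ADMINS -priority 100
'''

def options(tokens):
    """Turn ['-key', 'value', '-flag', ...] into a dict; bare flags map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i].lstrip("-").lower()] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def audit(conf):
    """Return (action, finding) pairs for LDAP actions that weaken the page's setup."""
    actions, policies, global_bound, findings = {}, {}, set(), []
    for line in conf.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "authentication", "ldapAction"]:
            actions[t[3]] = options(t[4:])
        elif t[:3] == ["add", "authentication", "ldapPolicy"]:
            policies[t[3]] = t[5]  # policy name -> LDAP action name
        elif t[:3] == ["bind", "system", "global"]:
            global_bound.add(t[3])
    mgmt_actions = {act for pol, act in policies.items() if pol in global_bound}
    for name, opt in actions.items():
        scope = "management logon" if name in mgmt_actions else "not globally bound"
        secure = str(opt.get("sectype", "")).upper() in ("SSL", "TLS")
        if not secure:
            findings.append((name, "secType is not SSL or TLS"))
        if "searchfilter" not in opt:
            findings.append((name, f"no searchFilter, no group restriction ({scope})"))
        if not secure and str(opt.get("passwdchange", "")).upper() == "ENABLED":
            findings.append((name, "passwdChange ENABLED without an encrypted channel"))
    return findings

if __name__ == "__main__":
    for action, finding in audit(NS_CONF):
        print(f"{action}: {finding}")
```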
Testing
- Try to connect to the external StoreFront with an account that is a member of RemoteUsers
- Try to connect to the NetScaler console with an account that is a member of NetScalerAdmins
Troubleshooting
Go to NetScaler > Authentication > Dashboard.

Go to NetScaler > Authentication > Logs.
