
Tag: authentication

Creating a Citrix NetScaler LDAP Authentication Policy for Users

In this walkthrough we will create an LDAP policy for ordinary users of the NetScaler, so that they can authenticate to things like a new NetScaler Gateway virtual server.

This profile is identical to the administrators policy created previously, except that it looks for a different AD group: instead of ‘Domain Admins’ we will match users who are members of the LDAP group called ‘NetScaler Users’.

Log into your NetScaler

Expand System > Authentication > LDAP

Click the Servers Tab

Tick the already existing AUTHServer_LDAP

Click the Add button

Tip: Because we ticked an existing server profile before clicking Add, its configuration details are automatically copied into the new profile as ‘defaults’

Note: The LDAP bind password is not copied when you duplicate these settings from a previously created profile, so always be sure to re-enter it when creating additional AUTHSERVERS, and test the connection

Give the LDAP server profile a Name

e.g. AUTHSERVER_LDAP_NSUsers

Provide the following details of your LDAP server:

IP Address / or Name

Base DN

Admin Bind DN

Admin Password: Be Sure to RETYPE YOUR PASSWORD and click TEST

Server Logon Name Attribute: sAMAccountName

Group Attribute: memberof

Sub Attribute Name: cn

Note: In this guide we are using the following specific details as working examples

IP Address / or Name: 192.168.1.11

Base DN: CN=Users,DC=Home,DC=Local

Admin Bind DN: admin@home.local

Admin Password: <password>

Search Filter: memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local

Note: You should use appropriate LDAP details for your environment. If you are unsure consult with your AD/LDAP/Authentication team.

Tip: You can connect to your AD domain controller, or any Windows machine with the Remote Server Administration Tools (RSAT) installed, to establish your Base DN and Admin Bind DN by querying the accounts with dsquery user and dsquery group. Examples:

If you need to obtain the Group details for the ‘Search Filter’

Click Test Connection and ensure your LDAP server is reachable


Click Create at the bottom of the ‘Create Authentication LDAP Server’ window

Now create another LDAP policy and bind this new server profile to it

Click the Policies tab

Tick the existing policy

Click Add

Note: Because we ticked the existing policy before clicking Add, its settings are copied into the new policy as a starting point

Rename the policy to something new, e.g. AUTHPOL_LDAP_NSUsers

Link this new policy to the server profile created in the steps above by selecting AUTHSERVER_LDAP_NSUsers from the drop-down

Leave the Expression as is: ns_true

Click Create

Two LDAP Authentication policies now exist and can be used for authenticating users on the NetScaler

Note: The Administrators policy is the only policy presently bound to the NetScaler

NetScaler SSH Command References:

Create LDAP Server:
add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword 1234123412341234123412341234123412341234123412341234123412341234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn

Create LDAP Policy:
add authentication ldapPolicy AUTHPOL_LDAP_NSUsers ns_true AUTHSERVER_LDAP_NSUsers
If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Signup below to receive a free 200 page Citrix NetScaler Introduction guide!


Binding a Citrix NetScaler Global LDAP Authentication Policy for Admins

In this walkthrough we will create an LDAP policy for administrators of the NetScaler and bind it globally to the NetScaler

1 Log into your NetScaler

Expand System > Authentication > LDAP

Tick the newly created policy and click Global Bindings

2 Click the > button to choose your newly created LDAP policy

Then click Select

Click Bind on the System Global Authentication LDAP Policy Binding Window

Click Done

3 Note: The LDAP policy will now show a green tick in the Globally Bound column, which means all members of the LDAP group specified in the ‘Search Filter’ of the server profile can authenticate to the NetScaler as NetScaler system users

Granting AD Group Permissions to the NetScaler

In the previous step we created an LDAP policy and bound it globally to the NetScaler, so that all users who are members of the Active Directory group Domain Admins can authenticate to the NetScaler and access the web GUI. However, these users will not yet have permission on the NetScaler itself to perform any administrative tasks, so we must link the AD group to appropriate permissions on the NetScaler.

1 Example of the error messages shown when logging in as user ‘admin@home.local’:

Not authorized to execute this command [show ns license]

[show ns feature]

Note: a user name of just ‘admin’ would also work

Here you can see that the user is able to authenticate, but not perform any tasks on the NetScaler.

2 Log into the NetScaler as nsroot

Browse to > System > User Administration > Groups

Click the add button

3 Type in Group Name: ‘Domain Admins’

Note: The NetScaler group name must match the LDAP group name and is Case SeNsiTiVE

4 Under Command Policies

Click Bind

Tick Sysadmin

Click Insert

5 Click Create
6 Users who are members of the Domain Admins group in Active Directory will now have the sysadmin role on the NetScaler

7 The other roles available on the NetScaler, and what can be assigned to them, are listed on the Citrix website: http://docs.citrix.com/en-us/NetScaler/10-1/ns-system-wrapper-10-con/ns-ag-aa-intro-wrapper-con/ns-ag-aa-config-users-and-grps-tsk.html

Creating a Citrix NetScaler LDAP Authentication Policy for Administrators


In this walkthrough we will create an LDAP policy for administrators of the NetScaler and point this new policy to our singular, private, internal Microsoft AD LDAP server.

This involves creating a server record to bind to (i.e. telling the NetScaler which server to communicate with for LDAP services) and a policy that is bound to that newly created server record. Finally, the policy and its associated server profile must be bound to the NetScaler so it knows where and when to use this LDAP policy. We will bind the policy globally, which means all users in the LDAP group specified in the policy will be able to administer the NetScaler device.

1 Log into your NetScaler

Expand System > Authentication > LDAP

Click the Add button

2 Give the policy a Name

e.g.

‘AUTHPOL_LDAP_Administrators’

Set the Expression as ‘ns_true’

Click the + to add a new LDAP Server to authenticate against

Tip: If you keep the naming of policies, servers and profiles consistent, it is much easier to find them once you have many policies created on the NetScaler

3 Give the LDAP server profile a Name.

I usually give it the imaginative name of something like:

‘AUTHSERVER_LDAP’

Fill out the essential information for this server profile

Note: In this guide we are using the following recommended minimum examples:

IP Address / or Name: 192.168.1.11

Base DN: CN=Users,DC=Home,DC=Local

Admin Bind DN: admin@home.local (domain administrator account)

Admin Password: <password>

Search Filter: memberof= CN=Domain Admins,CN=Users,DC=home,DC=local

Server Logon Name Attribute: sAMAccountName

Group Attribute: memberof

Sub Attribute Name: cn

Tip: be sure to click the test connection button once you have finished the setup of this LDAP server profile to ensure it connects to your LDAP server successfully

Note: You should use appropriate LDAP details. If you are unsure consult with your AD/LDAP/Authentication team.

4 Tip: You can connect to a Domain Controller, or any Windows machine with the RSAT tools installed, to establish your Base DN and Admin Bind DN by querying the accounts with dsquery user and dsquery group. Examples:

If I want the NetScaler to search the Users OU in AD I could query a user name in that OU to get their Base DN

If you need to obtain the Group details for the ‘Search Filter’

5 Click Test Connection and ensure your LDAP server is reachable

Note: the Admin Password is not copied when you duplicate these settings at a later stage, so always be sure to re-enter it when creating additional AUTHSERVERS

6 Click Create at the bottom of the ‘Create Authentication LDAP Server’ window

7 Click Create on the ‘Create Authentication LDAP Policy’ window

8 Save the NetScaler configuration

Click YES to the ‘Are you sure’ message

NetScaler SSH Command References:

Create LDAP Server:
add authentication ldapAction AUTHSERVER_LDAP -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword 1234561234561234561234561234561234561234561234561234561234 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

Create LDAP Policy:
add authentication ldapPolicy AUTHPOL_LDAP_Administrators ns_true AUTHSERVER_LDAP
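
As an added example (not from these posts or from Citrix), the following Python script performs offline sanity checks on ldapAction commands like the ones above, as they would appear in ns.conf: it parses each command, confirms the group named in the search filter sits inside the configured Base DN (otherwise the filter can never match), and flags actions left on the default -secType of PLAINTEXT, which is the case for both posts' commands. The ns.conf fragment and the contrasting AUTHSERVER_LDAP_Hardened action are constructed for the example.

```python
# Added example (not from the original posts): offline sanity checks for the
# `add authentication ldapAction` commands shown above, as they would sit in ns.conf.
import shlex

# Constructed ns.conf fragment modelled on the posts' commands; <encrypted> stands in
# for the encrypted password blob. The second action is a hardened variant for contrast.
NS_CONF = r'''
add authentication ldapAction AUTHSERVER_LDAP_NSUsers -serverIP 192.168.1.11 -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn admin@home.local -ldapBindDnPassword <encrypted> -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberof= CN=NetScaler Users,CN=Users,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn
add authentication ldapAction AUTHSERVER_LDAP_Hardened -serverIP 192.168.1.11 -serverPort 636 -secType SSL -ldapBase "CN=Users,DC=Home,DC=Local" -ldapBindDn svc_ns_bind@home.local -ldapBindDnPassword <encrypted> -encrypted -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScaler Users,OU=Groups,DC=home,DC=local" -groupAttrName memberOf -subAttributeName cn
'''

def parse_actions(conf):
    """Map action name -> {option: value}; options without a value (e.g. -encrypted) map to True."""
    actions = {}
    for line in conf.splitlines():
        tokens = shlex.split(line)
        if tokens[:3] != ["add", "authentication", "ldapAction"]:
            continue
        name, opts, i = tokens[3], {}, 4
        while i < len(tokens):
            key = tokens[i].lstrip("-")
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[key], i = tokens[i + 1], i + 2
            else:
                opts[key], i = True, i + 1
        actions[name] = opts
    return actions

def dn_is_under(dn, base):
    """DN comparison is case-insensitive; strip the stray spaces seen in the posts' filters."""
    norm = lambda d: ",".join(part.strip().lower() for part in d.split(","))
    return norm(dn).endswith(norm(base))

def audit(opts):
    """Return human-readable findings for one ldapAction."""
    findings = []
    # NetScaler defaults -secType to PLAINTEXT: bind and user passwords cross the wire in clear.
    if str(opts.get("secType", "PLAINTEXT")).upper() == "PLAINTEXT":
        findings.append("no -secType SSL/TLS: LDAP bind and user passwords sent in plaintext")
    flt = opts.get("searchFilter", "")
    if flt.lower().lstrip().startswith("memberof="):
        group_dn = flt.split("=", 1)[1]
        if not dn_is_under(group_dn, opts["ldapBase"]):
            findings.append("group in -searchFilter is outside -ldapBase: the filter can never match")
    return findings
```

The hardened variant also binds as a dedicated low-privilege service account rather than the domain administrator account the posts use as their bind DN; that is a practice the script cannot check from the configuration alone.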


StoreFront Logon Failure Event ID

Security Log > Audit Failure Event ID 4625

An account failed to log on.

Subject:
Security ID: NETWORK SERVICE
Account Name: SERVER$
Account Domain: DOMAIN
Logon ID: 0x3e4

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: jamesscanlon
Account Domain: DOMAIN

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID: 0xa20
Caller Process Name: C:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.ServiceHosting.WindowsServiceHost.exe
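
As an added example (not part of the original post), this Python snippet parses a 4625 event body like the one above into its sections and decodes the fields that matter when triaging StoreFront logon failures: the Sub Status, which says whether the user name or the password was wrong even though the Failure Reason is the generic message; Logon Type 8 (NetworkCleartext), as seen here from the StoreFront service host; and the caller process, which attributes the attempt to StoreFront. The event text is reconstructed from the post with the path's backslashes restored.

```python
# Added example (not from the original post): parse a 4625 body and decode its codes.
EVENT_4625 = r"""An account failed to log on.
Subject:
Account Name: SERVER$
Account Domain: DOMAIN
Logon Type: 8
Account For Which Logon Failed:
Account Name: jamesscanlon
Account Domain: DOMAIN
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process Name: C:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.ServiceHosting.WindowsServiceHost.exe
"""  # constructed from the event in the post, with the path's backslashes restored

# NTSTATUS sub-status codes hidden behind the generic "Unknown user name or bad password"
SUB_STATUS = {"0xc0000064": "user name does not exist", "0xc000006a": "wrong password",
              "0xc0000072": "account disabled", "0xc0000234": "account locked out",
              "0xc0000071": "password expired", "0xc0000193": "account expired"}
LOGON_TYPE = {2: "Interactive", 3: "Network", 8: "NetworkCleartext", 10: "RemoteInteractive"}
STOREFRONT_HOST = "citrix.deliveryservices.servicehosting.windowsservicehost.exe"

def parse_event(text):
    """Return {section: {field: value}}; a line with nothing after ':' opens a section."""
    fields, section = {}, "Event"
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")  # first ':' only, so C:\ paths survive
        if value.strip():
            fields.setdefault(section, {})[key.strip()] = value.strip()
        else:                                   # "Subject:" style header (or message line)
            section = key.strip()
    return fields

def field(event, name):  # first occurrence of a field across sections
    return next(sec[name] for sec in event.values() if name in sec)

def triage(text):
    ev = parse_event(text)
    failed = ev["Account For Which Logon Failed"]
    sub = field(ev, "Sub Status").lower()
    return {
        "user": f"{failed['Account Domain']}\\{failed['Account Name']}",
        "logon_type": LOGON_TYPE.get(int(field(ev, "Logon Type")), "other"),
        "reason": SUB_STATUS.get(sub, sub),
        "via_storefront": field(ev, "Caller Process Name").lower().endswith(STOREFRONT_HOST),
    }
```

Counting Sub Status values per account and per caller process separates lockout and password-expiry noise from repeated credential guesses, which the Failure Reason text alone cannot do.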