Authenticating into NetScaler GUI with LDAP

Citrix NetScaler

Authenticating into the NetScaler GUI with LDAP credentials is very straightforward to configure and also increases security greatly. I've been to a lot of customers that still have the standard nsroot credentials, and within an HA pair setup customers are wary of changing them.


So to configure authentication, firstly you need to add an LDAP server if you do not already have any configured. It's best to add multiple LDAP servers. Within the NetScaler, click on the System tab on the left.

Expand the authentication node and then select the LDAP entry.

On the right hand side select the Servers tab and click Add.

Screen Shot 2014-12-05 at 16.18.38


Give your server a friendly name and then select the Server IP radio button.

Input the IP address of the domain controller and change the port if necessary. The standard is 389; 636 could be used if the environment is utilising LDAPS, but this requires additional steps with SSL certificates and is not covered here. You could also use a previously created load-balanced VIP here.

Screen Shot 2014-12-05 at 16.19.13


Once the basic information about the domain controller is entered, you have to specify the details of the domain. For this step I've created a service account (auth.horizon.co.uk) and you just need to enter the details as shown. Again, I've been a little lazy here in my lab by specifying the root of the domain in Base DN. If you have a specific OU under which your users sit, then use that instead.

Screen Shot 2014-12-05 at 16.19.49

Now I'm not sure if this is a bug, but this next bit sometimes needs you to click Done on this screen and then go back in. By default in a NetScaler 10.5 install the Server Logon Name Attribute and the fields below it are blank; they require clicking on the dropdown link and selecting the correct attribute for your LDAP configuration. If there is nothing listed within those boxes, as mentioned before, click Done at the bottom of the page and then edit the server again. Once completed, click Done.

Screen Shot 2014-12-05 at 16.21.07


Once the server has been created, click on the Policy tab next to it and click Add. Enter a name for the policy and, from the Server drop-down list, select the server you have just created. In the Expression box simply type "ns_true", which means the policy will apply to everything. Click Create.

Screen Shot 2014-12-05 at 16.21.43

From the Actions menu within the Policy tab select Global Binding and then Insert Policy. Select the policy previously created, set a priority (typically 100) and click Bind.

Screen Shot 2014-12-05 at 16.22.13

Review the changes and click Done.

Screen Shot 2014-12-05 at 16.22.20

Once bound you will see the policy listed, and you will now need to add the groups or users from Active Directory who are authorised to log in to the NetScaler.


Screen Shot 2014-12-05 at 16.22.34


Now expand System > User Administration > Groups (or Users, if you wish to do it that way; however, I would highly recommend groups).

Click Add.

Screen Shot 2014-12-05 at 16.22.42


Now enter the name of a group that you would like to have access to the NetScaler. The group name has to be identical to the display name within AD. Note I've been lazy again and just allowed the Domain Admins group. In a production environment I would create a custom group in AD for this purpose.

Once you have entered the name of the AD group, you need to inform the NetScaler what sort of access the group will have. Within the Command Policies section click Insert.

Screen Shot 2014-12-05 at 16.23.07


There are four permission-level policies already created by the NetScaler (the absolute permission details are listed here). Select a permission level (I have selected superuser in this screenshot) and click Insert.

Screen Shot 2014-12-05 at 16.23.17

Finally, DO NOT forget to press this button (save configuration); if the configuration is not saved it will be lost after a reboot.

Screen Shot 2014-12-05 at 16.23.26

Now the configuration is in, all you need to do is log out of the NetScaler with the nsroot credentials and log in again with a user account within the group you have selected.

Screen Shot 2014-12-05 at 16.23.59
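For reference, the same configuration typed into the NetScaler CLI (added here as an example, not taken from the original post). The IP addresses, the base DN derived from the horizon.co.uk domain, the sAMAccountName/memberOf/cn attribute choices and the object names are assumptions; it follows the post in using plain LDAP on 389 and shows the LDAPS variant as a commented line.

```text
# Added example (not from the original post). Placeholders and names are assumptions.
# One LDAP action per domain controller, as the post recommends adding more than one server.
add authentication ldapAction LDAP_DC01 -serverIP 192.0.2.10 -serverPort 389 -secType PLAINTEXT -ldapBase "dc=horizon,dc=co,dc=uk" -ldapBindDn "auth@horizon.co.uk" -ldapBindDnPassword "<service-account-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapAction LDAP_DC02 -serverIP 192.0.2.11 -serverPort 389 -secType PLAINTEXT -ldapBase "dc=horizon,dc=co,dc=uk" -ldapBindDn "auth@horizon.co.uk" -ldapBindDnPassword "<service-account-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
# LDAPS variant of the same action (needs the CA certificate trusted on the NetScaler, not covered in the post):
# add authentication ldapAction LDAP_DC01_SSL -serverIP 192.0.2.10 -serverPort 636 -secType SSL ...

# Policies with the ns_true expression, bound globally; the lower priority number is tried first.
add authentication ldapPolicy LDAP_POL_DC01 ns_true LDAP_DC01
add authentication ldapPolicy LDAP_POL_DC02 ns_true LDAP_DC02
bind system global LDAP_POL_DC01 -priority 100
bind system global LDAP_POL_DC02 -priority 110

# System group whose name matches the AD group display name exactly, with the superuser command policy.
add system group "Domain Admins"
bind system group "Domain Admins" -policyName superuser 100

# Verify what was created, then save, or it is lost at the next reboot.
show authentication ldapAction LDAP_DC01
show system group "Domain Admins"
save ns config
```

The service account password is stored in the action; it is shown as a placeholder here and should be a dedicated, least-privilege read-only account rather than an administrator.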


Author: Dale Scriven
