Setting up LDAP-based authentication for the NetScaler GUI is usually one of the first things I do on a NetScaler build…except on NetScaler 10.5 – it looks like this feature is broken in NS 10.5 build 50.10 nc.
The procedure is simple – configure an LDAP server and policy (or use an existing server\policy configured for CAG, etc). Then create a local group that matches the name of an Active Directory group – ‘Domain Admins’ for example – and give them the appropriate rights (superuser for full rights). Lastly, bind the LDAP policy globally. That’s it.
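A CLI equivalent of the procedure above, as an added example that is not from the original post. The server address, base DN, bind account and the object names `ldap_mgmt_srv` and `ldap_mgmt_pol` are placeholders, and `-secType SSL` on port 636 is an assumption made here so that admin credentials are not sent to the directory in clear text.

```netscaler
# LDAP server (action). Address, base DN and bind account are placeholders.
add authentication ldapAction ldap_mgmt_srv -serverIP 192.0.2.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc-netscaler@example.com" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

# LDAP policy that applies the action to every logon (classic expression ns_true).
add authentication ldapPolicy ldap_mgmt_pol ns_true ldap_mgmt_srv

# Local group whose name matches the AD group exactly, with full rights.
add system group "Domain Admins"
bind system group "Domain Admins" -policyName superuser 100

# Bind the LDAP policy globally so it is used for management logons.
bind system global ldap_mgmt_pol -priority 100

# Check the result.
show system group "Domain Admins"
show system global
```

The group match relies on `-groupAttrName memberOf` and `-subAttributeName cn`, which make the NetScaler extract group names such as Domain Admins from the user's directory entry.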
In NS 10.5, this all works, except for when you go to authenticate at the logon screen. Two interesting notes:
- Once configured, AD integrated authentication works for SSH connections….but not web GUI
- If you create a local user with a long, complex ‘dummy’ password and check the box for ‘Enable External Authentication’, AD integrated authentication will then work for that user. Here’s the problem with that:
  - The dummy password is valid for login, hence the reason to make it long and complex
  - I don’t want to have to create a local account for every admin to log on to the NS
Update 10/2/2014: I have confirmed that NS 10.5 build 52.11 resolves the above issue. Release notes here.
4 thoughts on “NetScaler 10.5 GUI LDAP Authentication”
Thanks a lot for your post.
I have a question.
You wrote "Citrix has confirmed this is a bug". Can you share the Citrix-Bug-ID?
I don't have an LA number – haven't had a chance to call this one in yet…but a Citrix employee verified it here: http://discussions.citrix.com/topic/355076-105-build-5110-gui-ldap-authentication-bug/
How should users enter their credentials when they log on using AD auth on the web GUI?
Is it domain\<username>
or just the username directly?
Are there multiple auth policies for multiple domains? Either way will work.