NetScaler Authentication Error – /cgi/selfauth

While I was rebuilding my lab, I ran into an issue when building out my demo Exchange OWA front-ended by NetScaler – the error was pretty generic, I would attempt to access the OWA page, was then prompted for authentication by the NetScaler AAA engine running as a part of Unified Gateway, then I was dumped to the following error page:

Http/1.1 Service Unavailable – /cgi/selfauth/xxxxx


This error page is being presented by the NetScaler, and is nothing new – it usually means that a backend connection has failed or there are no policy matches on a Content Switching vServer and a default vServer is not configured – that is the case here as this is a CSW vServer for Exchange.

The Fix

We need to create a SelfAuth CSW policy and bind it to the OWA vServer. Here is the Content Switching policy that handles this error:


The expression is:


Then we need to bind the policy to the CSW vServer – in this case, you can see the other Exchange policies in place, with the new policy at the bottom:


Once done, the OWA page comes up as expected after authentication. Fixed!


4 thoughts on “NetScaler Authentication Error – /cgi/selfauth”

  1. Hi,
    it works fine, but the domainadmin become after the aaa-login a second 401-login-mask.
    All other users become only the aaa-login and works normal.
    What could be the problem?

    Thanks and best regards


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.