Configuring LDAPS on Citrix NetScaler

If you want to enable LDAP Secure for NetScaler authentication follow the below guide. Using LDAPS allows you to use the Allow password change option on NetScaler so Active Directory users can change their expired passwords. For this reason, and the security advantage, many people opt in to using LDAPS with NetScaler.

NetScaler Authentication Logging – http://www.jgspiers.com/netscaler-authentication-failures-aaad-debug/

NetScaler Logon Process and Failure Reasonshttp://www.jgspiers.com/digging-in-to-citrix-logon-process/

NetScaler Gateway direct authentication to StoreFront instead of using LDAP policieshttp://www.jgspiers.com/netscaler-gateway-authentication-direct-storefront/

It is wise to note that if you run in to any problems whilst configuring LDAPS/LDAP authentication or if you ever have authentication issues you should enable authentication logging on your NetScaler via the CLI to see what is going on.

To do this open the NetScaler CLI -> authenticate using sufficient credentials -> type shell -> type cd /tmp -> type cat aaad.debug and press enter.

1

Now every authentication attempt will be logged. As you can see below authentication is failing on my NetScaler with results such as receive_ldap_bind_event Got LDAP error. The reason being that I deliberately changed the LDAP bind account password so I could show you an example!2

Now, back to LDAPS setup.

Firstly you need to install a certificate on your Domain Controller(s) to secure authentication traffic over SSL between the NetScaler and Domain Controller server(s).

Depending on how your internal Certification Authority is set up there are multiple ways to request a certificate such as through IIS, Certificate Services Web Enrolment and Active Directory Enrolment Policies. Ensure that the certificate you do use provides Server Authentication and Client Authentication as the one shown below. Also ensure the Subject Name matches your domain controllers name.

3

 

Once you have your certificate in place navigate to NetScaler Gateway -> Policies -> Authentication -> LDAP and edit your existing LDAP server profile or create a new one.4

 

Under Security Type select SSL and the port will automatically change to 636.5

 

After selecting SSL you will see the option for Allow Password Change. Choose this if you wish to allow users to change expired Active Directory passwords.6

 

Now at the bottom of the configuration screen click Done and then save the configuration.7

 

All being well you should now be able to authenticate over LDAPS. If you do get failures, refer to NetScaler authentication logging. Check also that any firewall between your NetScaler and Domain Controllers are not blocking TCP 636. Another thing you can do is use the ldp.exe tool to bind to a Domain Controller over SSL.


9 Comments

  • Pablo

    October 16, 2017

    Did you import the CA root certificate (from the CA server) on the netscaler appliance? If so, where did you import it?

    Reply
    • George Spiers

      October 17, 2017

      That is right, you just import it under Traffic Management -> SSL -> Certificates -> CA Certificates.

      Reply
      • Pablo

        October 17, 2017

        And bind the ca certificate to the load balancing ldaps vs? I don’t need a server certificate just the CA certificate?

        Reply
        • George Spiers

          October 17, 2017

          If you are Load Balancing LDAPS then you need to create a server certificate which matches the FQDN of the vServer VIP, and bind that certificate to the Load Balancing vServer.
          If you are not Load Balancing LDAP and simply creating an LDAPS enabled LDAP Server (Action/Profile) for authentication, you don’t need a server certificate for that, just a CA certificate.

          Reply
          • Pablo

            October 17, 2017

            Ok. Is done on my CA certificate? Do you have a reference page for this?

  • Pablo

    October 17, 2017

    All my domain controllers have the certificate on them…. to add the VIP name on the san subject alternate name?

    Reply
  • Pablo

    October 17, 2017

    I have a wildcard cert that’s on my netscaler… but that’s not configured for ldaps. Ldaps domain controllers are using a certificate from our certificate authority server. The wildcard is for .eventreviewing.com and my domain controllers have internal certificate for each server separate:
    Ldaps
    Dc1.eventrewiewing.local
    Dc2.eventrewiewing.local
    Dc3.eventrewiewing.local

    Reply
    • Pablo

      October 18, 2017

      Sorry just having issue understanding netscaler ssl-tcp…. if I’m using a wildcard for my vserver ldaps with SSL_TCP and on the backend sever have ldaps with all 3 host have separate certificates on the domain controller. I shouldn’t have an issue correct? So if the 3 domain controller certificate expires soon I shouldn’t have to do anything on the netscaler correct? My vservers all use a 3rd party wildcard .eventreviewing.com and my domain controllers use a certificate from our ca dc1.eventreviewing.com

      Reply
      • George Spiers

        October 18, 2017

        Hi Pablo. Yes, should not be a problem to have a wildcard certificate on the LDAPS LB vServer so long as the clients connecting to that vServer trust the certificate. The individual domain controller certificates should not expire as if handled by ADCS, they will renew automatically themselves.

        Reply

Leave a Reply