Configuring LDAPS on Citrix NetScaler

If you want to enable LDAP Secure (LDAPS) for NetScaler authentication, follow the guide below. Using LDAPS allows you to use the Allow password change option on NetScaler so Active Directory users can change their expired passwords. For this reason, and for the security advantage of not sending credentials in clear text, many people opt to use LDAPS with NetScaler.

NetScaler Authentication Logging

NetScaler Logon Process and Failure Reasons

NetScaler Gateway direct authentication to StoreFront instead of using LDAP policies

It is wise to note that if you run into any problems whilst configuring LDAPS/LDAP authentication, or if you ever have authentication issues, you should enable authentication logging on your NetScaler via the CLI to see what is going on.

To do this, open the NetScaler CLI, authenticate using sufficient credentials, type shell, then type cd /tmp, then type cat aaad.debug and press enter.


Now every authentication attempt will be logged. As you can see below, authentication is failing on my NetScaler with results such as receive_ldap_bind_event Got LDAP error. The reason is that I deliberately changed the LDAP bind account password so I could show you an example!

Now, back to LDAPS setup.

Firstly, you need to install a certificate on your Domain Controller(s) to secure authentication traffic over SSL between the NetScaler and the Domain Controller server(s).

Depending on how your internal Certification Authority is set up, there are multiple ways to request a certificate, such as through IIS, Certificate Services Web Enrolment and Active Directory Enrolment Policies. Ensure that the certificate you use provides Server Authentication and Client Authentication, like the one shown below. Also ensure the Subject Name matches your domain controller's name.



Once you have your certificate in place, navigate to NetScaler Gateway -> Policies -> Authentication -> LDAP and edit your existing LDAP server profile or create a new one.


Under Security Type select SSL and the port will automatically change to 636.


After selecting SSL you will see the option for Allow Password Change. Choose this if you wish to allow users to change expired Active Directory passwords.


Now, at the bottom of the configuration screen, click Done and then save the configuration.


All being well, you should now be able to authenticate over LDAPS. If you do get failures, refer to NetScaler authentication logging. Check also that any firewall between your NetScaler and Domain Controllers is not blocking TCP 636. Another thing you can do is use the ldp.exe tool to bind to a Domain Controller over SSL.
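The three failure points named above (TCP 636 blocked, the DC certificate not trusted, and the certificate name not matching the Domain Controller) can be checked from any host before touching the NetScaler. The following is an added example, not code from the original post or from Citrix; the DC hostname and the path to the CA root certificate file are assumptions you supply as arguments.

```python
"""Pre-flight LDAPS check that mirrors what the NetScaler LDAP action does
when Security Type is SSL: open TCP 636, complete a TLS handshake, validate
the DC certificate against the CA root, and match the certificate name to
the DC hostname. (Added example; host and CA file are caller-supplied.)"""
import socket
import ssl

LDAPS_PORT = 636


def hint_for(exc):
    """Map a failure to the check the post suggests for it."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "hostname mismatch" in str(exc).lower():
            return "certificate name mismatch: Subject/SAN does not match the DC hostname"
        return "certificate not trusted: CA root certificate missing or wrong on the client"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: check the DC certificate and TLS settings"
    return "TCP 636 unreachable: no LDAPS listener on the DC or a firewall blocking TCP 636"


def probe_ldaps(host, cafile, port=LDAPS_PORT, timeout=5.0):
    """Return {'stage': 'tcp'|'tls'|'ok', 'ok': bool, ...} for the DC at host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, unreachable
        return {"stage": "tcp", "ok": False, "hint": hint_for(exc)}
    # Trust only the CA root that issued the DC certificate, as the NetScaler would,
    # and require the certificate name to match the DC hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLError as exc:
        return {"stage": "tls", "ok": False, "hint": hint_for(exc)}
    except OSError as exc:  # e.g. peer reset during the handshake
        return {"stage": "tls", "ok": False, "hint": hint_for(exc)}
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"stage": "ok", "ok": True, "subject_cn": subject.get("commonName"),
            "dns_names": dns_names, "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    import sys
    # usage: python ldaps_probe.py dc01.example.local /path/to/ca-root.pem
    print(probe_ldaps(sys.argv[1], sys.argv[2]))
```

A successful run returns stage "ok" with the certificate's CN and DNS names, which you can compare against the Server name entered in the NetScaler LDAP profile.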

One Comment

  • Pablo

    October 16, 2017

    Did you import the CA root certificate (from the CA server) on the NetScaler appliance? If so, where did you import it?

