As of NetScaler 12.0 build 51.24, authentication to NetScaler Gateway virtual servers can be performed by StoreFront rather than LDAP.
To send authentication requests to StoreFront, we must use an AAA virtual server, which requires NetScaler Enterprise licensing.
Impersonation is used by StoreFront to log on the user connecting through NetScaler Gateway. NetScaler sends credentials to StoreFront in JSON format.
To get started navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Actions -> StoreFrontAuth -> Add.
Enter a name and the URL to your StoreFront server. Click Retrieve Auth Enabled Stores and use the drop-down to select the specific Store you wish to use. For domain, enter your domain NETBIOS name. Click Create.
Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Authentication Policies -> Add.
Enter a name, choose Action Type StoreFrontAuth and use the drop-down to select your recently created StoreFront authentication action. Enter an appropriate expression and click Create.
Next create an AAA Virtual Server. The server does not need an IP so use Non Addressable as the IP type and click OK.
The virtual server does not need a certificate so click Continue.
Click on No Authentication Policy.
Select your StoreFront authentication policy and click Bind. Finish creating the AAA vServer.
Next navigate to Security -> AAA – Application Traffic -> Authentication Profile -> Add.
Enter a name and choose your AAA vServer under Authentication Virtual Server. Under Authentication Host enter anything. Click Create.
Bind the Authentication Profile to your NetScaler Gateway virtual server. Click OK -> Done.
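The GUI steps above can also be expressed as NetScaler CLI commands. This is an added example, not configuration from the original post: every object name, the StoreFront URL, the domain, the policy rule "true", the priority and the authentication host are placeholders or assumptions to replace with your own values.

```netscaler
# Added example: CLI equivalent of the GUI procedure above.
# All names and values below are placeholders (assumptions), not values from the post.

# 1. StoreFrontAuth action: StoreFront Store URL and the domain NETBIOS name
add authentication storefrontAuthAction sf_auth_act -serverURL "https://<storefront-fqdn>/Citrix/<Store>" -domain <NETBIOS-DOMAIN>

# 2. Advanced authentication policy that uses the action.
#    "true" matches every request; substitute the expression appropriate for your site.
add authentication Policy sf_auth_pol -rule true -action sf_auth_act

# 3. Non-addressable AAA virtual server (IP 0.0.0.0, no certificate bound)
add authentication vserver sf_aaa_vs SSL 0.0.0.0

# 4. Bind the StoreFront authentication policy to the AAA vServer
bind authentication vserver sf_aaa_vs -policy sf_auth_pol -priority 100

# 5. Authentication profile pointing at the AAA vServer.
#    The authentication host can be any value, as in the GUI step.
add authentication authnProfile sf_authn_prof -authnVsName sf_aaa_vs -AuthenticationHost <any-hostname>

# 6. Bind the profile to the existing NetScaler Gateway virtual server
set vpn vserver <gateway-vserver-name> -authnProfile sf_authn_prof

# Review what was created
show authentication storefrontAuthAction sf_auth_act
show authentication vserver sf_aaa_vs
```

Use an https StoreFront URL in the action, since the logon credentials travel in that request, and run save ns config once logons test successfully.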
Now test logons by browsing to the NetScaler Gateway URL. The logon screen is rendered by NetScaler using RfWebUI or whichever theme you use.
Once you click log on, the security logs of StoreFront show the new logon as below.
At an HTTP level, NetScaler sends a POST to StoreFront.
The credentials are sent as JSON, with the credential values masked.
Afterwards NetScaler sends the normal GET request for Receiver for Web UI.
StoreFront should reply with a 200 OK.