Citrix Systems Network Router NETSCALER 9.3 User Manual

authentication policies are bound to the system, users are authenticated by the
onboard system.
Note: User accounts must be configured on the NetScaler appliance before users can
be externally authenticated. You must first create an onboard system user for all users
who will access the appliance, so that you can bind command policies to the user
accounts. Regardless of the authentication source, users cannot log on if they are not
granted sufficient command authorization through command policies bound to their
user accounts or to a group of which they are a member.
Configuring LDAP Authentication
You can configure the NetScaler to authenticate user access with one or more LDAP
servers. LDAP authorization requires identical group names in Active Directory, on the
LDAP server, and on the NetScaler. The characters and case must also be the same.
By default, LDAP authentication is secured by using the SSL/TLS protocol. There are two
types of secure LDAP connections. In the first type, the LDAP server accepts the SSL/TLS
connection on a port separate from the port used to accept clear (unencrypted) LDAP
connections. After the client establishes the SSL/TLS connection, LDAP traffic is sent
over that connection. The second type allows both unsecured and secure LDAP
connections and is handled by a single port on the server. In this scenario, to create a
secure connection, the client first establishes a clear LDAP connection and then sends the
LDAP command StartTLS to the server over that connection. If the LDAP server
supports StartTLS, the connection is upgraded to a secure LDAP connection by using TLS.
The port numbers for LDAP connections are:
• 389 for unsecured LDAP connections
• 636 for secure LDAP connections
• 3268 for Microsoft unsecured LDAP (global catalog) connections
• 3269 for Microsoft secure LDAP (global catalog) connections
LDAP connections that use the StartTLS command use port number 389. If port number
389 or 3268 is configured on the NetScaler, the appliance tries to use StartTLS to make the
connection. If any other port number is configured, connection attempts use SSL/TLS from
the start. If neither StartTLS nor SSL/TLS can be used, the connection fails.
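The StartTLS exchange described above at the wire level, as an added example that is not from the Citrix manual or NetScaler's own code: it encodes the LDAP StartTLS ExtendedRequest defined in RFC 4511, decodes the server's ExtendedResponse so that a client only proceeds to the TLS handshake on resultCode 0 (anything else must fail the connection, as the manual states), and applies the manual's port rule. Function names are assumptions; the two sample responses are constructed, not captured from a real server.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended-operation OID (RFC 4511)
def _ber_len(n: int) -> bytes:
    if n < 0x80:  # short form; long form (0x80 | byte count) above 127
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(n: int) -> bytes:  # INTEGER; a leading 0x00 keeps large values positive
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def starttls_request(message_id: int) -> bytes:
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] (tag 0x77) { requestName [0] (tag 0x80) } }
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))

def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_starttls_response(msg: bytes) -> dict:
    """Decode ExtendedResponse [APPLICATION 24] (tag 0x78); only resultCode 0 permits the TLS handshake."""
    tag, body, _ = _read_tlv(msg, 0)
    _, mid, p = _read_tlv(body, 0)
    rtag, ext, _ = _read_tlv(body, p)
    if tag != 0x30 or rtag != 0x78:
        raise ValueError("not an LDAP ExtendedResponse")
    _, rc, p = _read_tlv(ext, 0)    # resultCode ENUMERATED
    _, _, p = _read_tlv(ext, p)     # matchedDN (unused here)
    _, diag, p = _read_tlv(ext, p)  # diagnosticMessage
    ntag, val = _read_tlv(ext, p)[:2] if p < len(ext) else (None, b"")
    name = val.decode() if ntag == 0x8A else None  # responseName [10], if present
    code = int.from_bytes(rc, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": code,
            "diagnostic": diag.decode(errors="replace"), "response_name": name, "ok": code == 0}

def netscaler_ldap_mode(port: int) -> str:
    """Manual's rule: ports 389 and 3268 attempt StartTLS; any other port uses SSL/TLS from the start."""
    return "starttls" if port in (389, 3268) else "ldaps"

# Constructed sample responses to message 1 (not captured from a real server)
SAMPLE_OK = _tlv(0x30, _ber_int(1) + _tlv(0x78, _tlv(0x0A, b"\x00") + _tlv(0x04, b"")
                                            + _tlv(0x04, b"") + _tlv(0x8A, STARTTLS_OID)))
SAMPLE_UNAVAILABLE = _tlv(0x30, _ber_int(1) + _tlv(0x78, _tlv(0x0A, b"\x34") + _tlv(0x04, b"")
                                                     + _tlv(0x04, b"TLS not supported")))
```

A client that sends `starttls_request(...)` must check `ok` in the parsed response before wrapping the socket in TLS; a server that returns unavailable (52) or any other non-zero code has refused the upgrade, and the connection must be dropped rather than continued in the clear.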
When configuring the LDAP server, the case of the alphabetic characters in names must
match between the LDAP server and the NetScaler. If the root directory of the LDAP
server is specified as the search base, all of its subdirectories are also searched to find
the user attribute. In large directories, this can affect performance. For this reason,
Citrix recommends that you use a specific organizational unit (OU) as the search base.
The following table lists examples of user attribute fields for LDAP servers.
Chapter 1: Authentication and Authorization (page 38)