How to Configure LDAP Authentication on a NetScaler Appliance.


This article describes how to configure LDAP authentication on NetScaler.


In this article, an LDAP authentication policy is created at a global level for the NetScaler, which all users use when authenticating. You can also create an LDAP authentication policy only for the users authenticating to the SSL VPN under the NetScaler Gateway node.

For a NetScaler to authenticate users through LDAP, create an LDAP policy, then bind the LDAP policy to the target virtual server. A NetScaler appliance defaults to the standard LDAP TCP port of 389, or to the secure LDAP TCP port of 636 if a Security Type is selected during configuration. Note: If using a Microsoft Active Directory Global Catalog Server, the standard port is 3268 and the secure port is 3269.



Before you begin, ensure that the following prerequisites are met:

  1. An Active Directory account that meets the following requirements:

At a minimum, the Bind DN account must have:

  • Read access to the user objects in the LDAP directory in order to search for user accounts.
  • Read access to the Base DN (for example, DC=angsupport,DC=com) with the correct attribute that is used as the LDAP Login Name (for example, sAMAccountName).
In order to perform Group Extraction, which is the process of determining a user’s group membership and returning those values to NetScaler Gateway, the Bind DN account must have:
  • Read access to the group attributes in the LDAP directory.

In order to support password expiration during authentication, the Bind DN account must have read access to the following attributes in the LDAP directory:

  • PwdLastSet
  • UserAccountControl
  • msDS-User-Account-Control-Computed

In order to use an alternative Single Sign-On attribute (SSO Name Attribute), such as UPN format, the Bind DN account must have:

  • Read access to the particular SSO Name Attribute of interest in the LDAP directory.
Note: You can use an account that is part of the default read-only domain controllers group in Active Directory. Check with your Active Directory administrator for confirmation.
  2. The NetScaler IP needs to be able to communicate with the LDAP server on the port that the LDAP server is listening on:
  • 389 for plain text LDAP
  • 636 for SSL LDAP
  • 3268 for plain text Global Catalog Server
  • 3269 for SSL Global Catalog Server
Note: If the NetScaler IP cannot communicate with the LDAP servers, you can configure a Load Balancing VIP for LDAP and the NetScaler will send the request from a MIP/SNIP. The MIP/SNIP would then need to reach the LDAP servers.
  3. If password change is a requirement, Microsoft requires the connection to the LDAP server to be SSL/TLS for password change to work. This requires that the LDAP server is set up to accept TLS/SSL connections. By default, Global Catalog Servers are read-only and usually cannot be used for password change. Consult your Active Directory administrator to confirm whether the Global Catalog Servers can be used for password change and that the domain controllers are ready to accept SSL/TLS connections. The NetScaler appliance allows password change for naturally expired passwords. New user accounts may not work until the user has logged in to the Active Directory domain and built their profile.


To configure LDAP authentication on a NetScaler, complete the following tasks:
Note: Each of the following tasks can be performed either from the graphical interface (GUI) or from the command-line interface (CLI).

Creating an Authentication Server

To add an authentication server, complete the following procedure from the graphical Interface:

  1. Select System > Authentication > LDAP > Servers > Add.

    Or select NetScaler Gateway > Policies > Authentication > LDAP > Server > Add.

    You can then configure the parameters for the LDAP server in the Create Authentication dialog box.

  2. Specify the required information to define the LDAP Server. The required fields are:

    • Name* – The name of the server.

    • Authentication Type – The authentication type, which in this scenario is LDAP.

    • Server – The IP address and TCP port used by the LDAP server.

    • Base DN – The base, or node, from which the LDAP search starts.

    • Bind DN – The full distinguished name that is used to bind to the LDAP server.

    • Bind DN Password – The password for the Bind DN account.

    • Confirm Bind DN Password – The password for the Bind DN account, entered again for confirmation.

    • Login Name – The name attribute used by the NetScaler appliance to query the external LDAP server or Active Directory.

    • Search Filter – The string to be combined with the default LDAP user search string to form the search filter.

    • Group Attribute Name – The attribute name used for group extraction from the LDAP server.

    • Sub Attribute Name – The sub-attribute name used for group extraction from the LDAP server.

    • Security Type – Select Plaintext for non-secure LDAP communication, or select TLS or SSL for secure LDAP communication.

    Click Create.
  3. The new server should appear in the list.

To add the authentication server from the CLI, run the following command from the command line interface of the appliance:

>add authentication ldapaction ldap_Server -serverIP <LDAP_SERVER_IP> -ldapBase "DC=citrix,DC=com" -ldapBindDn user@citrix.com -ldapBindDnPassword ..dd2604527edf70 -ldapLoginName sAMAccountName -groupAttrName memberOf

Replace <LDAP_SERVER_IP> with the address of your LDAP server. The port defaults to 389 unless -serverPort or a -secType of SSL is specified.

Creating an Authentication Policy

To add the authentication policy, complete the following procedure from the graphical interface:

  1. Select System > Authentication > LDAP > Policies > Add.
    Or navigate to the following section: NetScaler Gateway > Policies > Authentication > LDAP > Policies > Add.

  2. Specify the following details in the Create Authentication Policy dialog box:

    • Name* – The name for the policy.

    • Authentication Type – The type of authentication used.

    • Server – The server defined in the preceding step.

    • Expression – The name of the rule or expression the policy will use.

    Click Create.

The new policy should appear.

To add the authentication policy from CLI, run the following command from the command line interface of the appliance:

>add authentication ldappolicy ldap-service_policy ns_true ldap_Server
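The port defaults and password-change constraints described above, plus the two CLI commands, as an added example that is not part of the original article or of Citrix's code: the helper derives the port from the security type and Global Catalog setting, rejects configurations that cannot support password change, and emits the CLI commands. The -serverIP, -serverPort, -secType and -passwdChange parameters and the "bind vpn vserver" syntax are assumed from the NetScaler CLI reference; verify them against your firmware's documentation.

```python
# Added example; not Citrix's code. CLI parameter names beyond those shown
# in the article (-serverIP, -serverPort, -secType, -passwdChange) and the
# "bind vpn vserver" form are assumed from the NetScaler CLI reference.

DEFAULT_PORTS = {  # (secure?, Global Catalog?) -> TCP port, per the article
    (False, False): 389,
    (True, False): 636,
    (False, True): 3268,
    (True, True): 3269,
}


def ldap_default_port(sec_type, global_catalog=False):
    """Port a NetScaler defaults to for the given Security Type.

    SSL uses the dedicated secure port; TLS (StartTLS) upgrades the
    plaintext port, so it maps to 389/3268 like PLAINTEXT.
    """
    sec = sec_type.upper()
    if sec not in ("PLAINTEXT", "TLS", "SSL"):
        raise ValueError("secType must be PLAINTEXT, TLS or SSL")
    return DEFAULT_PORTS[(sec == "SSL", bool(global_catalog))]


def build_ldap_commands(name, server_ip, base_dn, bind_dn, bind_password,
                        login_name="sAMAccountName", group_attr="memberOf",
                        sec_type="PLAINTEXT", global_catalog=False,
                        passwd_change=False, port=None, vserver=None):
    """Return the NetScaler CLI lines for an LDAP action, policy and bind."""
    sec = sec_type.upper()
    if passwd_change and sec == "PLAINTEXT":
        raise ValueError("password change requires an SSL/TLS LDAP connection")
    if passwd_change and global_catalog:
        raise ValueError("Global Catalog servers are read-only; use a domain controller")
    port = port or ldap_default_port(sec, global_catalog)
    state = "ENABLED" if passwd_change else "DISABLED"
    cmds = [
        f'add authentication ldapaction {name} -serverIP {server_ip} -serverPort {port} '
        f'-ldapBase "{base_dn}" -ldapBindDn "{bind_dn}" -ldapBindDnPassword "{bind_password}" '
        f'-ldapLoginName {login_name} -groupAttrName {group_attr} '
        f'-secType {sec} -passwdChange {state}',
        f'add authentication ldappolicy {name}_pol ns_true {name}',
    ]
    if vserver:  # assumed syntax for binding to a NetScaler Gateway vserver
        cmds.append(f'bind vpn vserver {vserver} -policy {name}_pol -priority 100')
    return cmds
```

Paste the returned lines into the NetScaler CLI; the bind DN password is passed in clear text on the command line, so supply it from a secrets store rather than a checked-in script.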


Additional Resources

For assistance with troubleshooting authentication issues, refer to CTX114999 - How to Troubleshoot Authentication with Aaad.debug

