Summary
In a multi-domain forest, the Active Directory (AD) database is partitioned so that each domain maintains a list of only those objects that belong to that domain. For example, a user created in Domain A is listed only on Domain A's domain controllers. Global Catalog (GC) servers provide a global listing of all objects in the forest. The Global Catalog is held on domain controllers configured as Global Catalog servers. These servers replicate all objects from all domains to themselves and hence provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated.
In a multi-domain AD environment, it is generally best to use the IP address of the Global Catalog server. Standard domain controllers only contain AD information for objects within their own domain. As a result, they can only respond to Lightweight Directory Access Protocol (LDAP) queries for objects within their own domain; they cannot respond to LDAP queries for objects within other AD domains in the AD forest. Because a Global Catalog server contains AD information for every object in the entire AD forest, it can respond to LDAP queries for objects within its domain and other AD domains in the AD forest.
To authenticate users in an AD forest that has one or more domains (child domains), it is necessary to configure the NetScaler to authenticate against the Global Catalog Server instead of the local AD server.
Procedure
The process is the same as setting up authentication for AD using LDAP, with one exception. Refer to the articles listed below for this information.
The only difference is that the AD Global Catalog uses TCP port 3268 while LDAP uses TCP port 389. When referencing the articles below, use port 3268 instead of 389.
CTX113368 – LDAP Bind Account Requirements for Access Gateway Enterprise Edition
CTX108876 – Configuring LDAP Authentication for NetScaler
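The port difference described above, shown as NetScaler CLI. This is an added example, not taken from the referenced articles; the action and policy names, the 192.0.2.10 address, the example.com forest root with a child.example.com child domain, the bind account and the password placeholder are all assumptions.

```text
# Constructed example: every name, address, DN and password below is a placeholder.

# Domain-local LDAP (TCP 389): the domain controller answers only for
# objects in its own domain, so users from other domains in the forest
# are not found.
add authentication ldapAction ldap_dc_389 -serverIP 192.0.2.10 -serverPort 389 -ldapBase "dc=child,dc=example,dc=com" -ldapBindDn "svc_ldap@child.example.com" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName

# Global Catalog (TCP 3268): same settings, but the server must be a
# domain controller configured as a Global Catalog server, and the base DN
# is set at the forest root so that users in child domains are in scope.
add authentication ldapAction ldap_gc_3268 -serverIP 192.0.2.10 -serverPort 3268 -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName

# Policy that uses the Global Catalog action.
add authentication ldapPolicy ldap_gc_pol ns_true ldap_gc_3268
```

Port 3268, like 389, carries unencrypted LDAP, so the bind account's credentials cross the network in clear text; the Global Catalog's LDAP-over-SSL port is TCP 3269, used with -secType SSL.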
More Information
Consult your LDAP administration guide for further information.
Wikipedia description of the Active Directory