How to Configure a Registry-Based Scan Expression to Look for Domain Membership


Article ID: CTX128040


Description

This article describes how to configure a registry-based scan expression to look for domain membership.

When the user types the NetScaler Gateway web address, the NetScaler Gateway checks to see if there are any client-based security policies in place. This is called a preauthentication policy. If this type of policy is configured on the NetScaler Gateway, it checks for the specified condition on the user device. These are generally security checks that verify that the user device has the necessary security-related operating system updates, antivirus protection, and perhaps a properly configured firewall.

If the user device fails the security check, the NetScaler Gateway blocks the user from logging on. A user unable to log on needs to download the necessary updates, packages or keys and install them on the user device.


Instructions

To build a registry-based scan expression that checks domain membership, you can use either of the following registry keys:

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

Parameters Registry Key

This registry key is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters; the expression reads its Domain value.


The EPA expression to use on the NetScaler Gateway is:
CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters_Domain').VALUE == example.net

Configure from NetScaler CLI

Run the following command from the NetScaler CLI:
add aaa preauthenticationpolicy EPA_expression_domain_membership q/CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters_Domain').VALUE == example.net/ Test

Configure from NetScaler GUI

  1. From the configuration utility, in the navigation pane, click Access Gateway.
  2. In the details pane, under Policy Manager, click Change group settings and user permissions.
  3. In the Access Gateway Policy Manager, under Available Policies / Resources, click Pre-Authentication Policies.
  4. Under Related Tasks, click Create new preauthentication policy and complete the fields as shown in the following screen shot:


Winlogon Registry Key

This registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the expression reads its DefaultDomainName value.


The EPA expression to use on the NetScaler Gateway is:
CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon_DefaultDomainName').VALUE == CITRIX
Important! Notice that the space in Windows NT must be escaped in the expression, as Windows\\ NT.

Configure from NetScaler CLI

Run the following command from the NetScaler CLI:
add aaa preauthenticationpolicy EPA_expression_domain_membership1 q/CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon_DefaultDomainName').VALUE == CITRIX/ Test

Configure from NetScaler GUI

  1. From the configuration utility, in the navigation pane, click Access Gateway.
  2. In the details pane, under Policy Manager, click Change group settings and user permissions.
  3. In the Access Gateway Policy Manager, under Available Policies / Resources, click Pre-Authentication Policies.
  4. Under Related Tasks, click Create new preauthentication policy and complete the fields as shown in the following screen shot:


Single Policy to Look for Both Keys

Alternatively, you can combine both expressions with || into a single preauthentication policy that passes when either registry key matches.

The EPA expression to use on the NetScaler Gateway is:
CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters_Domain').VALUE == example.net || CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon_DefaultDomainName').VALUE == CITRIX
Important! Notice that the space in Windows NT must be escaped in the expression, as Windows\\ NT.

Configure from NetScaler CLI

Run the following command from the NetScaler CLI:
add aaa preauthenticationpolicy EPA_expression_domain_membership_REPRO q/CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Parameters_Domain').VALUE == example.net || CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon_DefaultDomainName').VALUE == CITRIX/ Test

Configure from NetScaler GUI

  1. From the configuration utility, in the navigation pane, click Access Gateway.
  2. In the details pane, under Policy Manager, click Change group settings and user permissions.
  3. In the Access Gateway Policy Manager, under Available Policies / Resources, click Pre-Authentication Policies.
  4. Under Related Tasks, click Create new preauthentication policy and complete the fields as shown in the following screen shot:
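To confirm what the EPA scan will read on a given device before rolling out the combined policy, the following PowerShell script (an added example, not part of the Citrix article) reads the same two registry values and evaluates the same either-key-matches condition locally. The expected values example.net and CITRIX are the article's placeholders, and the function name Get-RegistryString is this example's own.

```powershell
# Added example (not from the Citrix article): reads the two registry values
# that the EPA expressions above inspect and evaluates the single-policy
# condition (Tcpip Domain match || Winlogon DefaultDomainName match) locally,
# so you can see what the preauthentication scan will observe on this device.
# The expected values below are the article's placeholders; replace them with
# your own domain names when you run this.
param(
    [string]$ExpectedDnsDomain   = 'example.net',  # Tcpip\Parameters\Domain
    [string]$ExpectedLogonDomain = 'CITRIX'        # Winlogon\DefaultDomainName
)

function Get-RegistryString {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent,
    # which is the situation the scan meets on a device that was never joined.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$dnsDomain   = Get-RegistryString 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'Domain'
$logonDomain = Get-RegistryString 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'DefaultDomainName'

# PowerShell's -eq is case-insensitive; switch to -ceq if you need an exact-case comparison.
$tcpipMatch    = ($dnsDomain   -eq $ExpectedDnsDomain)
$winlogonMatch = ($logonDomain -eq $ExpectedLogonDomain)

# Mirror the || in the combined EPA expression: either match is enough to pass.
$wouldPass = $tcpipMatch -or $winlogonMatch

[pscustomobject]@{
    TcpipDomain           = $dnsDomain
    TcpipMatch            = $tcpipMatch
    WinlogonDefaultDomain = $logonDomain
    WinlogonMatch         = $winlogonMatch
    PreauthWouldPass      = $wouldPass
}
```

Both values are ordinary registry strings that a local administrator can set on any Windows machine (Domain is the computer's primary DNS suffix and DefaultDomainName is the domain offered at the logon prompt), so a passing scan shows that the device is configured to claim the domain, not that it holds a verified domain trust.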


Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.