How to Restrict Access to NetScaler Gateway for only Members of one Active Directory Group

Article ID: CTX111079

Description

NetScaler Gateway supports two methods of restricting logon access:

  • LDAP Search Filter – only users that match the LDAP Search Filter (e.g. Active Directory group membership) can login.
  • Groups Allowed to Login in a NetScaler Gateway Session Policy/Profile – this method supports multiple Active Directory groups.

This article describes the LDAP Search Filter method.

Requirements

The LDAP Search Filter method does not require any additional NetScaler Gateway licensing.

Note: For the Groups Allowed to Login method, the NetScaler Gateway Virtual Server must be in SmartAccess mode (ICA Only unchecked), and thus must be licensed with NetScaler Gateway Universal Licenses. NetScaler 11.1 and newer, Standard Edition and higher, have built-in NetScaler Gateway Universal Licenses. Refer to CTX125797 - How to Restrict Active Directory Group Users Using Groups Allowed To Login Feature for NetScaler.

Note: This article assumes that the NetScaler Gateway Virtual Server has already been configured for LDAP authentication. Refer to CTX108876 - How to Configure LDAP Authentication on a NetScaler Appliance to configure LDAP authentication on the NetScaler appliance.

Background

When a user types credentials on the logon page of the NetScaler Gateway Virtual Server and presses Enter, NetScaler first binds to Active Directory (LDAP) with the configured bind account and searches for the entered username, using the Server Logon Name Attribute (typically sAMAccountName) configured on the LDAP Server. If no LDAP Search Filter is defined in the LDAP Policy/Server, then every user object under the Base DN is a candidate for this match. Once a match is found, NetScaler reads the user's full Distinguished Name (DN) and binds to Active Directory with that DN and the entered password to authenticate the user.

If an LDAP Search Filter is defined, NetScaler ANDs it with the username lookup, so only user objects that both match the entered username and satisfy the Search Filter are returned. For example, if the LDAP Search Filter only matches members of an Active Directory group, then a user who is not a member of that group is never found by the search, and the logon fails before any bind with the user's password is attempted. Because this is enforced by the search itself, it does not depend on session policies or SmartAccess mode.


Instructions

To configure an LDAP Search Filter for members of one Active Directory group, complete the following procedure:

  1. Determine the Active Directory Group that has access permission, and get its full Distinguished Name. An easy way to get the full Distinguished Name of the group is through Active Directory Users and Computers.

  2. In Active Directory Users and Computers, open the View menu, and enable Advanced Features.

  3. Browse the tree to the group object, right-click it, and click Properties.
    Note: You cannot use Find. Instead, you must navigate through the tree to find the object.

  4. On the right, switch to the Attribute Editor tab. This tab is only visible if Advanced Features are enabled, and if you didn’t use the Find feature.

  5. Scroll down to distinguishedName, double-click it, and then copy it to the clipboard.

  6. In the NetScaler configuration GUI, on the Configuration tab, in the menu tree on the left, go to NetScaler Gateway > Virtual Servers.

  7. In the right pane, right-click an existing NetScaler Gateway Virtual Server, and click Edit.

  8. Scroll down to the Basic Authentication section, and click where it says # LDAP Policies.

  9. Right-click an existing LDAP Policy, and click Edit Server.

  10. Scroll down to the Other Settings section.

  11. In the Search Filter field, type memberOf= and then paste the Distinguished Name of the Active Directory group immediately after the equals sign. Spaces inside the DN (for example in CN=Citrix Remote) are fine; paste the DN exactly as copied, without adding quotation marks or surrounding parentheses.

    An example Search Filter is the following:
    memberOf=CN=Citrix Remote,OU=Citrix,DC=corp,DC=local

  12. Nested Groups - By default, the filter only matches users that are direct members of the Active Directory group; a user whose only membership is through a group nested inside it is not found. If you want nested membership to count, add the Microsoft matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) to the LDAP Search Filter. The OID is inserted between memberOf and the equals sign, surrounded by colons, as shown below:
    memberOf:1.2.840.113556.1.4.1941:=CN=Citrix Remote,OU=Citrix,DC=corp,DC=local
    The chain is walked by the domain controller at search time, so this form is slower than a direct memberOf match, noticeably so on large directories with deep nesting.

  13. Click OK to finish editing the LDAP Server.
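The following is an added example, not code from CTX111079 or from Citrix. It shows the two Search Filter values this procedure produces, the combined filter that results when NetScaler ANDs the Search Filter with the username lookup (the login-name attribute sAMAccountName and the behaviour of a user outside the group are assumed as described in Background), RFC 4515 escaping of a group DN that contains filter metacharacters, and the difference between direct and nested matching. The in-memory directory is constructed sample data, not a real domain.

```python
"""
Added example (not from CTX111079 or Citrix): builds the NetScaler Search
Filter values from the article, shows the filter NetScaler effectively sends
to Active Directory, and contrasts direct memberOf matching with the
LDAP_MATCHING_RULE_IN_CHAIN (nested) form against a constructed directory.
"""
from typing import Dict, List, Set

LOGIN_ATTR = "sAMAccountName"           # assumed Server Logon Name Attribute
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # Microsoft LDAP_MATCHING_RULE_IN_CHAIN
GROUP_DN = "CN=Citrix Remote,OU=Citrix,DC=corp,DC=local"  # DN from the article


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP filter.
    A group name containing ( ) * \\ or NUL would otherwise break, or
    widen, the filter; escaping keeps the DN a literal value."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def search_filter(group_dn: str, nested: bool = False) -> str:
    """The value typed into the NetScaler 'Search Filter' field."""
    attr = f"memberOf:{IN_CHAIN_OID}:" if nested else "memberOf"
    return f"{attr}={escape_filter_value(group_dn)}"


def effective_filter(username: str, group_dn: str, nested: bool = False) -> str:
    """NetScaler ANDs the configured Search Filter with the login-name
    lookup, so this is the search the domain controller actually evaluates."""
    user_clause = f"({LOGIN_ATTR}={escape_filter_value(username)})"
    return f"(&{user_clause}({search_filter(group_dn, nested)}))"


# Constructed sample directory (not real data).
# user -> direct memberOf values; group -> groups it is itself a member of.
USERS: Dict[str, List[str]] = {
    "alice": ["CN=Citrix Remote,OU=Citrix,DC=corp,DC=local"],      # direct member
    "bob":   ["CN=Helpdesk,OU=Citrix,DC=corp,DC=local"],           # nested only
    "eve":   ["CN=Domain Users,CN=Users,DC=corp,DC=local"],        # not a member
}
GROUP_MEMBER_OF: Dict[str, List[str]] = {
    "CN=Helpdesk,OU=Citrix,DC=corp,DC=local": ["CN=Citrix Remote,OU=Citrix,DC=corp,DC=local"],
    "CN=Citrix Remote,OU=Citrix,DC=corp,DC=local": [],
}


def transitive_member_of(direct: List[str]) -> Set[str]:
    """What the in-chain matching rule computes: every group reachable
    by following memberOf links from the user's direct groups."""
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(GROUP_MEMBER_OF.get(group, []))
    return seen


def user_matches(username: str, group_dn: str, nested: bool = False) -> bool:
    """Simulates the AD search NetScaler issues: is there an object whose
    login name matches AND that satisfies the memberOf clause?  A False
    here means NetScaler never finds a DN to bind with, so logon is denied."""
    direct = USERS.get(username)
    if direct is None:
        return False
    groups = transitive_member_of(direct) if nested else set(direct)
    return group_dn in groups


if __name__ == "__main__":
    for nested in (False, True):
        print("Search Filter:", search_filter(GROUP_DN, nested))
        for user in USERS:
            verdict = "found" if user_matches(user, GROUP_DN, nested) else "not found, logon denied"
            print(f"  {effective_filter(user, GROUP_DN, nested)} -> {verdict}")
```

Running this shows bob denied with the plain memberOf filter and admitted only with the chained form, which is the practical difference between steps 11 and 12. Before committing a filter on the appliance, the same combined search can be issued from any host with OpenLDAP tools using the bind account, for example ldapsearch -x -H ldap://dc.corp.local -D "<bind DN>" -W -b "DC=corp,DC=local" "(&(sAMAccountName=bob)(memberOf=CN=Citrix Remote,OU=Citrix,DC=corp,DC=local))" dn; zero results for a user who should be admitted means the DN is wrong or the membership is nested. On the NetScaler CLI the same setting is the -searchFilter parameter of set authentication ldapAction.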

Issue/Introduction

This article describes how to restrict access to NetScaler Gateway to members of one Active Directory group by using an LDAP Search Filter.