Well over the last 12 months I have been having a rapid learning curve on the extremely good Citrix NetScaler VPX appliances. Recently we had deployed a GSLB configuration to support multi-site Citrix XenApp and XenDesktop deployments (will post more on this later). This was initially just to support a single domain, which is relatively straight forward in terms of authentication and session policies.
It turned out we actually had to support two domains (and possibly more in future). Up to this point we had a virtual server that had the session policies applied and the necessary LDAP policies (which had the LDAP AD Servers we were querying).
So to support multiple domains we did the following:-
- Created a group in each AD domain to reference the users that are allowed access
- Created a group under Access Gateway\Groups matching the name of the groups created in each AD domain
- Created new LDAP Servers and Polices for the new new domain. To support a unique logons the new LDAP servers had the “Server Logon name Attribute” and “SSO Name Attribute” set to “UserPrincipalName”
- We left the existing domain to be samAccountName so existing users didn’t have to remember to add the @Domain suffix.
- On both existing and new domain LDAP servers we added search filters for the groups “memberOf=CN=GROUPNAME,OU=OUNAME,DC=Domain,DC=DomainSuffix“
- On all LDAP Servers we also added Nested Group Extraction, as we used domain users on the existing domain (and wanted to maintain that for the time being)
- Created a new session polices for the new domain. Copied the existing one and changed the SSO Domain to the new domain. On each session profile we also used Authorization Groups under Security/Advanced matching the local groups created on the NS (a 9.2+ Feature)
- Under each group created on the NS add a session policy created above
- Remove the Session Polices from the existing VS
- Made sure under authentication that we had both sets of LDAP Policies to cover both domains.
That was it :).
A big help was being able to debug what the NS was doing when querying the DCs to see what was working and what wasn’t. To do that we SSH’d to the Netscaler in question and entered shell then cat /tmp/aaad.debug