NetScaler VPX – Multiple Domains

Well over the last 12 months I have been having a rapid learning curve on the extremely good Citrix NetScaler VPX appliances. Recently we had deployed a GSLB configuration to support multi-site Citrix XenApp and XenDesktop deployments (will post more on this later). This was initially just to support a single domain, which  is relatively straight forward in terms of authentication and session policies.

It turned out we actually had to support two domains (and possibly more in future). Up to this point we had a virtual server that had the session policies applied and the necessary LDAP policies (which had the LDAP AD Servers we were querying).

So to support multiple domains we did the following:-

  • Created a group in each AD domain to reference the users that are allowed access
  • Created a group under Access Gateway\Groups matching the name of the groups created in each AD domain
  • Created new LDAP Servers and Polices for the new new domain. To support a unique logons the new LDAP servers had the “Server Logon name Attribute” and “SSO Name Attribute” set to “UserPrincipalName”
  • We left the existing domain to be samAccountName so existing users didn’t have to remember to add the @Domain suffix.
  • On both existing and new domain LDAP servers we added search filters for the groups “memberOf=CN=GROUPNAME,OU=OUNAME,DC=Domain,DC=DomainSuffix” 
  • On all LDAP Servers we also added Nested Group Extraction, as we used domain users on the existing domain (and wanted to maintain that for the time being)

  • Created a new session polices for the new domain. Copied the existing one and changed the SSO Domain to the new domain. On each session profile we also used Authorization Groups under Security/Advanced matching the local groups created on the NS (a 9.2+ Feature)

  • Under each group created on the NS add a session policy created above
  • Remove the Session Polices from the existing VS
  • Made sure under authentication that we had both sets of LDAP Policies to cover both domains.

That was it :).

A big help was being able to debug what the NS was doing when querying the DCs to see what was working and what wasn’t. To do that we SSH’d to the Netscaler in question and entered shell then cat /tmp/aaad.debug

Usefull Links


One thought on “NetScaler VPX – Multiple Domains

  1. Thank you!!! You just saved me a ton of reading to do this. I couldn’t get nesting to work but I’m sure it’s me. If I add the user to the main group it’s fine and you had the same situation I did. I might expand your post and reference you on my blog. Thanks for posting this!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s