Tag: NetScaler Page 1 of 3

Citrix ADC, LDAP Test Fails

After Citrix implemented the security of ns.conf with the KEK keys I have notices that the “Test Network connectivity” through an error in the GUI:

Well, how do we the test the LDAP configuration and connection?

This can be done by the CLI, in shell mode 😊

From the shell mode you can run the following command to test the LDAP configuration:

ldapsearch -b “DC=contoso,DC=com” -D “user1@contoso.com” -h -p 389 -w “Password1”

If your username and password are not valid you will get something like this:

If there are connection to a Domain Controller and username and password are valid you will receive information of the users in the Active Directory.

So, we can use the CLI shell mode to test the LDAP connection and validate the username and password. But there is one problem. To test we need to type the password in clear text. In my blog “NetScaler CLI, Watch Out” I wrote about the “history” of the CLI commands and that password in clear text are stored until the Citrix ADC is rebooted.

We have the same problem when we test the LDAP connection when using CLI in shell mode. If I run the “history” command I get this:

It is therefore my recommendation that you create a temporary user account on the Citrix ADC. Then run the command to test the LDAP. And finally remove the temporary user account.

By doing this the password for the LDAP users can not be accessed through the “history” command.

Citrix ADC, Storefront SSO

With the release of Citrix ADC 13.0 build 64.35, Citrix have made some change to the “Single Sign-on to Web Application” in the Session Profiles:

This is new and can affect the SSO to Citrix Storefront. In my test environment after upgrading to 13.0 build 64.35 I got this error when logging in to the Access Gateway:

 There were no errors in the event viewer of the Storefront Server to help me.

In the release note for ADC 13.0 build 64.35 Citrix state, the flowing:

Title: Support to disable the weak Basic, Digest, and NTLM authentication globally

The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.

– Basic authentication

– Digest Access Authentication

– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

[ NSAUTH-7747 ]

I got my test environment to work with a simple traffic profile and traffic policy.

Traffic profile:

Traffic policy:

Just bind the policy to the Access Gateway, and you will not get the Storefront error, 😊

CLI commands:

add vpn trafficAction traf_prof_sf_sso http -SSO ON

add vpn trafficPolicy traf_pol_sf_sso true traf_prof_sf_sso

bind vpn vserver <NAME> -policy traf_pol_sf_sso -priority 100 -gotoPriorityExpression END -type REQUEST

Citrix ADC, Integrated caching

Do the Citrix ADC cache. O yes it does, even when the feature is not licensed. This can give some funny trouble shooting issues.

I resent have some problems about the logon page to an Access Gateway function. After a change in the logon page code, the client still gets the old look.

To check if your Citrix ADC is caching anything use this command:

As you can se the Citrix ADC is caching loginstatcobjects, but the feature is not licensed !!!!

If you run this, you will get a static of the caching function on the Citrix ADC:

The good is that you can disable this build in cache of loginstatcobjects. You can do this by running this command:

And to check that it is set:

I took me a while to find that is was the caching function that give me the strange behavior, as the function was not licensed, and I never thought that is could be enabled by default. I hope this can help others.

Citrix ADC, Partition, Radius

This blog is from a lesson learned in the field. I have done a normal upgrade from 11.1 to 12.1 on a Citrix ADC HA pair. After the upgrade users complained that they get an error when logging in to some Web sites that where protected by a Security Server on the ADC.

We found that the sites where all located in a Partition on the ADC.

LDAP test run without any error.

Radius test give this error:

Ok, the problem where with the MFA Radius authentication.

To debug I run a nstrace from the partition:

  • switch partition radius_test
  • start nstrace -size 0 -filter CONNECTION.PORT.EQ(1812)
    • Did the Radius test and got the error again
  • stop nstrace

But there where no trace files in /var/partition/radius_test/nstrace. I did this again but still no trace files.

What was going on???????

After some more debugging I did a trace on Default partition, and now I got some data in my trace:

But the request was coming from the NSIP and not from the SNIP in the partition. Do to Firewall configuration the Radius server could not be accessed this way.

It turns out that the Radius test is done from the default partition. You can’t use the test with in at partition as the request is not send from the source address you think.

I later found this in ns.log:

The learned lesson is that if you use Partitions, you can not relay on the Radius test function, as this may not give you a correct response, do to the way traffic is going out of the ADC.

We found a bug in ADC 12.1 build 55.18. Challenge-Response Radius request from a Partition got stuck at the ADC, and the users never received their token, and where not prompted for it.

As the ADC 11.1 build 63.15 had the same bug from default partition, we ended up with a total rollback, and is now waiting for Citrix to fix this.

Citrix ADC, User Certificate Authentication

Once again, a was struggling to get User Certificate Authentication to work, until I suddenly remembered why:

You cannot put your Certification Authentication Virtual Server behind a Content Switching Virtual Server.

You can, but then you must enable Client Authentication on the Content Switching Virtual Server, and as this often have a lot of other web sites configured all of them will have Client Authentication enabled.

The reason for this is that when you use Content Switching Virtual Server the SSL session is established to this and the you need Client Authentication configured here.

So, if you have a special web site that you need to protect with Client Authentication you need a direct accessible Authentication Virtual Server.

Let me show the configuration I ended up with:

Create an Authentication Virtual Server:

Bind your public certificate and your root ca certificate:

For test a use a local user account, but this is normal an Active Directory account:

Then add the Certificate Authentication policy:

You will end up with 2 primary authentication policies:

Change the SSL Parameters so that Client Authentication is enabled:

Now create the Load Balancing Virtual Server and enable Authentication on this:

That is, it, and when we test, we will get this.

When testing with a user that have no certificate the site will close the connection:

And testing with a user that have a certificate the user is prompted for the certificate to use:

After selected the certificate, the user is redirected to the Authentication Virtual Server for logon:


You can use User certificates when protecting web sites with authentication. Just remember that the authentication virtual server can often not be behind a content switching server as this will enable user certification on all web site configured on the content switching server.

Page 1 of 3

Powered by WordPress & Theme by Anders Norén