Archive: ‘Howto’ Category

Netscaler authentication based on nested groups

2 comments November 23rd, 2012

So i needed to create an LDAP authentication policy in the Netscaler where the users are divided into different groups (DEPT1, DEPT2, DEPT3), and those groups are themselves inside a group (MAINGRP). So i want to authenticate the users based on nested membership in MAINGRP.

Netscaler LDAP dialogue

Normally without nested groups you would use a LDAP filter with something like this:


Which would return a result to the Netscaler if the user were a member of that group.

But how would you go about if your user is in a nested group? Then you also need to find out if one of the groups the user is a member of is itself a member of the specified group. My first thought was to use the nested groups feature in the Netscaler LDAP auth dialogue. So I configured it to use 2 nested levels and the same kind of filter here as on the user. Sadly this didnt work, it turns out that the nested groups part is ONLY for authorization and not authentication. What this means is on the first part the user authenticates and if you have a filter it returns whatever you configured your filter to return. If it doesnt return anything, like a group, your not allowed to login. Once this is done the Netscaler will use the returned result and pars through it and do additional LDAP querys to find the nested groups, and by then the user is already authenticated. The result from the nested groups parsing is then passed on to whatever logic you have in AAA or session policys to do with what you want for authorization.

This meant that in order to use nested groups for authentication i needed to extract the nested group in the first filter and this is how you would do that:


By using something called OID in the LDAP query you will make LDAP do the parsing of the nested groups and return a result if it finds the group you are looking for.

from Microsoft Technet:

1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN This rule is limited to filters that apply to the DN. This is a special “extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

And there you go!

HOWTO: Remove Favorites from Explorer Folder View

No comments October 14th, 2010

This is how you remove the Favorites Link in the explorer folder view:

  1. Open regedit and go to [HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]
  2. Open regedit and go to [HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]
  3. In “ShellFolder” go to ‘Attributes’ and change the value from 0xa0900100 to 0xa400100. (Or to 0xa9400100)
  4. Reboot your machine. If everything is done correctly “Favorites” should now be disabled completely when your system is rebooted.


Citrix Web Interface, CSG and Windows 2008 NLB

No comments October 19th, 2009

So i wanted to update to the new web interface from 4.6 to 5.2. I also wanted to use 2008 servers with NLB, couldn’t make it work with 4.6 and server 2003. So i took 2 new servers and did a fresh install. I got the web interfaces configured so that they worked properly, and installed Citrix Secure Gateway on each of the WI:s. Then came the fun part to get the NLB working.

To get windows NLB working at all, all the servers has to be on the same subnet and there cant me more than 32 servers in the cluster.

I’m using multicast since i only have a single network card on the servers and my network infrastructure supports it, which many different routers aren’t, since you are having 2 mac:s on a single nic. If i had nics i would use unicast. One nic for administrating and one nic for the cluster.

And i specify the NLB address on the same subnet as the two servers. And using the default port rules which is basically saying to use nlb on all ports.

Next step is to configure the CSG, in which I’ve already has configured the basic settings, certificate, ssl and so on. But i need the change the monitoring of inbound connections where i specify the CSG to listen on the NLB address. And ofc do this on both WI/CSG servers.

And that’s it. Now i have a working NLB on my Citrix Web Interface.

On an another note i discovered i couldn’t force ssl in the IIS otherwise it gave me errors when the csg used http to fetch the web pages from the iis and then presenting them as https.