Archive
How to check which #NetScaler policy your #Citrix #Receiver or web browser hits
OK, this is a common question you'll run into when setting up Access Gateway access scenarios:
How do you know which policy is hit when your different Receivers log in?
Well, there are a couple of nice commands that can help you troubleshoot your access scenario! I guess most of you have a simple scenario with one domain to authenticate against and some simple PNA, CVPN and potentially SSL VPN policies and profiles to deal with, all bound to the virtual server like in this simple example:
But in more complex scenarios you may end up controlling which browser the user accesses with (to give nice error messages instead of the Citrix defaults when users try an unsupported browser, etc.), or you may have multiple AD domains and AD groups to bind different policies to. Then it gets complex: you have multiple policies and profiles for the same config with minor differences like the SSO domain name. So how do you troubleshoot that easily?
First we have the must-know command that hooks into the NetScaler's authentication process and gives you a view of it:
cat /tmp/aaad.debug
When you run that and then authenticate, you'll see the result of your auth process against, for instance, LDAP and RADIUS sources, like the result here when I logged in to our little environment:
At the top of the output you see all the AD groups I'm a member of; these need to match the group you want to use on the NetScaler side. At the end you see the accept from AD for my authentication request.
Then you know that you're authenticating OK, but which of the session policies are we hitting? For that you need to have a look at this great command:
nsconmsg -d current -g pol_hits
This is the output when I access using my Receiver on OS X:
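As an added example (not part of the original post), here is a small POSIX shell helper for the NetScaler shell that snapshots the pol_hits counters before and after a test login and prints only the session policies whose counter increased. The column layout assumed for the nsconmsg output, the sample counter lines and the policy names are constructed, not real output.

```sh
#!/bin/sh
# Added example, not from the original post: snapshot the pol_hits counters
# before and after a Receiver logs in, then print only the policies whose
# hit counter grew. The column layout ASSUMED for
# "nsconmsg -d current -g pol_hits" output is:
#   Index  rtime  totalcount-val  delta  rate/sec  symbol-name&device-no
# where field 6 is the literal "pol_hits" and field 7 is the policy name.

# Print "policy total" pairs from one snapshot file, skipping header lines.
pol_hits_totals() {
    awk '$6 == "pol_hits" && NF >= 7 { print $7, $3 }' "$1"
}

# Compare two snapshots; print "policy +n" for every counter that increased.
pol_hits_delta() {
    work="${TMPDIR:-/tmp}/pol_hits.$$"
    pol_hits_totals "$1" | LC_ALL=C sort > "$work.before"
    pol_hits_totals "$2" | LC_ALL=C sort > "$work.after"
    # join on policy name -> "policy before after"; keep rows where after > before
    LC_ALL=C join "$work.before" "$work.after" |
        awk '$3 > $2 { printf "%s +%d\n", $1, $3 - $2 }'
    rm -f "$work.before" "$work.after"
}

# Constructed sample snapshots (NOT real NetScaler output) so the script can
# be tried offline: one Receiver login bumps sess_pol_receiver by 1.
demo() {
    d="${TMPDIR:-/tmp}/pol_demo.$$"
    printf '%s\n' 'Displaying current counter value information' \
        '  Index   rtime totalcount-val      delta rate/sec symbol-name&device-no' \
        '      0       0            145          0        0 pol_hits sess_pol_receiver' \
        '      1       0             23          0        0 pol_hits sess_pol_web' > "$d.before"
    printf '%s\n' 'Displaying current counter value information' \
        '  Index   rtime totalcount-val      delta rate/sec symbol-name&device-no' \
        '      0       0            146          0        0 pol_hits sess_pol_receiver' \
        '      1       0             23          0        0 pol_hits sess_pol_web' > "$d.after"
    pol_hits_delta "$d.before" "$d.after"
    rm -f "$d.before" "$d.after"
}

# Run "sh thisscript.sh demo" to see the constructed sample; prints
# "sess_pol_receiver +1".
case "${1:-}" in demo) demo ;; esac
```

On the appliance you would run `nsconmsg -d current -g pol_hits > /tmp/before.txt`, log in with the Receiver you want to test, capture `/tmp/after.txt` the same way, and then call `pol_hits_delta /tmp/before.txt /tmp/after.txt`.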
#Citrix #AppController 2.5 Implementation Tips – #CloudGateway, #BYOD
Great blog post by Matthew Brooks!
AppController is a component of the Citrix CloudGateway Enterprise suite that orchestrates access to Enterprise Cloud applications. Those applications may take many forms including Mobile Applications, Software-as-a-Service hosted in public clouds, and Web links. Below I provided some tips to help with the implementation of AppController 2.5 (which is the latest version as of the publishing of this blog).
System Related
Including settings such as the Hostname, SSL certificates, and Restore.
Tips:
- Take a hypervisor level snapshot after the initial installation so that you can easily return to that base level if configuration or integration efforts go awry.
- The hostname cannot contain special characters in the AppController certificate signing request.
- The hostname must match the SSL certificate.
- The system cert must be chained to its CA(s).
Active Directory Related
Including settings such as the Server (Domain Controller), Base DN, and Service Account credentials.
Tips:
- The AppController only supports integration with a single domain. Multiple domains require multiple AppControllers. The NetScaler Access Gateway may be configured to allow users to access a single fully qualified domain name, yet be directed to their respective domain AppController through the use of Global Groups. See CTX116169 for more information: http://support.citrix.com/article/CTX116169
- All user accounts must have a first name, last name, and email address configured or they will receive an authorization error when attempting to launch applications. The bind Administrator account must also have an email address configured or directory integration will fail.
- Only LDAP (TCP 389) may be configured through the wizard that must be completed initially. Thereafter LDAPS (TCP 636) may be configured through the full administration menu.
- If the server domain name is a load-balanced DNS entry the initial import may work, yet subsequent bind attempts will fail. Alternatively you may use the IP address of an LDAPS load balancer on a NetScaler with specific domain controllers configured as services. See CTX135092 for more information: http://support.citrix.com/article/CTX135092
Network Related
Including settings such as the IP address, @WorkWeb and NTP server.
Tips:
- Use private IP addresses as system addresses if possible. When Trust Settings are configured for NetScaler Access Gateway it does not allow SSO to public addresses. If public addresses must be used the NetScaler may be configured with an SSL Bridge to access the AppController. See the NetScaler Traffic Management document for more information.
- NTP must be configured or SAML authentication may fail for SaaS sites if the time difference is significant.
- When Trust Settings are configured for NetScaler Access…
Continue reading here!
//Richard