The implementation of Netscaler can sometimes be a bit technical. If you add a requirement for strong, two-factor authentication, then you have a nice challenge!

You need to ask yourself the right questions before deploying a strong, certificate-based authentication solution via Netscaler, to avoid losing time and to gather the necessary details at the right moment:

  1. The internal Root and Intermediate certificates must be installed on the Netscaler.
  2. Do not forget to link them together (Root & Intermediate).
  3. Which username does the user use to log in? (e.g. UserPrincipalName, sAMAccountName)
  4. Is this username present on the certificate?
  5. A public IP address with its public A record for the AAA vserver dedicated to certificate authentication.
  6. Has LDAP authentication already been configured? If not, start from there 🙂
  7. Finally, if you authenticate with the UserPrincipalName taken from the certificate but ask for the sAMAccountName in LDAP, this won't work. You may therefore have to configure a specific LDAP policy so that it logs in with the right field.

Then the implementation is simple and follows the standard methodology for setting up an AAA vserver and an application published by Netscaler.

Create a new server with these values:

Create a simple policy:

Your authentication type is created. Do not forget that LDAP must also be configured to be able to set it up my way.

Then you need to create a traffic policy to avoid double authentication problems on your websites. The values are quite easy.

The last thing to do is to create the AAA server. Nothing is complicated, but you need to be careful about three things.

1 – The binding of LDAP and CERT:

2 – The root certificate bound to the AAA vserver:

3 – The process to get the certificate for authentication:

Do not forget to configure the Client Certificate field in the SSL Parameters.
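As an added example (not the author's own configuration), here is the NetScaler CLI equivalent of the GUI steps above. All names, IPs, hostnames and file paths are constructed placeholders; it assumes the username is taken from the certificate's UPN and that LDAP therefore logs in with userPrincipalName, as point 7 requires.

```text
# Added example: NetScaler CLI equivalent of the GUI steps above.
# All names, IPs, hostnames and file paths are constructed placeholders.

# 1. Internal root and intermediate CA certificates, linked together
add ssl certKey internal_root -cert /nsconfig/ssl/internal_root.cer
add ssl certKey internal_inter -cert /nsconfig/ssl/internal_inter.cer
link ssl certKey internal_inter internal_root

# 2. CERT authentication: username comes from the certificate's UPN (SAN);
#    twoFactor ON so that an LDAP password is still required afterwards
add authentication certAction cert_act -twoFactor ON -userNameField "SubjectAltName:PrincipalName"
add authentication certPolicy cert_pol ns_true cert_act

# 3. LDAP authentication that logs in with the SAME field (UPN); otherwise the
#    user extracted from the certificate and the LDAP user never match (point 7)
add authentication ldapAction ldap_upn_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_netscaler@example.com" -ldapBindDnPassword <placeholder> -ldapLoginName userPrincipalName
add authentication ldapPolicy ldap_upn_pol ns_true ldap_upn_act

# 4. AAA vserver on its own public IP: CERT is the primary factor, LDAP the secondary one
add authentication vserver aaa_vs SSL 203.0.113.10 443
bind authentication vserver aaa_vs -policy cert_pol -priority 100
bind authentication vserver aaa_vs -policy ldap_upn_pol -priority 100 -secondary

# 5. Server certificate, internal root as trusted CA for client certificates,
#    and the Client Certificate field set to Mandatory in the SSL parameters
bind ssl vserver aaa_vs -certkeyName aaa_server_cert
bind ssl vserver aaa_vs -certkeyName internal_root -CA -ocspCheck Optional
set ssl vserver aaa_vs -clientAuth ENABLED -clientCert Mandatory

# 6. Traffic policy with SSO so the published web site does not prompt a second time
add tm trafficAction sso_act -SSO ON
add tm trafficPolicy sso_pol true sso_act
set lb vserver lb_web -authentication ON -authenticationHost aaa.example.com -authnVsName aaa_vs
bind lb vserver lb_web -policyName sso_pol -priority 100
```

With CERT as the primary factor and twoFactor ON, the login page shows the username extracted from the certificate as a read-only field and only asks for the LDAP password, which is the behaviour described below.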

If the setup is correct, you can reach your server. Once the client certificate has been presented, the username field is filled in automatically and cannot be modified.

For troubleshooting, SSH and the Netscaler shell will give you the necessary details: