Certificate authentication with AAA vserver

The implementation of Netscaler can sometimes be a bit technical. If you add strong authentification needs with double factor, then you have a nice challenge!

You need to ask yourself the good questions first to deploy a strong authentification solution by certificate via Netscaler in order to avoid loosing time and getting the necessary details at the right time:

  1. Internal Root & Intermediate certification must be install on the Netscaler
  2. Do not forget to link them together (Root & Intermediate)
  3. Which username does the user use to log in? (e.g. : UserPrincipalName, samAccountName)
  4. Is this username present on the certificate?
  5. An IP address (public) with its A record (Public) for the AAA vserver provided for the authentification by certificate.
  6. The authentification by LDAP has already been configured? If not, start from there 🙂
  7. Finally, if you do your authentification with the UserPrincipalName for the certificate and you ask for SamAccountName in the LDAP, this won’t work. Therefore, it is possible that you will have to configure a specific policy for the LDAP so that it logs in with the right field.

Then the implementation is simple and looks like the standard methodology of a AAA vserver setup and an application published by Netscaler.

Security - AAA - Policies > Authentication - Basic Policies - CERT

Create a new server with value :

Two Factor = On
User Name Field = Needs to correspond to the username present in the certificate

Create a simple policy :

Server = the server's name used before
Expression = ns_true

Your authentication’s type is created. Do not forget that the LDAP must also be configured to be able to configure it my way.

Then it is necessary to create a traffic policy to avoid problems of double authentification on your websites. Values are quite easy.

Single Sign On = On
Enable Persistent Cookie = Check (validate that you need them).


The final thing to do is to create the server AAA. Nothing is complicated but you need to be careful to three things.

1 – The bind of LDAP and CERT :

They must be both configured in primary (CERT and LDAP) but with different priorities :
CERT = 100
LDAP1 = 110
LDAP2 = 120

2 – The root certificate bound to the AAA vserver :

In the CA Certificate part. Your root certificate must be bound at this place.

3 – The process to get the certificate for authentification :

Dans les SSL Parameters n’oubliez pas de configurer le champ Client Certificate.

Do not forget to configure the Client Certificate field in the SSL Parameters .

Client Certificate = Mandatory

Screen Shot 2015-04-21 at 00.24.15

If the setup is correct then you can reach your server. After the client certificate, the username field will be automatically filled in and cannot be modified.

Screen Shot 2015-04-21 at 00.22.24

For the troubleshooting : the SSH and the Netscaler shell will give you the necessary details :

cat /tmp/aaaa.debug