The implementation of Netscaler can sometimes be a bit technical. If you add strong authentification needs with double factor, then you have a nice challenge!
You need to ask yourself the good questions first to deploy a strong authentification solution by certificate via Netscaler in order to avoid loosing time and getting the necessary details at the right time:
- Internal Root & Intermediate certification to instal on Netscaler
- Do not forget to bind them together (Root & intermediate)
- Which username does the user use to log in? (UserPrincipalName, other?)
- Is this username present on the certificate?
- An Ip address (public) with its A record (public) for the vserver AAA provided for the authentification by certificate.
- The authentification by LDAP has already been configured? If no, start from there 🙂
- Finally, if you do your authentification with the UserPrincipalName for the certificate and you ask for SamAccountName in the LDAP, this won’t work. Therefore, it is possible that you will have to configure a specific policy for the LDAP so that it logs in with the right field.
Then the implementation is simple and looks like the standard methodology of a AAA vserver setup and an application published by Netscaler.
Security - AAA - Policies > Authentication - Basic Policies - CERT
Create a new server with value :
Two Factor = On User Name Field = Needs to correspond to the username present in the certificate
Create a simple policy :
Server = the server's name used before Expression = ns_true
Your authentication’s type is created. Do not forget that the LDAP must also be configured to be able to configure it my way.
Then it is necessary to create a traffic policy to avoid problems of double authentification on your websites. Values are quite easy.
Single Sign On = On Enable Persistent Cookie = Check (validate that you need them).
The final thing to do is to create the server AAA. Nothing is complicated but you need to be careful to three things.
1 – The bind of LDAP and CERT :
They must be both configured in primary (CERT and LDAP) but with different priorities : CERT = 100 LDAP1 = 110 LDAP2 = 120
2 – The root certificate bound to the AAA vserver :
In the CA Certificate part. Your root certificate must be bound at this place.
3 – The process to get the certificate for authentification :
Dans les SSL Parameters n’oubliez pas de configurer le champ Client Certificate.
Do not forget to configure the Client Certificate field in the SSL Parameters .
Client Certificate = Mandatory
If the setup is correct then you can reach your server. After the client certificate, the username field will be automatically filled in and cannot be modified.
For the troubleshooting : the SSH and the Netscaler shell will give you the necessary details :
shell cat /tmp/aaaa.debug