Netscaler/Citrix Access Gateway and Active Directory nested groups

In Active Directory, Citrix, Netscaler on May 11, 2012 at 21:21


We recently adopted RBAC based on MS Active Directory to manage our infrastructure. We already used AD groups to authenticate and authorize administrators on our Netscaler appliances, however admins were direct members of the groups defined on the Netscalers. (Have a look over here to see how to configure this.)

Our new RBAC system uses nested groups – an admin is a member of a role group, which in turn is a member of a group authorizing access to a resource. Not every non-MS system is able to “understand” nested groups (Cisco Ironport anti-spam appliances, for example), so you are forced to use some sort of iterative/recursive query to make it work, but luckily the Netscalers have a feature called “nested group extraction”.

You can enable nested group extraction when you define an Authentication server. After you choose LDAP as the authentication server type, the option is somewhat hidden at the bottom of the dialogue window, but if you flip it open and enter:

  • The nesting level (default is 2)
  • The group name identifier (simply the attribute defining the unique name for the group object), which in most situations would be the sAMAccountName attribute
  • The group search attribute: memberOf
  • And the sub search attribute – here the documentation suggests using the common name, just as in the general server configuration

you will be able to use nested groups to authorize your administrators to perform management tasks on the Netscalers.

You could use an existing LDAP server/policy pair to achieve this, but I would strongly advise creating a separate server/policy pair. The main reason is that when you enable nested group extraction for an authentication server, all users authenticating through that policy/server pair seem to be checked for nested group memberships – even if you don’t use group membership as a factor to authorize your users to access resources…

We found out about that one the hard way – after enabling nested group extraction on our default LDAP policy/server pair, certain users were unable to log on to our Citrix environment. This was caused by their being members of a group that had “illegal characters” in its common name (a forward slash “/”) – with nested group extraction enabled they got an access denied message…

We solved this by using a different policy/server pair for admin authentication/authorization.
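To make the two points above concrete (what the nesting level, group name identifier, group search attribute and sub search attribute actually drive, and why a group with a “/” in its CN is worth finding before you enable extraction), here is an added example that is not part of the post and not Citrix code. It models nested group extraction offline against a small constructed directory: `resolve_nested_groups()` walks memberOf links with a nesting-level cap and cycle protection, `audit_group_names()` lists group CNs containing the forward slash the post reports as breaking logon, and `ldap_action_command()` renders the matching NetScaler CLI line. The directory contents, the group and user names, the assumption that level 1 means direct membership, and the CLI flag names are all assumptions made for the example.

```python
"""Nested group extraction, modelled offline (added example, not from the post)."""
from collections import deque

# Constructed sample directory: DN -> attributes. Not real data.
# jdoe -> Role-NetAdmin -> NS-Admins -> All-Infra -> Role-NetAdmin (a cycle,
# to show that the walk terminates), plus one group with "/" in its CN.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "jdoe",
        "memberOf": ["CN=Role-NetAdmin,OU=Roles,DC=example,DC=com"],
    },
    "CN=Role-NetAdmin,OU=Roles,DC=example,DC=com": {
        "objectClass": "group", "sAMAccountName": "Role-NetAdmin",
        "memberOf": ["CN=NS-Admins,OU=Resources,DC=example,DC=com"],
    },
    "CN=NS-Admins,OU=Resources,DC=example,DC=com": {
        "objectClass": "group", "sAMAccountName": "NS-Admins",
        "memberOf": ["CN=All-Infra,OU=Resources,DC=example,DC=com"],
    },
    "CN=All-Infra,OU=Resources,DC=example,DC=com": {
        "objectClass": "group", "sAMAccountName": "All-Infra",
        "memberOf": ["CN=Role-NetAdmin,OU=Roles,DC=example,DC=com"],  # cycle
    },
    "CN=Sales/Marketing,OU=Groups,DC=example,DC=com": {
        "objectClass": "group", "sAMAccountName": "SalesMarketing",
        "memberOf": [],
    },
}


def resolve_nested_groups(user_dn, directory=DIRECTORY, max_nesting_level=2,
                          group_name_identifier="sAMAccountName",
                          group_search_attribute="memberOf"):
    """Return the group names a user holds directly or through nesting.

    Assumption for this example: level 1 is the user's own memberOf list and
    each hop through a group's memberOf adds one level, so the default of 2
    reaches the "role group -> resource group" layout the post describes.
    """
    names, seen = set(), set()
    queue = deque((dn, 1) for dn in directory[user_dn].get(group_search_attribute, []))
    while queue:
        dn, level = queue.popleft()
        if dn in seen:          # cycle or diamond: already handled
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:       # dangling reference, skip rather than fail
            continue
        names.add(entry[group_name_identifier])
        if level < max_nesting_level:
            for parent_dn in entry.get(group_search_attribute, []):
                queue.append((parent_dn, level + 1))
    return names


def audit_group_names(directory=DIRECTORY, bad_chars="/"):
    """Return CNs of group objects containing a character the post reports
    as causing access denied once extraction is on (only "/" is known from
    the post; the set is a parameter so it can be widened as an assumption)."""
    flagged = []
    for dn, entry in directory.items():
        if entry.get("objectClass") != "group":
            continue
        cn = dn.split(",", 1)[0][len("CN="):]  # crude RDN parse, fine for constructed DNs
        if any(c in cn for c in bad_chars):
            flagged.append(cn)
    return sorted(flagged)


def ldap_action_command(name, max_nesting_level=2,
                        group_name_identifier="sAMAccountName",
                        group_search_attribute="memberOf",
                        group_search_sub_attribute="CN"):
    """Render the NetScaler CLI line for a dedicated admin LDAP action.
    Flag names are an assumption (they match the GUI fields the post lists);
    check them against your appliance's documentation before use."""
    return (f"add authentication ldapAction {name} -nestedGroupExtraction ON "
            f"-maxNestingLevel {max_nesting_level} "
            f"-groupNameIdentifier {group_name_identifier} "
            f"-groupSearchAttribute {group_search_attribute} "
            f"-groupSearchSubAttribute {group_search_sub_attribute}")


if __name__ == "__main__":
    user = "CN=jdoe,OU=Users,DC=example,DC=com"
    for level in (1, 2, 5):
        print(level, sorted(resolve_nested_groups(user, max_nesting_level=level)))
    print("groups to rename before enabling extraction:", audit_group_names())
    print(ldap_action_command("ldap_admins"))
```

Running the audit against the real directory (with an LDAP client instead of the dictionary) before turning extraction on, and binding the resulting action to its own policy rather than the default one, is the operational takeaway of the post.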
