
AAA content switch with multiple domains


So I have been fighting this for a few days and just can't seem to find a way to do what I want. Documentation out there hints that this is possible but does not give instructions on how to make it work for my use case.

What I want to do is have 1 content switch for AAA. Behind that content switch, I need to be able to authenticate users to multiple domains depending on which URL they are going to. For example, if a user goes to corp.company.com I need them to auth against the corp domain. If they go to store.company.com, I need them to authenticate with the store domain. Users may have usernames and passwords that match in both domains, so I don't want to do a loop; I would rather tell the NetScaler what domain (LDAP policy) they need to use.

I have tried multiple ways to get this to work but have been unsuccessful. Is there anyone out there that has done something similar to this?


Thanks Carl. I just tried that and was unsuccessful. I get a "no active policy" error when logging in. It's like the AAA server does not know where the auth request came from, so it is not matching up to any defined policy. I have also been trying to get this to work with cookies as you mentioned in one of your blogs, but run into a similar problem. From what I can see, the LB VIP redirects to the AAA VIP, but the AAA is not seeing where it came from or the cookies that were set from the auth policy, so I am unable to key off that information in the LDAP policy.

This is NetScaler 11.1 with 1 CS for AAA and all the other services I am trying to get working.


Well, looks like I got it working. Not the way I would prefer, but it's working.

What I ended up doing is AAA using authentication profiles, 1 for each domain, both pointing to the same AAA server. When I did this I noticed in the Fiddler traces that a new cookie value for NSC_TMAP matches the name of the authentication profile I used. I then wrote an advanced auth policy for each domain to use separate LDAP servers.


Authpol_store > HTTP.REQ.HEADER("Cookie").CONTAINS("corp") > action Store_LDAPS

Authpol_corp >  HTTP.REQ.HEADER("Cookie").CONTAINS("store") > action Corp_LDAPS


Now I am authenticating to the appropriate domain depending on the LB server I hit. One of the domains is not working with SSO as I am getting prompted by the web application, but at least I am now hitting the correct LDAP servers. Now on to figure out why SSO is not working.
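As an added example (not code from this thread or from Citrix), the following Python models the cookie-based selection the post above describes: it reads the NSC_TMAP cookie the author observed carrying the authentication-profile name, maps that value to an LDAP action, and contrasts an exact match on that one cookie with a substring match over the whole Cookie header. The profile names, the LDAP action names and the sample Cookie headers are constructed assumptions, and the "first match wins" ordering stands in for NetScaler policy priority.

```python
# Added example: models NSC_TMAP-based selection of an LDAP action.
# Profile names, action names and sample headers are constructed; they are
# not values from the thread or from any real deployment.
from typing import Dict, List, Optional, Tuple

# Hypothetical authentication-profile name -> LDAP action it should select.
PROFILE_TO_ACTION: Dict[str, str] = {
    "authprof_corp": "Corp_LDAPS",
    "authprof_store": "Store_LDAPS",
}

# Substring rules in the style of the thread's
# HTTP.REQ.HEADER("Cookie").CONTAINS("...") expressions, in priority order.
CONTAINS_RULES: List[Tuple[str, str]] = [
    ("corp", "Corp_LDAPS"),
    ("store", "Store_LDAPS"),
]


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Split a Cookie request header into a name -> value map.

    Deliberately simple: NetScaler's own cookies (NSC_AAAC, NSC_TMAP, ...)
    can carry characters that stricter parsers reject, so we only split on
    ';' and the first '='.
    """
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def select_action_exact(cookie_header: str) -> Optional[str]:
    """Select the LDAP action by exact match on the NSC_TMAP cookie value.

    Returns None when the cookie is absent or names an unknown profile,
    which corresponds to no authentication policy being hit.
    """
    tmap = parse_cookies(cookie_header).get("NSC_TMAP")
    if tmap is None:
        return None
    return PROFILE_TO_ACTION.get(tmap)


def select_action_contains(cookie_header: str,
                           rules: List[Tuple[str, str]] = CONTAINS_RULES) -> Optional[str]:
    """Select the LDAP action by substring match over the whole Cookie header.

    This mirrors CONTAINS("corp") / CONTAINS("store") on the raw header:
    any cookie on the request, not just NSC_TMAP, can satisfy the rule.
    """
    for needle, action in rules:
        if needle in cookie_header:
            return action
    return None


# Constructed sample requests. The third one carries an unrelated cookie
# whose value happens to contain "corp", which is enough to flip the
# substring-based decision while the exact match stays correct.
SAMPLE_HEADERS = [
    "NSC_TMAP=authprof_store; NSC_AAAC=constructed-session-token",
    "NSC_TMAP=authprof_corp; NSC_AAAC=constructed-session-token",
    "NSC_TMAP=authprof_store; last_site=corp.company.com",
    "NSC_AAAC=constructed-session-token",  # no NSC_TMAP at all
]


def compare_all(headers: List[str] = SAMPLE_HEADERS) -> List[Tuple[Optional[str], Optional[str]]]:
    """Return (exact_result, contains_result) for each sample header."""
    return [(select_action_exact(h), select_action_contains(h)) for h in headers]


if __name__ == "__main__":
    for header, (exact, contains) in zip(SAMPLE_HEADERS, compare_all()):
        print(f"{header!r}\n  exact NSC_TMAP match: {exact}\n  CONTAINS on header:   {contains}")
```

Running it shows the two approaches agreeing on the first two requests, disagreeing on the third (the substring rule picks Corp_LDAPS because of an unrelated cookie value), and both returning no action when NSC_TMAP is missing, which is the situation behind the "no active policy" error mentioned earlier in the thread. If the cookie value really is the profile name, comparing that one cookie's value exactly is the tighter rule.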

  • 2 years later...

Is there anyone who got this working without using the cookies? Are there other options?

I got some vservers with authentication policies bound to them, but when using content switching in front of them the AAA vserver doesn't recognise the original URL to match the expression in the authentication policy.
