Jump to content
Welcome to our new Citrix community!

LDAP MGMT authentication errors


Recommended Posts



I add LDAP authentication to the management but this slowly driving me crazy. I implement this with following commands


add authentication ldapAction AA_Citrix-Admins -serverIP -serverPort 636 -ldapBase "dc=lab,dc=lcl" -ldapBindDn browseldap@lab.lcl -ldapBindDnPassword Pa$$w0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=Citrix_Admins,OU=Domain Groups,DC=lab,DC=lcl" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
add authentication ldapPolicy AP_Citrix-Admins ns_true AA_Citrix-Admins
add system group SG_Citrix-Admins -timeout 900
bind system group SG_Citrix-Admins -policyName superuser 100
bind system global AP_Citrix-Admins -priority 100


And shortly after the logon i got those messages.


2 error(s) encountered.
Not authorized to execute this command [show ns license]
Not authorized to execute this command [show ns feature]


And with every click to a menu I got this one.


Not authorized to execute this command [show ns config]


Any ideas to find the issue?




Link to comment
Share on other sites

Remember, the search filter constrains which accounts are valid from any account in the domain, to only accounts in the search criteria. If using a filter based on Container, then the user account AND the group it belongs to has to be in that container, not just the group.



Try removing the search filter during the initial test and make sure your AD groups distinguished name in AD is the actual system group (or AAA group name) that you used on the NetScaler. Make sure your not comparing a display name from AD with the group name on NetScaler.


If it works without the search filter, then this says the search filter is wrong and the group name/user accounts are in the domain.

If it still doesn't work without the search filter either, then you have the group name wron on the NetScaler OR there is something with your connection to AD, bind dn, or bind dn credentials.


Troubleshoot 2:  use the Authentication Dashboard (Left pane of NetScaler: Authentication node below NS Gateway node at bottom of left navigation pane). This can usually show overt connectivity issues.


Troubleshoot 3:  use aaad.debug to look at the authentication events and this may help you find group extraction or other issues.

Link to comment
Share on other sites

  • 1 year later...


This topic is now archived and is closed to further replies.

  • Create New...