Evening,

 

I am looking to implement nFactor authentication on NetScaler, but I need to support multi-domain. So I could have users in domain1.co.uk and users in domain2.org. The users are loaded in a Parent/Child AD domain so trust is not an issue. I am thinking UPN logons rather than SAMAccountName. I've been playing with nFactor authentication the last couple of days so I can use the Google Authenticator (it's free).

 

I think I'm going to need multiple session profiles for each domain as each will be going to a different StoreFront store - I'm just trying to work out in my head how I'm going to hang it all together...

 

If anyone could point me in the right direction. (I've been using http://www.jgspiers.com/netscaler-native-otp/ - George Spiers, and the various guides from Carl Stalhood)

 

Thanks

Simon


You have multiple options.  You could even have the end-user select their domain from a drop-down, write a cookie, and base your session policies on that.  That is a little old school, but your scenario seems solid and should be possible.  For example user1 enters their username and selects the "UPN" portion of their account from a drop down.  That writes a cookie and the NS reads the cookie to determine which AD to search for the user account.  This would leave the policy at SAMAccountname and would require a cookie.  Again, that is old school.  New school would be using something like http.req.user.attribute or http.req.user.name contains "domain1" to pull the specific domain you want and then making a policy based decision.  See here: https://support.citrix.com/article/CTX200261 and here: https://support.citrix.com/article/CTX200342 


You want to specify 'Default group' ("FakeGroupDomainA" for example) in the LDAP server profile, and then use HTTP.REQ.USER.MEMBEROF("FakeGroupDomainA") in the session policy to apply the correct session policy depending on which sub domain the user authenticated against (so you have the LDAP policies for each sub domain, in a cascading list). If your Netscaler version doesn't support Advanced Expressions in session policy then you need to create an AAA group named "FakeGroupDomainA" and bind the session policy to it.


Hi Simon,

I set up One Time Password on ADC (Netscaler) with Google Authenticator, but I have to set up nFactor for multiple domains and saw your post here regarding what I am about to execute. I did not find any info in the Citrix documentation on how to go about this. In case you find a way of resolving your issue, could you be kind enough to give me a tip on how you went about it. Thanks. Felix


Hi

 

have a look at this article

 

https://netscalerrocks.com/netscaler/n-factor-native-otp-with-multiple-domains-on-the-same-portal/

 

Also, as the domains are trusted, why bother with multiple StoreFront servers? A single StoreFront with multiple stores is more efficient and there is no need for fancy expressions for directing data flow. Just use security permissions on the delivery groups.

 

Regards

 

Ken Z


Felix

 

Do you have multiple Session policies enabled on the NetScaler for the different domains? These would need to go to different StoreFront Stores. i.e.

 

Session Policy one would have domain1 encoded, and redirect to Store1 on StoreFront which would have a default domain set to domain1

Session Policy two would have domain2 encoded, and redirect to Store2 on StoreFront which would have a default domain set to domain2

 

Each NetScaler session policy would have an expression that would call it depending on the UPN suffix, as per the article I linked above.

 

Regards

 

Ken Z

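The two-domain split described above (one LDAP source per domain that tags the session with a marker group, one session policy per StoreFront store), written out as an added NetScaler CLI example; this is not configuration from the thread or the linked article. The server names, the svc-ns bind account, the store URLs, the vserver names and the otp_factor policy label are placeholders to replace with your own.

```text
# Added example, not from the thread. Placeholders: dc.domain1.co.uk, dc.domain2.org, svc-ns,
# REPLACE_ME, storefront.example.com, aaa_vs, gw_vs and the otp_factor policy label.

# One LDAP action per domain. Users log in with their UPN, and -defaultAuthenticationGroup
# attaches a marker group to the session; that group does not have to exist in AD.
add authentication ldapAction ldap_act_domain1 -serverName dc.domain1.co.uk -serverPort 636 -secType SSL \
    -ldapBase "DC=domain1,DC=co,DC=uk" -ldapBindDn "svc-ns@domain1.co.uk" -ldapBindDnPassword REPLACE_ME \
    -ldapLoginName userPrincipalName -ssoNameAttribute userPrincipalName \
    -groupAttrName memberOf -subAttributeName cn -defaultAuthenticationGroup FakeGroupDomain1
add authentication ldapAction ldap_act_domain2 -serverName dc.domain2.org -serverPort 636 -secType SSL \
    -ldapBase "DC=domain2,DC=org" -ldapBindDn "svc-ns@domain2.org" -ldapBindDnPassword REPLACE_ME \
    -ldapLoginName userPrincipalName -ssoNameAttribute userPrincipalName \
    -groupAttrName memberOf -subAttributeName cn -defaultAuthenticationGroup FakeGroupDomain2

# Select the LDAP source by UPN suffix rather than cascading blindly, so a login for domain2
# never produces a failed bind (and a bad-password count) against domain1's controllers.
add authentication Policy ldap_pol_domain1 -rule 'AAA.LOGIN.USERNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS("@domain1.co.uk")' -action ldap_act_domain1
add authentication Policy ldap_pol_domain2 -rule 'AAA.LOGIN.USERNAME.SET_TEXT_MODE(IGNORECASE).CONTAINS("@domain2.org")' -action ldap_act_domain2

# First factor on the AAA vserver; both domains chain to the same native OTP factor label,
# which is assumed to be built separately following the native OTP guide.
bind authentication vserver aaa_vs -policy ldap_pol_domain1 -priority 100 -nextFactor otp_factor -gotoPriorityExpression NEXT
bind authentication vserver aaa_vs -policy ldap_pol_domain2 -priority 110 -nextFactor otp_factor -gotoPriorityExpression NEXT

# One session action per StoreFront store; each store's default domain matches its LDAP source.
add vpn sessionAction sess_act_domain1 -transparentInterception OFF -defaultAuthorizationAction ALLOW \
    -SSO ON -icaProxy ON -ClientChoices OFF -wihome "https://storefront.example.com/Citrix/Store1Web"
add vpn sessionAction sess_act_domain2 -transparentInterception OFF -defaultAuthorizationAction ALLOW \
    -SSO ON -icaProxy ON -ClientChoices OFF -wihome "https://storefront.example.com/Citrix/Store2Web"

# Choose the session policy from the server-assigned marker group, not from a client-written
# cookie, so a user cannot steer themselves into the other store by editing request data.
add vpn sessionPolicy sess_pol_domain1 'HTTP.REQ.USER.IS_MEMBER_OF("FakeGroupDomain1")' sess_act_domain1
add vpn sessionPolicy sess_pol_domain2 'HTTP.REQ.USER.IS_MEMBER_OF("FakeGroupDomain2")' sess_act_domain2
bind vpn vserver gw_vs -policy sess_pol_domain1 -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver gw_vs -policy sess_pol_domain2 -priority 110 -gotoPriorityExpression END -type REQUEST
```

On firmware that cannot evaluate advanced expressions in session policies, keep the same LDAP actions and instead create AAA groups named FakeGroupDomain1 and FakeGroupDomain2 and bind each session policy to its group, as the earlier reply describes.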
