Jump to content
Welcome to our new Citrix community!

Nested group extraction done for user USER1, group string:

Recommended Posts

When running aaad.debug, I have a user failing LDAP auth with 'LDAP authentication failed (error 49): Invalid credentials'


However, in the log, my question is what is 'tagging'  or 'pulling' the AD group referenced in the 'group string'

Is the group referenced here the last group the user has been added to or just random? I noticed its not listed as the users Primary group - that is Domain Users.



 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[463]: ns_ldap_check_result 1-50218: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Tue Mar 30 10:30:13 2021
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[501]: ns_ldap_check_result 1-50218: ldap_result found expected result LDAP_RES_SEARCH_RESULT
Tue Mar 30 10:30:13 2021
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5739]: unregister_timer 1-50218: releasing timer 163583
Tue Mar 30 10:30:13 2021
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[2065]: receive_ldap_group_search_event 1-50218: Nested group extraction done for user USER1, group string: Offshore_Enabled_Users





Link to comment
Share on other sites

Group extraction is usually handled by setting the attribute parameter to retrieve memberOf in the authentication ldap policy action.

Then when you look at the AAA results, you should see the user's group membership(s) be returned.

Depending on whether nested group extraction is on or off will determine if you only retrieve the groups the user is a direct member of or the groups those groups belong to.

A search filter on the authentication policy might also narrow your results.


Domain Users is not usually retrieved as a group membership.

You might want to share your ldap action for additional troubleshooting.  You can anonymize the domain name and group fields, but you may be missing a parameter or have parameters that are changing your expected results.


If the user authentication is failing, 1) is the user supplying the correct credential to the right domain.  

The group extraction is performing properly as your groups are being listed (minus the Domain Users).

The order of the groups is based on membership in AD.


You can then base authorization decisions on group membership in the AAA or VPN settings via authorization policies and/or session policies.


Authentication failures are usually caused by:

1) user has wrong credentials and/or conflict between UPN vs sAMAccountName methods in use by user login and what the authentication policy specifies.

2) If you have a different bindDN or search filter set in the authentication policy which results in the user account (maybe having correct domain credentials), but the user account is falling outside the authentication scope such as not in a the OU or Group listed in the search filter, then this can also result in a "failed authentication" instead of a "failed authorization" event (authorization happens after authentication).

3) Depending on whether you are doing gateway or nfactor, there are also authentication groups and other ways to exclude a user from a valid authentication attempt (but more info would be needed).


If authentication succeeds, you may still see denied authorization events, 

but these are related to lack of permissions being granted after the authentication completes and would not be seen as an authentication failure.


To troubleshoot:

1) is this system authentication for management or related to sslvpn (gateway) or aaa (authentication vserver) features.

2) Start with the authentication policy action and share whether you are doing classic or advanced (and using nfactor or not)





  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...