Jump to content
Welcome to our new Citrix community!

LDAPs policies and Session Policies for Access Gateway


Recommended Posts

We are looking at adding additional functionality for users to sign on to AGEE using either their "old" samAccountName or their UserPrincipalName.

 

We have created 2 LAPDs servers with the only difference being to the "Server Logon Name Attribute" - therefore ldaps_svr_sam is configured with "samAccountName" and ldaps_svr_upn is configured with "UserPrincipalName".

 

We have created Advanced LDAP Policies for these where it checks for the existence of Citrix Receiver and whether the logon user contained our mylab

 

HTTP.REQ.USER.LOGIN_NAME.CONTAINS("mylab") && HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

 

All looks good, however it seems Access Gateway only excepts Basic Authentication Policies. There is an option for Advanced Policies, but seems limited to SAML IDP only!!!

 

Access Gateway

Basic Policy -> LDAP

100 - authpol_ldaps_upn

110 - authpol_ldaps_sam

 

Is there a way to achieve this using Basic Policies ? I have read https://support.citrix.com/article/CTX207284 which talks about exactly what we want to do, but NOT how each policy would then be triggered. We cant use something like ns_true, as that would be valid for all, and I have tried to use the same command as our Advanced Policy and it reports back "Invalid Rule"

 

https://support.citrix.com/article/CTX200261 - discusses extracting out user information from the signed on user, but again unless the Policy Expression can confirm/deny the policy order, I can't see how it will then go down the priority order list to match the correct LDAP server profile to reference??

 

 

Question.

So what does the Regular Expression for the Basic Policy authpol_ldaps_upn need to contain to validate whether a firstname.lastname@mylab.net user has signed on ? and if the user name did not contain mylab then it will go to the next policy in the list authpol_ldaps_sam and validate the user (assumption being it was samAccountName) - or maybe add in some intelligence?

 

I'm sure I am missing something easy, but without the means of undertaking user lookups in Basic policies or a way of having AGEE use Advanced LDAP policies I'm struggling to achieve what should be a simple change.

 

Obviously once the LDAPs polices are validated, we then need to undertake similar validation for the Session policies as these will have different profile settings if the user is UPN or SAM, but I'm expecting to be able to duplicate the same settings as used for LDAPs.

 

Thanx in advance

Link to comment
Share on other sites

1) To integrate the GAteway authentication with the advanced policy engine, you have to integrate Gateway with AAA (aka an authentication vserver) and the authentication vserver does the advanced authentication policy flow.

 

2) It technically could be done in basic policies (but they are deprecated after 13.1 and later so you would have to change soon anyway) and its done as a policy cascade with UPN attempted first and then the classic engine next and you run the risk of a password lock if you try multiple times OR using the old style classic engine drop down list to sort between UPN vs. saml during sign on.  Which, again, due to classic engine deprecation I wouldn't recommend even going down that path.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...