Jump to content
Welcome to our new Citrix community!

nFactor AD Group Extraction


Recommended Posts


I'm trying to configure nFactor with AD Group Extraction.   Scenario is as follows:


  • if user is a normal user of a specific domain, then next would be for DUO Authentication (currently working)
  • if user is using an admin user which is a member of a specific group then allow access NOT using DUO ( not working, error indicating no duo account)


having issues with the nfactor policy for AD Group extraction


Any help would be appreciated.


BTW I've referenced: 








2022-11-10_11-39-33.pdf 2022-11-10_11-40-00.pdf 2022-11-10_11-40-16.pdf

Link to comment
Share on other sites

This is a simple example of having users start with user name and then based on group membership do two factor for some and single factor for others:  https://support.citrix.com/article/CTX220793/nfactor-dual-factor-authentication-with-selective-authentication-factors-based-on-active-directory-group-membership


But the first thing you can do is make sure your group Extraction works, by simplifying test, attempt AD if member of GroupA and then change to testing if member of GroupB.

That way you can identify is this a group extraction issue OR an issue with your nfactor configuration.


Without info on how you've configured it, its hard to provide more info.


Standard Group Extraction Considerations:

  • Be sure the ldap policy is retrieving the "memberOf" parameter.   
  • Determine whether you are doing nested group extraction or not.
  • Be sure the AAA Group(s) defined on the ADC are the same exact name as the group names in AD. (Pre 11 this include case-sensitive names; shouldn't matter now.)

Other things to verify:

  • Remember, the group extraction does not retrieve the Domain Users group.
  • If your LDAP policy includes a search filter, it may change the accounts/groups retrieved.
  • You can confirm the GROUP membership returned by AD by viewing the authentication attempt in the aaad.debug named pipe to make sure the list of Groups retrieved from AD confirms what the group(s) you expect and the right groups are defined on the ADC.


cd /tmp

cat aaad.debug

(view output while you perform a logon attempt for a user from each of the groups you are testing)



Try performing the ldap/duo and the ldap only authentication in isolated tests, just to make sure they work individually.

Then try to perform them based on the group membership only (again to make sure they work individually).


Once you confirm the pieces work, then you can diagnose what is actually wrong with the nfactor config. But for this you may need to to summarize your policy and bindings.


Also:  You can view the aaad.debug log to see if the expected authentication events are firing for your current nfactor test before you troubleshoot and see if there is a different issue occurring for your admin group. (Note: aaad.debug is a named pipe and not an actual log file; you can use cat to observe the events as they are generated, it doesn't log past events.)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...