In a Netscaler project I ran into a requirement to check whether a user is a member of a specific Active Directory group before the request is forwarded to the load balancing vServer. The customer has multiple LB vServers, which are protected by a simple AAA authentication server. The authentication domain was set to the top-level domain, e.g. 

The following subdomains represent the other applications:


In our example all users are allowed to browse to jira and documentcenter, but to access the sharepoint server users must be members of the group "Group_Sharepoint_Access". If a user is not a member of this group, a short error message should be displayed, which was done with a simple responder:

This policy and action can be replicated as often as needed and bound to the respective vServer:
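
A sketch of how such a group check can be expressed on the NetScaler CLI, as an added example rather than the author's original configuration. The object names (act_ldap_example, act_sharepoint_denied, pol_sharepoint_group, lb_vs_sharepoint), the 403 response text and the choice of the HTTP.REQ.USER.IS_MEMBER_OF expression are assumptions; only the group name comes from the post.

```netscaler
# Added example, not the original configuration from this post.
# All object names below are hypothetical placeholders.

# The responder feature must be enabled before policies are evaluated.
enable ns feature RESPONDER

# Group membership is only known to the appliance if the LDAP action used
# by the AAA vServer extracts groups at login (act_ldap_example is assumed
# to be the existing LDAP action).
set authentication ldapAction act_ldap_example -groupAttrName memberOf -subAttributeName cn

# Action: answer directly from the appliance with a short error message
# (status code and wording are assumptions).
add responder action act_sharepoint_denied respondwith "\"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nAccess denied: you are not a member of the required group.\""

# Policy: fires only when the authenticated user is NOT in the group,
# so members fall through and are load balanced normally.
add responder policy pol_sharepoint_group "!HTTP.REQ.USER.IS_MEMBER_OF(\"Group_Sharepoint_Access\")" act_sharepoint_denied

# Bind to the protected LB vServer at request time.
bind lb vserver lb_vs_sharepoint -policyName pol_sharepoint_group -priority 100 -gotoPriorityExpression END -type REQUEST
```

Because the policy matches on the negated membership test, a user whose groups were never extracted is denied rather than let through; `show responder policy pol_sharepoint_group` displays the hit counter for checking that the policy is being evaluated.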



2 Thoughts to “Netscaler – AD Group permission check on vserver level”

  1. Hi Marco,
    I have tried exactly the same, but used AAA.USER.IS_MEMBER_OF(myadgroup) expression instead. Bound Responder Policy on LB vserver, but it does not get a hit (Group extraction string in aaa.debug shows the AD group I try to check for).
    Do you have an idea why it is not working (NS

    1. Hi Ueli,
      Are you using nFactor on your AAA server or Basic Auth?

      BR Marco
