In a NetScaler project I had a requirement to check whether a user is a member of a specific Active Directory group before the request is forwarded to the load balancing vServer. The customer has multiple LB vServers, which are protected by a simple AAA authentication server. The authentication domain was set to the top-level domain, e.g. fabric.com.
The following subdomains represent the other applications:
- sharepoint.fabric.com
- jira.fabric.com
- documentcenter.fabric.com
In our example all users are allowed to browse to jira and documentcenter, but to access the sharepoint server users must be members of the group „Group_Sharepoint_Access“. If a user is not a member of this group, a short error message should be displayed, which was done with a simple responder:
add responder action res-act-lbcs-default respondwith q{"HTTP/1.0 200 OK" +"\r\n\r\n" + "<html><body><strong>The requested page was not found</strong><br />We regret the inconvenience.<br />Please use the search function on our homepage or contact our Customer Support to get specific information.</body></html>" + "\r\n"}
add responder policy res-pol-groupcheck "!HTTP.REQ.USER.IS_MEMBER_OF(\"Group_SharePoint_Access\")" res-act-lbcs-default
This policy and action can be replicated as often as needed and bound to the respective vServer:
bind lb vserver lbcs-sharepoint -policyName res-pol-groupcheck -priority 100 -gotoPriorityExpression END -type REQUEST
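To replicate the policy and binding for several vServers without hand-editing each command, here is an added example (not from the original post and not NetScaler tooling): a small bash script that generates the CLI lines from a vServer/group map and refuses group names containing characters that would break the quoted expression. It assumes the responder action res-act-lbcs-default from the post already exists; the policy naming scheme and the sample map are assumptions.

```bash
#!/usr/bin/env bash
# Added example: generate NetScaler CLI lines for the group-check responder pattern.
# Assumes the action res-act-lbcs-default already exists (as in the post above).

# Derive a policy name from an AD group: lowercase, non-alphanumerics become "-".
ns_policy_name() {
  printf 'res-pol-groupcheck-%s\n' \
    "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9\n' '-')"
}

# Emit the "add responder policy" and "bind lb vserver" lines for one pair.
# $1 = LB vServer name, $2 = AD group name, $3 = bind priority (default 100).
ns_groupcheck_cmds() {
  local vserver="$1" group="$2" prio="${3:-100}" pol
  # A quote or backslash inside the group name would break the policy expression.
  case "$group" in
    *'"'*|*'\'*) echo "refusing group name with quote/backslash: $group" >&2; return 1;;
  esac
  pol="$(ns_policy_name "$group")"
  # Respond with the default page unless the authenticated user is in the group.
  printf 'add responder policy %s "!HTTP.REQ.USER.IS_MEMBER_OF(\\"%s\\")" res-act-lbcs-default\n' \
    "$pol" "$group"
  printf 'bind lb vserver %s -policyName %s -priority %s -gotoPriorityExpression END -type REQUEST\n' \
    "$vserver" "$pol" "$prio"
}

# Read "vserver group [priority]" lines from stdin; "#" lines and blanks are skipped.
ns_groupcheck_from_map() {
  local vserver group prio
  while read -r vserver group prio; do
    [ -z "$vserver" ] && continue
    case "$vserver" in '#'*) continue;; esac
    ns_groupcheck_cmds "$vserver" "$group" "$prio" || return 1
  done
}

# Constructed sample map (hypothetical second vServer/group pair for illustration).
ns_groupcheck_from_map <<'EOF'
# vserver            group                      priority
lbcs-sharepoint      Group_SharePoint_Access    100
lbcs-documentcenter  Group_DocumentCenter_Admins
EOF
```

Paste the printed lines into the NetScaler CLI (or a batch file) after reviewing them; the script itself never talks to the appliance.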
Marco Klose works as a Technical Consultant, Architect and CTO focused on application and desktop virtualization as well as application delivery with the Citrix product portfolio. He specializes in Citrix virtualization, Citrix networking and Microsoft products. He has 10+ years of experience, holds the latest Citrix certifications and is a member of the Citrix Partner Expert Council EMEA (PTEC). Since 2021 he is also a Citrix Technology Advocate (CTA).
Hi Marco,
I have tried exactly the same, but used the AAA.USER.IS_MEMBER_OF(myadgroup) expression instead. I bound the Responder Policy on the LB vserver, but it does not get a hit (the group extraction string in aaa.debug shows the AD group I try to check for).
Do you have an idea why it is not working (NS 12.1.55.18)?
Hi Ueli,
Are you using nFactor on your AAA server or Basic Auth?
BR Marco