In a Netscaler project I came to a requirement, to check if an user is member of an specific Active Directory group before the request is forwarded to the load balancing vServer. The customer has multiple lb vservers, which are protected by an simple AAA authentication server. The authentication domain was set to the top level domain, e.g. 

The following subdomains are representing the other applications:


In our example all users are allowed to browse to jira and documentcenter, but for access the sharepoint server users must be member of the group „Group_Sharepoint_Access“. If a user is not member of this group a short error message should be displayed, which was done with a simple responder:

add responder action res-act-lbcs-default respondwith q{"HTTP/1.0 200 OK" +"\r\n\r\n" + "<html><body><strong>The requested page was not found</strong><br />We regret the inconvenience.<br />Please use the search function on our homepage or contact our Customer Support to get specific information.</div></body></html>" + "\r\n"}
add responder policy res-pol-groupcheck "!HTTP.REQ.USER.IS_MEMBER_OF(\"Group_SharePoint_Access\")" res-act-lbcs-default

This policy and action could be replicated as often as needed and will be bound to the respective vserver:

bind lb vserver lbcs-sharepoint -policyName res-pol-groupcheck -priority 100 -gotoPriorityExpression END -type REQUEST



2 Thoughts to “Netscaler – AD Group permission check on vserver level”

  1. Hi Marco,
    I have tried exactly the same, but used AAA.USER.IS_MEMBER_OF(myadgroup) expression instead. Bound Responder Policy on LB vserver, but it does not get a hit (Group extraction string in aaa.debug shows the ad group i try to check for.
    Do you have an idea why it is not working (NS

    1. Hi Ueli,
      Are you using nFactor on your AAA server or Basic Auth?

      BR Marco

Leave a Comment

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.