As a Citrix Consultant implementing AGEE, I am often asked how to secure the connection from NetScaler/AGEE to LDAP. By default, NetScaler/AGEE authenticates to Active Directory over port 389 in plain text, so the bind credentials and every user's password cross the network unencrypted, as shown below:
If you look at your domain controller you will see port 389 and probably port 636 listening, but you will not be able to use 636 (LDAPS) without:
- A server certificate issued to the domain controller.
- A CA trust, set up as described in Chris Towles' article http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html, which walks through installing a Certificate Authority.
Once that is done, there are still a few items to take care of. You will have to import the root CA certificate into the NetScaler so that it can validate the domain controller's certificate and complete the LDAPS connection. To export it, open MMC, add the Certificates snap-in, find the CA certificate in the Personal store on your CA server, right-click it and choose All Tasks > Export, as shown below:
When exporting, choose Base-64 encoded X.509 (.CER) rather than DER, since the NetScaler's certificate install defaults to PEM format, and save the file somewhere easy to find.
Next, import it into your NetScaler. In the NetScaler configuration utility, navigate to SSL > Certificates, click Install, and you will see a dialog similar to the one below.
The Certificate-Key Pair Name must be unique on the NetScaler and can be any descriptive name. The Private Key File Name is the one shown in the top red circle, /nsconfig/ssl/Key.crt, which you can also reach with the Browse (Appliance) button; note that a root CA certificate carries no private key, so this field only matters when you install a certificate-key pair rather than a CA certificate. Next, supply the Certificate File Name: switch the browse mode from Appliance to Local and locate the certificate you exported earlier. Finally, click Install to install the root CA certificate.
Next, verify that the certificate is working by going to Access Gateway > Policies > Authentication. Find your LDAP server under Servers and open it. Change the Security Type to SSL, make sure the Port shows 636, and click Retrieve Attributes. If everything is working you should see the following response:
Once this works you can also tick Allow Password Change. This is one benefit of LDAPS: Active Directory refuses password changes over an unencrypted LDAP connection, so the option is useless on port 389. The real test, of course, is to attempt a real user login and confirm that it succeeds.
If you cannot get this to work, SSH (PuTTY) into the NetScaler, drop to the shell, run cat /tmp/aaad.debug, and then try to log in again. The output streams each authentication attempt as it happens and will tell you whether the LDAP bind is succeeding or failing, with some hints as to why.
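As an added example, not code from the original post, the following Python script does from any workstation what the NetScaler's Retrieve Attributes and login tests do, using only the standard library: it accepts the exported root CA (converting DER to PEM if the wrong export format was chosen), opens a TLS connection to the domain controller on port 636 trusting only that CA, and performs an LDAP simple bind whose result code separates "TLS and trust are fine, credentials are wrong" (49) from "success" (0). The host name, CA file path and bind DN at the bottom are placeholders to replace with your own.

```python
"""Pre-flight LDAPS check for a NetScaler LDAP action (added example).

Verifies the exported root CA is PEM, then uses it, and only it, to validate the
domain controller's certificate on 636 and perform an LDAP simple bind. LDAP
framing is hand-encoded BER (RFC 4511) so no third-party module is required.
"""
import base64
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def to_pem(data: bytes) -> bytes:
    """Return the certificate as PEM, the NetScaler's default input format.

    Accepts a file that is already PEM (the Base-64 export) or raw DER, which the
    Windows export wizard writes when 'DER encoded binary X.509' was chosen.
    """
    if PEM_HEADER in data:
        return data
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("input is neither a PEM nor a DER certificate")
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"


# --- minimal BER helpers for the two LDAP messages we need -------------------
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_len(data: bytes, pos: int):
    """Decode a BER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (_tlv(0x02, b"\x03")                # version INTEGER 3
            + _tlv(0x04, bind_dn.encode())     # name LDAPDN
            + _tlv(0x80, password.encode()))   # authentication simple [0]
    # messageID kept below 128 so a single INTEGER byte stays positive
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse.

    resultCode 0 is success; 49 (invalidCredentials) means the TLS handshake and
    CA trust already worked and only the bind DN or password is wrong.
    """
    pos = 0
    if data[pos] != 0x30:
        raise ValueError("not an LDAPMessage")
    _, pos = _read_len(data, pos + 1)
    if data[pos] != 0x02:
        raise ValueError("missing messageID")
    n, pos = _read_len(data, pos + 1)
    msg_id = int.from_bytes(data[pos:pos + n], "big")
    pos += n
    if data[pos] != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, pos = _read_len(data, pos + 1)
    if data[pos] != 0x0A:  # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    n, pos = _read_len(data, pos + 1)
    code = int.from_bytes(data[pos:pos + n], "big")
    pos += n
    n, pos = _read_len(data, pos + 1)  # matchedDN, skipped
    pos += n
    n, pos = _read_len(data, pos + 1)  # diagnosticMessage
    diag = data[pos:pos + n].decode("utf-8", errors="replace")
    return msg_id, code, diag


def ldaps_bind(host: str, cafile: str, bind_dn: str, password: str, port: int = 636):
    """Connect to the DC over TLS trusting only `cafile`, then simple-bind.

    create_default_context(cafile=...) loads that CA instead of the system store,
    so success proves the exported root really issued the DC's certificate.
    check_hostname stays on: the DC certificate must match the name you use.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return parse_bind_response(tls.recv(4096))


if __name__ == "__main__":
    # Hypothetical names: replace with your DC, exported root CA and service account.
    print(ldaps_bind("dc01.example.com", "rootca.cer",
                     "cn=svc-netscaler,cn=Users,dc=example,dc=com", "password"))
```

If the script fails in the TLS handshake with a certificate verify error, the root you exported is not the issuer of the DC's certificate (or the DC's certificate lacks a SAN for the name you connected with), and importing that root into the NetScaler will not help; if it gets as far as result code 49, the trust is correct and only the bind account in the LDAP action needs attention.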