Protected user authentication
The “Protected Users” security group in Active Directory enforces strict security policies for the members of this group. These policies are designed to protect privileged accounts (for example, domain admins) by enforcing stricter authentication methods.
Starting with NetScaler release 14.1 build 47.x, you can configure user authentication for LDAP users belonging to the “Protected Users” group in the Active Directory.
Important:
Disable the Do not require Kerberos preauthentication setting from account properties for Protected Users in Active Directory. NetScaler uses Kerberos authentication to authenticate Protected Users.
To configure protected user authentication by using the CLI
We recommend the following steps to configure protected user authentication using protectedUserAction:
-
Extract group information from Active Directory using
ldapAction.add authentication ldapAction ldap_group_extraction -serverIP <Ip address> -ldapBase <> -ldapBindDn <admin_user> -ldapBindDnPassword <password> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -authentication DISABLED <!--NeedCopy-->Note:
If a cloned “Protected Users” group is used instead of the default security “Protected Users” group, ensure that the custom group is extracted through group extraction in the
ldapAction. -
Check whether the user is a protected user or not.
add authentication Policy check_protected_user -rule "AAA.USER.IS_MEMBER_OF(\"Protected Users\")" -action <protectedUserAction> <!--NeedCopy--> -
Configure
protectedUserActionfor users in the “Protected Users” group.add authentication protectedUserAction protectedUser -realmStr <AAA.LOCAL> -maxConcurrentUsers <8> <!--NeedCopy-->In the preceding command:
-
realmStr: Specifies the domain to which the user belongs. This parameter is mandatory. -
maxConcurrentUsers: Limits the number of concurrent authentication requests to prevent DDoS attacks. This parameter is optional. Default value: 8.
Note:
The
realmStrparameter in the configuredprotectedUserActioncommand overrides any realm specified in the user input.Example 1:
Configured
protectedUserActioncommand:add authentication protectedUserAction <name> -realmStr AAA.LOCALInput username:
aaa.local1\userUser realm considered is
AAA.LOCALas specified inrealmStrparameter and notaaa.local1.Example 2:
Configured
protectedUserActioncommand:add authentication protectedUserAction <name> -realmStr AAA.LOCALInput username:
user@aaa.local1User realm considered is
AAA.LOCALas specified inrealmStrparameter and notaaa.local1. -
To configure protected user authentication by using the GUI
-
Configure the LDAP group extraction to extract the users in the “Protected Users” group. For more information, see Create an LDAP Authentication Action using the GUI.
-
Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > PROTECTED USER and click Add.
-
In the Protected User Actions page, enter values for the following parameters:
-
Name: Name for the protected user authentication. This parameter is mandatory.
-
Kerberos Realm: Domain to which the user belongs. This parameter is mandatory.
-
Max Concurrent Users: Limits the number of concurrent authentication requests to prevent DDoS attacks. This parameter is optional. Default value: 8.
-
-
Click Create.
