Protected user authentication

The “Protected Users” security group in Active Directory enforces strict security policies for the members of this group. These policies are designed to protect privileged accounts (for example, domain admins) by enforcing stricter authentication methods.

Starting with NetScaler release 14.1 build 47.x, you can configure user authentication for LDAP users belonging to the “Protected Users” group in the Active Directory.

Important:

Disable the “Do not require Kerberos preauthentication” setting in the account properties of the Protected Users in Active Directory, because NetScaler uses Kerberos authentication to authenticate Protected Users.

To configure protected user authentication by using the CLI

We recommend the following steps to configure protected user authentication using protectedUserAction:

  1. Extract group information from Active Directory using ldapAction.

    add authentication ldapAction ldap_group_extraction -serverIP <Ip address> -ldapBase <> -ldapBindDn <admin_user> -ldapBindDnPassword <password> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -authentication DISABLED

    Note:

    If a cloned “Protected Users” group is used instead of the default security “Protected Users” group, ensure that the custom group is extracted through group extraction in the ldapAction.

  2. Check whether the user is a protected user or not.

    add authentication Policy check_protected_user -rule "AAA.USER.IS_MEMBER_OF(\"Protected Users\")" -action <protectedUserAction>

  3. Configure protectedUserAction for users in the “Protected Users” group.

    add authentication protectedUserAction protectedUser -realmStr <AAA.LOCAL> -maxConcurrentUsers <8>

    In the preceding command:

    • realmStr: Specifies the domain to which the user belongs. This parameter is mandatory.

    • maxConcurrentUsers: Limits the number of concurrent authentication requests to prevent DDoS attacks. This parameter is optional. Default value: 8.

    Note:

    The realmStr parameter in the configured protectedUserAction command overrides any realm specified in the user input.

    Example 1:

    Configured protectedUserAction command: add authentication protectedUserAction <name> -realmStr AAA.LOCAL

    Input username: aaa.local1\user

    User realm considered is AAA.LOCAL as specified in realmStr parameter and not aaa.local1.

    Example 2:

    Configured protectedUserAction command: add authentication protectedUserAction <name> -realmStr AAA.LOCAL

    Input username: user@aaa.local1

    User realm considered is AAA.LOCAL as specified in realmStr parameter and not aaa.local1.
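The three CLI steps above, assembled into one complete configuration as an added example (this is not configuration from the page or from NetScaler documentation). The server address 10.0.0.10, the base DN and bind DN, the authentication virtual server name auth_vs, and the policy label wiring that chains group extraction to the protected-user check are assumptions made for the example; the ldapAction, protectedUserAction and policy names follow the steps above. Because a policy can only reference an action that already exists, the protectedUserAction (step 3) is created before the policy (step 2) that points to it.

```nscli
# Step 1: LDAP group extraction only. -authentication DISABLED means no LDAP
# password check; the factor only reads memberOf so that AAA.USER.IS_MEMBER_OF
# can be evaluated later. Server IP, base DN and bind DN are placeholders.
add authentication ldapAction ldap_group_extraction -serverIP 10.0.0.10 -ldapBase "dc=aaa,dc=local" -ldapBindDn "cn=svc_ns,cn=Users,dc=aaa,dc=local" -ldapBindDnPassword <password> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -authentication DISABLED
add authentication Policy pol_group_extraction -rule true -action ldap_group_extraction

# Step 3 (created first so the policy below can reference it): Kerberos
# authentication for members of "Protected Users". realmStr is mandatory and
# overrides any realm typed by the user (aaa.local1\user and user@aaa.local1
# are both authenticated against AAA.LOCAL). maxConcurrentUsers is left at
# the documented default of 8 to bound concurrent authentication requests.
add authentication protectedUserAction protectedUser -realmStr AAA.LOCAL -maxConcurrentUsers 8

# Step 2: select the protected-user action only for members of the group.
add authentication Policy check_protected_user -rule "AAA.USER.IS_MEMBER_OF(\"Protected Users\")" -action protectedUser

# Assumed nFactor wiring (not shown on the page): the second factor reuses the
# credentials collected in the first factor (LSCHEMA_INT shows no new form)
# and runs the membership check after group extraction has completed.
add authentication policylabel lbl_protected_user -loginSchema LSCHEMA_INT
bind authentication policylabel lbl_protected_user -policyName check_protected_user -priority 100 -gotoPriorityExpression NEXT

# Assumed: bind the first factor to an existing authentication virtual server
# named auth_vs and chain it to the protected-user factor.
bind authentication vserver auth_vs -policy pol_group_extraction -priority 100 -nextFactor lbl_protected_user -gotoPriorityExpression NEXT

# Review the resulting action before testing a logon.
show authentication protectedUserAction protectedUser
```

Users who are not members of “Protected Users” do not match check_protected_user, so in a real deployment the policy label would normally carry a second, lower-priority policy with the ordinary LDAP authentication action for everyone else; that policy is omitted here because it is outside what the page describes.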

To configure protected user authentication by using the GUI

  1. Configure the LDAP group extraction to extract the users in the “Protected Users” group. For more information, see Create an LDAP Authentication Action using the GUI.

  2. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > PROTECTED USER and click Add.

  3. On the Protected User Actions page, enter values for the following parameters:

    • Name: Name for the protected user authentication. This parameter is mandatory.

    • Kerberos Realm: Domain to which the user belongs. This parameter is mandatory.

    • Max Concurrent Users: Limits the number of concurrent authentication requests to prevent DDoS attacks. This parameter is optional. Default value: 8.

  4. Click Create.
