ADC

Protected user authentication

December 3, 2025

Contributed by:

The “Protected Users” security group in Active Directory enforces strict security policies for the members of this group. These policies are designed to protect privileged accounts (for example, domain admins) by enforcing stricter authentication methods.

Starting with NetScaler release 14.1 build 47.x, you can configure user authentication for LDAP users belonging to the “Protected Users” group in the Active Directory. For sample configuration of protected user authentication, see Configure protected user as an authentication factor in NetScaler nFactor authentication.

Important:

Disable the Do not require Kerberos preauthentication setting from account properties for Protected Users in Active Directory. NetScaler uses Kerberos authentication to authenticate Protected Users.

To configure protected user authentication by using the CLI

At the command prompt, type:

add authentication protectedUserAction protectedUser -realmStr <AAA.LOCAL> -maxConcurrentUsers <8>
<!--NeedCopy-->

In the preceding command:

realmStr: Specifies the domain to which the user belongs. This parameter is mandatory.
maxConcurrentUsers: Limits the number of concurrent authentication requests to prevent DDoS attacks. This parameter is optional. Default value: 8.

Example:

If the protected user belongs to realm aaa.local1, then that realm must be mentioned as part of realmStr parameter as follows:

add authentication protectedUserAction <name> -realmStr aaa.local1

To configure protected user authentication by using the GUI

Configure the LDAP group extraction to extract the users in the “Protected Users” group. For more information, see Create an LDAP Authentication Action using the GUI.
Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > PROTECTED USER and click Add.
In the Protected User Actions page, enter values for the following parameters:
- Name: Name for the protected user authentication. This parameter is mandatory.
- Kerberos Realm: Domain to which the user belongs. This parameter is mandatory.
- Max Concurrent Users: Limits the number of concurrent authentication requests to prevent DDoS attacks. This parameter is optional. Default value: 8.
Click Create.

Protected user authentication

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

NetScaler Secure Deployment Guide

Protected user authentication

December 3, 2025

Contributed by:

December 3, 2025

Contributed by:

Protected user authentication

To configure protected user authentication by using the CLI

To configure protected user authentication by using the GUI

In this article