Add multiple Basic Authentication LDAP policies/servers to Gateway or LB VIP

The best way to add additional LDAP servers for authentication is to add another LDAP Authentication Policy which is associated with another LDAP server and then bind that new policy to your Gateway or LB VIP.

This article only works with Basic Authentication with LDAP but if you have an Authentication Profile on Gateway the process below will not work.

For Basic Authentication Policies with LDAP:

Log into the Netscaler GUI.

Click on “Citrix Gateway” (or Traffic Management -> Load Balancing) -> Virtual Server -> select your virtual server where you wish to add more LDAP servers.

Under “Basic Authentication” click on the LDAP Policy (If no policy exists you will create one here). Select the policy and click “Edit Server”. Make sure to copy the settings so that they are the same on the second LDAP server/policy you are about to create. Click Close.

For the existing Policy, write down the Priority value. You will want this to be the same for the new LDAP servers unless you specifically want a lower priority.

Select “Add Binding”. Change the Priority to match the one you just wrote down. Then click “Add” next to “Select Policy”

Create a Name for the policy. Make the Expression in the lower box: NS_TRUE

Click on “Add” next to Server selection box. Add all the server details for the second LDAP server. They should all be the same except for the IP address of the new server. Click on “Create”.

Click “Create” on the LDAP Policy page to create the policy with the new server.

Click on “Bind” to bind the policy with the set priority.

Now you should see two LDAP policies with the same priority and different policy names.

Next to Select Policy press the “Add” button and on the next screen click “Add’ to create a new LDAP policy.

PLEASE NOTE: These LDAP policies will NOT Round Robin. The first LDAP server will always be used unless it cannot authenticate, it goes down, or is otherwise unavailable. Only then will the second LDAP server be used.


  • No Related Posts

LDAP failure when trying to enroll from a specific delivery group

Advised to verify permissions on the service account for both the XenMobile and the NetScaler Gateway.

An Active Directory account that meets the following requirements:

At a minimum, the Bind DN account must have:

  • Read access to the user objects in the LDAP directory in order to search for user accounts.
  • Read access to the Base DN (for example, DC=abc, DC=com) with the correct attribute that is used as the LDAPLogin Name (for example, samAccountName).

In order to perform Group Extraction, which is the process of determining a user’s group membership and returning those values to NetScaler Gateway, the Bind DN account must have:

  • Read access to the group attributes in the LDAP directory.

In order to support password expiration during authentication, the Bind DN account must have read access to the following attributes in the LDAP directory

  • PwdLastSet
  • UserAccountControl
  • msDS-User-Account-Control-Computed

In order to use an alternative Single Sign-On attribute (SSO Name Attribute), such as UPN format, the Bind DN account must have:

  • Read access is required to the particular SSO Name Attribute of interest in the LDAP directory.​

Note: You can use an account that is part of the default read-only domain controllers group in Active Directory. Check with your Active Directory Administrator for confirmation.


How to Disable Authentication on an LDAP Server and Use It Only for Group Extraction


Before disabling LDAP authentication, make sure that:

To disable LDAP authentication by using the NetScaler GUI

On the Configuration tab, do one of the following:

Navigate to System > Authentication > LDAP > Servers, select the server, click Edit, and go to step 3 of the following procedure.

User-added image


Navigate to NetScaler Gateway > Virtual Servers, select the VPN virtual server for which LDAP authentication needs to be disabled, and take the following steps.

User-added image

  1. In the Basic Authentication section, click LDAP Policy.

    User-added image

  2. Select the LDAP Policy that you want to edit, and, from the Select Action list, select Edit Server.

    User-added image

  3. Clear the Authentication check box and click OK.

    User-added image

To disable LDAP authentication by using the command line

  1. Enter the following command to disable authentication on the LDAP server:

    > set authentication ldapaction <LDAPServerName> authentication DISABLED

  2. Enter the show authentication command and verify that authentication has been disabled for the chosen LDAP server.


> sh authentication ldapaction ldapabhishek1) Name: ldapabhishekServer Name: Port: 389 Server Type: ADTimeout: 3 secs BindDn: Login: sAMAccountName Base: dc=ctxnssfb,dc=com Secure Type: PLAINTEXTPassword Change: DISABLEDGroup Attribute Name: memberOf Sub Attribute Name: CN Authentication Disabled, User requiredSuccess: 23Failures: 61Validate LDAP Server Certificate: NO LDAP Host Name:Nested Group Extraction: ON Maximum Nesting Level: 2 Group Name Identifier: cn Group Search Attribute: memberOfLDAP Referrals: OFFLDAP Referral DNSLookup : A-REC Attribute1 Name: lastLogon

Now that authentication is disabled, any LDAP authentication attempt will return an authentication success if the user is found.

User-added image


Re: Has anyone integrated EMC SCALEIO with AD/ LDAP?

HI Kireetiz,

Have you got any success in integrating EMC scaleIO with AD/LDAP ? We are facing issues in doing it. We did the configuration as per LDAP documentation of ScaleIO but it give error while trying to login via LDAP user account.

Below are some details about the configuration that we did. Please let me know you if you got the success,


User authentication method: Native and LDAP

System has 1 configured LDAP services


LDAP service ID: 67f8667100000000

LDAP service name: N/A

LDAP service URI: ldaps://,ldaps://

Users base DN: dc=unica,dc=local

User search filter: (&(objectClass=user)(sAMAccountName=<USER>)(cn=access_SIO_HOSTS,ou=Groups,dc=unica,dc=local:1.2.840.113556.1.4.1941:=<GROUP>))

LDAP service has 1 configured groups.

Role: Administrator

Group DN: CN=access_SIO_HOSTS,OU=Groups,DC=unica,DC=local



When liberty on z receives a client certificate, how to get the associated userid when security registry is SAF(MVS RACF)? No document for this scenario at the moment

Step 6:
Make sure any client certificates used for client authentication are mapped to a user identity in your registry.

For the basic registry, the user identity is the common name (CN) from the distinguished name (DN) of the certificate.

For a Lightweight Directory Access Protocol (LDAP) registry, the DN from the client certificate must be in the LDAP registry.

Basic registry and LDAP are described, but what happen when I use RACF as my liberty security registry?
From the test, it’s not working, the userid can not be obtained.


The search request contains multiple paged search controls.

Product: Exchange
Event ID: 1370
Source: MSExchangeSRS
Version: 6.0
Component: Site Replication Service
Message: The search request contains multiple paged search controls.
Only one-paged controls are allowed in a search request.
User Action
A problem with the Lightweight Directory Access Protocol (LDAP) client has occurred. It may need to be reinstalled.


Unable to initialize LDAP Simple Bind Authentication. Simple binds against this LDAP interface will result in binding as unauthenticated user.

Product: Windows Operating System
Event ID: 1219
Source: Active Directory
Version: 5.0
Message: Unable to initialize LDAP Simple Bind Authentication. Simple binds against this LDAP interface will result in binding as unauthenticated user.

Active Directory could not initialize simple bind authentication. Therefore, simple bind authentication against this LDAP interface will result in binding as an unauthenticated user.

User Action

No user action is required.