HOW TO: Netscaler 10.5 – Change Password / Secure LDAP configuration

During my current project I had to build a Netscaler cluster for Access Gateway functionality. After initially configuring the Access Gateway vServer I noticed that user account that are marked for “Change Password on next Logon” could not authenticate not via Access Gateway Logon Page nor Via Dell Wyse ThinClient that are configured for StoreFront access (via Netscaler Access Gateway). Password Change direct via StoreFront 2.6 was working flawlessly. After some googling I managed to get this working I followed these steps to succesfully configure “Allow Password Change” via Netscaler.

  1. Create Root CA on Netscaler
  2. Enable Secure LDAP on domain controllers (without Microsoft CA services)
  3. Configure Authentication Server object on Netscaler
  4. Configure Access Gateway vServer on the Netscaler

1. Create Root CA, RSA Key

  • Login to Netscaler Administration Console.
  • Browse to NetScaler > Traffic Management > SSL and click Create RSA Key

Enter required information:

  • Key Filename = /nsconfig/ssl/RootCA.key
  • Key Size = 4096
  • Public Exponent Value = 3
  • Key Format = PEM
  • PEM Encoding Algorithm = DES3
  • PEM Passphrase = somepassword (2x)
create ssl rsa /nsconfig/ssl/RootCA.key 4096 -keyform PEM -des3 -password somepassword

2. Create Certificate Signing Request

  • Login to Netscaler Administration Console.
  • Browse to NetScaler > Traffic Management > SSL and click Create Certificate Signing Request (CSR)

Enter required information:

  • Request File Name = /nsconfig/ssl/RootCA.csr
  • Key Filename = /nsconfig/ssl/RootCA.key
  • Key Format = PEM
  • PEM Passphrase (For Encrypted Key) = Earlier created password
  • Country = Enter desired value
  • State or Province = Enter desired value
  • Organization Name = Enter desired value
  • Common Name = Enter desired value (This name is visible on the certificate)
create ssl certreq /nsconfig/ssl/RootCA.csr -keyFile /nsconfig/ssl/RootCA.key -keyform PEM -CountryName US -StateName NY -OrganizationName PrivateInc -commonName RootCAPrivateInc

3. Create RootCA Certificate

  • Login to Netscaler Administration Console.
  • Browse to NetScaler > Traffic Management > SSL and click Create Certificate

Enter required information:

  • Enter Certificate File name  = /nsconfig/ssl/RootCA.cer
  • Certificate Format = PEM
  • Certificate Type = Root-CA
  • CSR File = /nsconfig/ssl/RootCA.csr
  • Key Filename = /nsconfig/ssl/RootCA.key
  • Key Format = PEM
  • PEM Passphrase = Earlier created .key password
  • Validity Period = 365 (max 3650)

Now import this new certificate to the Netscaler Certificates store.

  • Browse to NetScaler > Traffic Management > SSL > Certificates and click Install
  • Certificate-Key Pair Name = “Name it you like
  • Certificate File Name = /nsconfig/ssl/RootCA.cer
  • Key File Name = /nsconfig/ssl/RootCA.key
  • Certificate Format = PEM
  • Password = Earlier created .key password
  • Certificate Bundle = Enabled

 

4. Enable Secure LDAP on domain controllers  

After we created the RootCA account we need to enable secure LDAP om the domain controllers. For this to work we need to create a CSR on the Domain Controllers. To do this you need to login on (all) your domain controller(s) and create a CSR. Copy the contents of this file to notepad and name the file request.inf. Save the file to c:\windows\temp

;----------------- request.inf ----------------- 

[Version] 

Signature="$Windows NT$" 

[NewRequest]

Subject = "CN=servername.domain.com"
KeySpec = 1 
KeyLength = 4096 
Exportable = TRUE 
MachineKeySet = TRUE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12
RequestType = PKCS10 
KeyUsage = 0xa0 

[EnhancedKeyUsageExtension] 

OID=1.3.6.1.5.5.7.3.1 

;-----------------------------------------------

 

now open a command-prompt (elevated rights) and issue the command:

cd \windows\temp
certreq -new c:\request.inf servername.csr

Upload  the newly created CSR file(s) to the Netscaler /nsconfig/ssl/ folder (via Manage Certificate > Upload)

5. Sign Domain Controller certificate.

Now Sign this CSR with the RootCA certificate created earlier via Create Certificate

  • Enter Certificate File name  = /nsconfig/ssl/servername.cer
  • Certificate Format = PEM
  • Certificate Type = SERVER
  • CSR File = /nsconfig/ssl/servername.csr
  • Key Format = PEM
  • Validity Period = 365 (max 3650)
  • Key Filename = /nsconfig/ssl/RootCA.key
  • CA Certificate File Name = /nsconfig/ssl/RootCA.cer
  • CA Certificate File format = PEM
  • CA Key File Name = /nsconfig/ssl/RootCA.key
  • CA Key File Format = PEM
  • PEM Passphrase = RootCA PEM Password
  • CA Serial File Number = /nsconfig/ssl/servername.serial

 6. Export RootCA as PFX

On Netscaler SSL Administration page click Export PKCS#12

  • PKCS12 File Name = /nsconfig/ssl/RootCA.pfx
  • Certificate File Name = /nsconfig/ssl/RootCA.cer
  • Key Filename = /nsconfig/ssl/RootCA.key
  • Export Password =  thisisanewpassword
  • PEM Passphrase = RootCA PEM Password

7. Import RootCA Certificate on Domain Controllers

Download the PFX file to C:\windows\temp on your domain controller and import it to the Trusted Root part of the Machine Certificate Store. When importing select “mark this key as exportable” repeat this step on all your Domain Controllers.

8. Import Server Certificate

Download the servername.cer file from the Netscaler to the domaincontroller c:\windows\temp, open command-prompt with elevated rights and issue command(s)

cd \windows\temp
certreq -accept servername.cer

Test your secure ldap with ldp.exe, select connect and enter the servername on which you just imported the certificates. Use port 636, and check the SSL option.

 

9. Configure Authentication Server object on Netscaler

  • Login to Netscaler Administration Console.
  • Browse to NetScaler > System > Authentication > LDAP and in the right pane click Servers and then Add.

Enter required information make sure to use these settings to enable secure LDAP connections:

  • Security Type: SSL
  • Port: 636
  • DO NOT enable “Validate LDAP Server Certificate”
  • Allow Password Change: Enabled

Bind this new server object to a Authentication Policy.

10. Configure Access Gateway vServer on the Netscaler

Open your Access Gateway vServer:

  • Bind Root Certificate as to CA Certificates
  • Bind the secure LDAP Autentication Policy to the vServer.
  • Enable “Client Authentication” in “SSL Parameters

 

All is done, now test it and hopefully this works for you too.

 

Sources

Microsoft KB321051

 

3 Comments to “HOW TO: Netscaler 10.5 – Change Password / Secure LDAP configuration”

  1. YouKnowMe 26 November 2014 at 09:51 #

    Dit moet ik dus ook gaan veranderen, komen er ook net achter dat dit nu niet lukt. Dus alvast bedankt!! 😉

  2. dennis 26 June 2015 at 12:31 #

    Perfect artikel, heeft me goed geholpen!! dank hier voor !

  3. mark 8 October 2015 at 15:37 #

    de ldap policy moet gemaakt worden op fqdn, bij mij werkte het anders niet. misschien goed om nog even specifiek te vermelden. op zich zelf wel logisch natuurlijk 😀


Leave a Reply