Attempting to restrict access to Citrix ADC / NetScaler Gateway for a nested Domain Users group does not work

Problem

I was recently asked for help by a colleague who was setting up an LDAP search filter on a Citrix ADC / NetScaler Gateway so that only members of an Active Directory group could log into the published portal. The Citrix article that demonstrates the configuration is the following:

How to Restrict Access to NetScaler Gateway for only Members of one Active Directory Group
https://support.citrix.com/article/CTX111079

The article is very straightforward, and he wanted to use the configuration that allows for nested groups, as described here:

Nested Groups – By default, NetScaler will only search for usernames that are direct members of the Active Directory group. If you want to search nested groups, then add the Microsoft OID :1.2.840.113556.1.4.1941: to the LDAP Search Filter. The OID is inserted between memberOf and = as shown below:
memberOf:1.2.840.113556.1.4.1941:=CN=Citrix Remote,OU=Citrix,DC=corp,DC=local

So he proceeded to add 1.2.840.113556.1.4.1941 after memberOf, then added the Domain Users group to the Active Directory group he was going to use to restrict access.


He tested the configuration and found that it did not work. Reviewing the aaad.debug log shows that the correct group is being used in the filter (I will paste the full debug log at the bottom of this post):

/home/build/rs_130_36_15_RTM/usr.src/netscaler/aaad/ldap_common.c[1332]: ns_ldap_search 0-161: Searching for <<(| (objectClass=domainDNS) (& (sAMAccountName=tluk@contoso.com) (memberOf:1.2.840.113556.1.4.1941:=cn=ACL – Citrix Access,OU=Access Groups,OU=Groups,OU=contoso,DC=corp,DC=contoso,DC=com)))>> from base <<dc=corp,dc=contoso,dc=com>>

However, the test login with tluk@contoso.com, a member of the Domain Users group that was nested in the Citrix Access group, eventually fails with:

/home/build/rs_130_36_15_RTM/usr.src/netscaler/aaad/ldap_drv.c[509]: receive_ldap_user_search_event 0-161: User tluk@contoso.com not found on the LDAP server

Sat Oct 3 12:36:22 2020

Configuring nested group extraction as demonstrated in the following KB also does not work:

How to Configure LDAP Nested Group Extraction on NetScaler Gateway
https://support.citrix.com/article/CTX216282


Solution

The short answer is that nesting Domain Users inside the group the NetScaler uses to filter access will not work, because Domain Users is almost certainly the primary group of the affected users, and Active Directory does not list a user's primary group in the memberOf attribute. The primary group is recorded only as a RID in the user's primaryGroupID attribute, so neither the memberOf chain walked by the 1.2.840.113556.1.4.1941 matching rule nor the NetScaler's group extraction can see it; the chain from the user to the Citrix Access group never starts. The following is the explanation given by Citrix:

Active Directory Group Extraction Does Not Work on NetScaler
https://support.citrix.com/article/CTX135603

Problem Cause

The Active Directory group which was set as the primary group is not used for group extraction. All the other groups associated with the user account are extracted. This is not a bug or issue on a NetScaler appliance. This is as per Active Directory design. Active Directory does not return its primary group as a group; therefore the primary group cannot be extracted by a NetScaler appliance. This is true even if you make the Department group the primary group instead of Domain Users. In the search filter on the NetScaler LDAP search filter column you might have to modify the search rule as follows:
memberof=CN=domain users,dc=lab, dc=sumagee, dc=com

Because the primary group is dept only, the Domain Users group is extracted by the NetScaler appliance.
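To make the mechanism concrete, here is an added Python model (written for this post, not code from the original article or from Citrix) of how the memberOf:1.2.840.113556.1.4.1941 matching rule quoted above resolves the NetScaler search filter, and why a primary group nested in the target group is invisible to it. The directory objects, DNs and RIDs are constructed for the example; the real NetScaler filter also ORs in (objectClass=domainDNS), which the emulation omits. The last function reproduces the remediation the Citrix KB describes: once another group is made the primary group, Domain Users shows up in memberOf and the chain resolves.

```python
from collections import deque

# Constructed sample directory for this example; none of these objects are real.
# memberOf is the back-link AD maintains for a group's "member" attribute. A
# user's primary group is NOT a member link: it is stored only as a RID in the
# user's primaryGroupID attribute, so it never appears in memberOf.
DOMAIN_DN = "DC=corp,DC=contoso,DC=com"
ACL_DN = "CN=ACL - Citrix Access,OU=Access Groups,OU=Groups,OU=contoso," + DOMAIN_DN
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users," + DOMAIN_DN
VPN_DN = "CN=VPN Staff,OU=Groups,OU=contoso," + DOMAIN_DN
DEPT_DN = "CN=Department,OU=Groups,OU=contoso," + DOMAIN_DN
TLUK_DN = "CN=tluk,OU=Users,OU=contoso," + DOMAIN_DN
ASMITH_DN = "CN=asmith,OU=Users,OU=contoso," + DOMAIN_DN


def build_directory():
    """Return a fresh copy of the sample directory (set_primary_group mutates it)."""
    return {
        ACL_DN:          {"objectClass": "group", "rid": 1105, "memberOf": []},
        DOMAIN_USERS_DN: {"objectClass": "group", "rid": 513,  "memberOf": [ACL_DN]},
        VPN_DN:          {"objectClass": "group", "rid": 1106, "memberOf": [ACL_DN]},
        DEPT_DN:         {"objectClass": "group", "rid": 1107, "memberOf": []},
        # tluk's only route to the ACL group is Domain Users, his primary group
        TLUK_DN:   {"objectClass": "user", "sAMAccountName": "tluk",
                    "primaryGroupID": 513, "memberOf": []},
        # asmith's route is VPN Staff, an ordinary nested group
        ASMITH_DN: {"objectClass": "user", "sAMAccountName": "asmith",
                    "primaryGroupID": 513, "memberOf": [VPN_DN]},
    }


DIRECTORY = build_directory()


def in_chain(start_dn, target_dn, directory=DIRECTORY):
    """memberOf:1.2.840.113556.1.4.1941:=target_dn -- follow memberOf links
    transitively from start_dn. Like the AD matching rule, it reads only
    memberOf; primaryGroupID is never consulted."""
    seen, queue = set(), deque([start_dn])
    while queue:
        for group_dn in directory[queue.popleft()]["memberOf"]:
            if group_dn.lower() == target_dn.lower():
                return True
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return False


def gateway_search(sam_account_name, target_dn, directory=DIRECTORY):
    """Emulate (&(sAMAccountName=<user>)(memberOf:1.2.840.113556.1.4.1941:=<target>)).
    An empty result is the 'User ... not found on the LDAP server' case."""
    return [dn for dn, obj in directory.items()
            if obj["objectClass"] == "user"
            and obj["sAMAccountName"].lower() == sam_account_name.lower()
            and in_chain(dn, target_dn, directory)]


def primary_group_dn(user_dn, directory=DIRECTORY):
    """Resolve primaryGroupID (a RID) to the group's DN, as AD tools do."""
    rid = directory[user_dn]["primaryGroupID"]
    return next((dn for dn, obj in directory.items()
                 if obj["objectClass"] == "group" and obj["rid"] == rid), None)


def diagnose(user_dn, target_dn, directory=DIRECTORY):
    """'primary-group-only' is the trap: the user reaches the target group only
    through the primary group, which memberOf chaining cannot see."""
    if in_chain(user_dn, target_dn, directory):
        return "matched"
    pg = primary_group_dn(user_dn, directory)
    if pg and (pg.lower() == target_dn.lower() or in_chain(pg, target_dn, directory)):
        return "primary-group-only"
    return "not-a-member"


def set_primary_group(user_dn, new_primary_dn, directory=DIRECTORY):
    """Change the primary group the way AD does: the user must already be a
    direct member of the new group; afterwards the old primary group appears in
    memberOf and the new one is dropped from it. Returns the updated memberOf."""
    user = directory[user_dn]
    if new_primary_dn not in user["memberOf"]:
        raise ValueError("add the user to the new primary group first")
    old_primary = primary_group_dn(user_dn, directory)
    user["memberOf"] = [g for g in user["memberOf"] if g != new_primary_dn] + [old_primary]
    user["primaryGroupID"] = directory[new_primary_dn]["rid"]
    return list(user["memberOf"])


if __name__ == "__main__":
    for dn in (TLUK_DN, ASMITH_DN):
        print(DIRECTORY[dn]["sAMAccountName"], "->", diagnose(dn, ACL_DN))
    # Remediation from the Citrix KB: make Department the primary group so that
    # Domain Users becomes an ordinary memberOf entry and the chain resolves.
    d = build_directory()
    d[TLUK_DN]["memberOf"].append(DEPT_DN)
    set_primary_group(TLUK_DN, DEPT_DN, d)
    print("tluk after primary group change ->", diagnose(TLUK_DN, ACL_DN, d))
```

On a real domain the same check is Get-ADUser tluk -Properties memberOf,primaryGroupID: the group whose RID equals primaryGroupID (513 for Domain Users) will be absent from memberOf, and any group reachable only through it is invisible to the NetScaler filter. Moving users into a different primary group is rarely practical at scale, so the usual fix is to nest a group other than Domain Users, or to add members directly.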

It would be nice if this were noted in the original KB demonstrating the configuration, as it may not be obvious to administrators configuring the restriction. I hope this post helps anyone who encounters this scenario.