Monday, July 27, 2015

Login exceeds maximum allowed users - NetScaler

Error: Login exceeds maximum allowed users

When a user tries to log on to NetScaler Access Gateway, they may receive the message “login exceeds maximum allowed users” if the NetScaler Access Gateway VIP is configured for Smart Access mode.

Smart Access mode enables Access Gateway features such as EPA scans, which check endpoints for the presence of anti-virus software, files and many other items.

Each NetScaler comes with 5 universal licenses for you to use initially.

Issue:

You have not purchased any Smart Access licenses, so no more than 5 users can log in to Access Gateway.

Resolution:

Change the access mode from Smart Access mode to Basic mode.

In NetScaler 10.5, ICA Only is set to False; change it to True.

Edit the VPN Virtual Server and check ICA Only.

This changes ICA Only from False to True.

Wednesday, July 15, 2015

How to Configure Secure LDAP Authentication on a NetScaler Appliance

One of our clients wants me to change the NetScaler LDAP configuration from PLAINTEXT to SSL.

Background:

We don’t have an internal Certificate Authority.

By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA according to the guidelines in this article.

Installing a valid certificate on a domain controller permits the LDAP service to listen for, and automatically accept, SSL connections for LDAP.

Creating the certificate request

Any utility or application that creates a valid PKCS #10 request can be used to form the SSL certificate request. Use Certreq to form the request.

Certreq.exe requires a text instruction file to generate an appropriate X.509 certificate request for a domain controller. You can create this file by using your preferred ASCII text editor. Save the file as an .inf file to any folder on your hard drive.

To request a Server Authentication certificate that is suitable for LDAPS, follow these steps:

Create the .inf file. Following is an example .inf file that can be used to create the certificate request.

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; Note: 1024-bit RSA is no longer considered adequate; use 2048 or larger for new requests.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
Cut and paste the sample file into a new text file named Request.inf. Provide the fully qualified DNS name of the domain controller in the request.

My domain controller hostname is: ad.ctxdc.test.local

I created a Request.inf and saved it on C:\ of my domain controller.
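As an added example (not part of this post), the Python below lints a certreq .inf of the shape shown above before it is handed to certreq -new: it checks that the Subject carries the real DC FQDN rather than the <DC fqdn> placeholder and that the EKU is Server Authentication, and it flags the 1024-bit key and the exportable private key. SAMPLE_INF is a constructed, abridged copy of the request file with ad.ctxdc.test.local filled in.

```python
import configparser

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU, as in the .inf above
MIN_RSA_BITS = 2048                     # 1024-bit RSA is no longer considered adequate

# Constructed, abridged copy of the article's request.inf with the FQDN filled in.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=ad.ctxdc.test.local" ; FQDN of the DC
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
"""

def parse_inf(text):
    """certreq .inf files are INI-style with ';' comments, so configparser can read them."""
    cp = configparser.ConfigParser(comment_prefixes=(";",), inline_comment_prefixes=(";",),
                                   interpolation=None)
    cp.read_string(text)
    return cp

def lint_request_inf(text, expected_fqdn):
    """Return a list of findings; an empty list means the request is ready for certreq -new."""
    cp = parse_inf(text)
    req = cp["NewRequest"]
    findings = []
    subject = req.get("Subject", "").strip('"')
    if subject.lower() != ("CN=" + expected_fqdn).lower():
        findings.append("Subject %r does not name the DC: expected CN=%s" % (subject, expected_fqdn))
    if req.getint("KeyLength", 0) < MIN_RSA_BITS:
        findings.append("KeyLength %s is below %d bits" % (req.get("KeyLength"), MIN_RSA_BITS))
    if req.get("RequestType", "").upper() != "PKCS10":
        findings.append("RequestType must be PKCS10 for submission to a CA")
    if req.get("Exportable", "").upper() == "TRUE":
        findings.append("Exportable = TRUE allows the DC's private key to be exported; prefer FALSE")
    ekus = cp["EnhancedKeyUsageExtension"].get("OID", "") if cp.has_section("EnhancedKeyUsageExtension") else ""
    if SERVER_AUTH_OID not in ekus:
        findings.append("EKU lacks Server Authentication (%s); LDAPS will not use the cert" % SERVER_AUTH_OID)
    return findings
```

Run against the article's values it reports the key length and the exportable key; fix those two lines and it returns an empty list.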

Create the request file. To do this, type the following command at the command prompt, and then press ENTER:

certreq -new request.inf request.req

A new file called Request.req is created. This is the base64-encoded request file.

Submit the request to a CA. You can submit the request to a Microsoft CA or to a third-party CA.

My friend has a Microsoft CA installed.

I send my file to him and ask him to create a certificate for me, or we can ask a third party to create a certificate for me.

Steps to request and download the certificate:

Open the web page on the CA server to request a certificate.

Click on Request a certificate.

Click Advanced certificate request.

Click on

Paste the saved request and select "webserver" as the certificate template.

Click Submit.

Select Base 64 encoded and click on Download Certificate.

Retrieve the certificate that is issued, and then save the certificate as Certnew.cer in the same folder as the request file.

Accept the issued certificate. To do this, type the following command at the command prompt, and then press ENTER:

certreq -accept certnew.cer

Verify that the certificate is installed in the computer's Personal store. To do this, follow these steps:
  1. Start Microsoft Management Console (MMC).
  2. Add the Certificates snap-in that manages certificates on the local computer.
  3. Expand Certificates (Local Computer), expand Personal, and then expand Certificates.
A new certificate should exist in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name.

Download ldp.exe and verify that LDAP is accepting SSL connections.

Once it is accepting connections over SSL, change the NetScaler LDAP configuration from PLAINTEXT to SSL and click OK.
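As an added example (not part of this post), the Python below scripts the check that ldp.exe does by hand: a TLS connection to the domain controller on 636, with the returned certificate checked for the DC's name and validity period. The FQDN is the one used in this post; SAMPLE_CERT is a constructed dict shaped like the output of ssl.getpeercert(), with a placeholder issuer name.

```python
import socket
import ssl
import time

DC_FQDN = "ad.ctxdc.test.local"   # the domain controller used in the article
LDAPS_PORT = 636

# Constructed sample shaped like the dict ssl.getpeercert() returns for the DC's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", DC_FQDN),),),
    "issuer": ((("commonName", "EXAMPLE-MS-CA"),),),   # placeholder issuer name
    "subjectAltName": (("DNS", DC_FQDN),),
    "notBefore": "Jul 15 00:00:00 2015 GMT",
    "notAfter": "Jul 14 23:59:59 2017 GMT",
}

def probe_ldaps(host, port=LDAPS_PORT, timeout=5.0):
    """TLS-connect to the LDAPS port and return the peer certificate dict.
    A default context validates the chain during the handshake, so an issuing CA
    that the client does not trust surfaces here as ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def names_in_cert(cert):
    """DNS SANs, falling back to the CN for a CN-only certificate like the one request.inf produces."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def evaluate_ldaps_cert(cert, expected_fqdn, now=None):
    """Return findings for a getpeercert()-style dict; [] means it suits the LDAPS listener."""
    now = time.time() if now is None else now
    findings = []
    if expected_fqdn.lower() not in [n.lower() for n in names_in_cert(cert)]:
        findings.append("name mismatch: certificate is not for " + expected_fqdn)
    if "subjectAltName" not in cert:
        findings.append("no subjectAltName: CN-only certificates are rejected by many modern TLS clients")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired")
    return findings

if __name__ == "__main__":   # live check against the DC, same thing ldp.exe does by hand
    print(evaluate_ldaps_cert(probe_ldaps(DC_FQDN), DC_FQDN) or "LDAPS certificate OK")
```

If the CA that signed the DC certificate is not trusted by the machine running this, the handshake fails before any findings are produced, which is the same trust gap the NetScaler will hit when it is switched to SSL.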