A growing number of customers use a single NetScaler Gateway virtual server to reach XenApp/XenDesktop/XenMobile delivery controllers that live in several domains of the corporate network. One reason is that StoreFront, unlike Web Interface, requires domain membership, so when you use Single Sign-On with NetScaler Gateway you need to know which StoreFront cluster to send a user to after they have authenticated successfully at NetScaler.

NetScaler 10.1 adds group extraction, which can map the outcome of authentication to session policies (see https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/Citrix%20NetScaler%2010.1%20Release%20notes.pdf). For using multiple authentication policies on a single NetScaler Gateway vServer, however, there are currently two approaches.

1) Cascade multiple policies (all with the expression “ns_true”)
When a user logs on, the user name and password are tried against each policy in priority order until one succeeds. If all of them fail, access is denied. This works, but it is not ideal: with a larger number of Active Directory domains the logon gets slower, because every domain may have to be tried in turn, and the number of failed authentication requests recorded on the non-matching domain controllers grows.

2) Use a domain dropdown field as described in http://support.citrix.com/article/CTX118657
Most customers dislike this option because the dropdown confuses users and it exposes your internal domain names to the public.

JavaScript and Citrix Consulting to the rescue!

If you can get your users to log on to NetScaler Gateway with their User Principal Name (UPN, user@domain.com) or with their sAMAccountName prefixed by the domain (domain\user), you can use JavaScript to extract the domain part, store it in a cookie and select an authentication policy based on the cookie value.

So, here we go:

Look for the following code in the /netscaler/ns_gui/vpn/index.html:

Insert the following code right below it (this also works when the user enters “domain\username”):

Then add the function to the “onsubmit” attribute of the login form:

And lastly, use an expression that checks for the cookie value in your authentication policies (REQ.HTTP.HEADER Cookie CONTAINS “domain.com”). Keep in mind that CONTAINS is a substring match over the whole Cookie header: “domain.com” would also match “mydomain.com” or “sub.domain.com”, so make the patterns specific enough to tell your domains apart. The cookie is set by the browser and can be chosen freely by the client; it only decides which policy is evaluated, and the user name and password are still verified against that domain.
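The following is an added example of the client-side part of this customization, written for this article and not the code from the original post or from the NetScaler index.html. It extracts the domain from either login format, maps a NetBIOS short name to its DNS name so that “CORP\user” and “user@corp.example.com” produce the same cookie value, and writes a session cookie from the form’s onsubmit handler. The cookie name “nsdomain”, the user name field name “login” and the NETBIOS_TO_DNS table are assumptions and must be adapted to your login page and domains.

```javascript
// Added example (not the original post's code): extract the domain part of a
// NetScaler Gateway login name and store it in a cookie that the
// authentication policies can test.  The pure functions run in any JavaScript
// engine; setDomainCookie() touches document.cookie only when it exists.
// Assumptions: cookie name "nsdomain" and user name field "login" are
// hypothetical and must be matched to your index.html.

var DOMAIN_COOKIE_NAME = 'nsdomain';   // assumed cookie name
var USERNAME_FIELD_NAME = 'login';     // assumed name of the user name <input>

// Constructed NetBIOS -> DNS mapping so that "CORP\user" and
// "user@corp.example.com" yield the same cookie value.  Replace with your own.
var NETBIOS_TO_DNS = { corp: 'corp.example.com', lab: 'lab.example.net' };

// Returns the domain part of "user@domain" or "DOMAIN\user", lower-cased,
// or '' when the login name carries no domain at all ("user", "user@", "\user").
function extractDomain(loginName) {
  var name = String(loginName || '').trim();
  var at = name.indexOf('@');
  if (at > 0 && at < name.length - 1) {
    return name.slice(at + 1).toLowerCase();        // UPN form
  }
  var slash = name.indexOf('\\');
  if (slash > 0 && slash < name.length - 1) {
    return name.slice(0, slash).toLowerCase();      // down-level (domain\user) form
  }
  return '';
}

// Maps a NetBIOS short name to its DNS name when the table knows it;
// anything containing a dot is treated as a DNS name and passed through.
function normalizeDomain(domain) {
  if (!domain) return '';
  if (domain.indexOf('.') === -1 && NETBIOS_TO_DNS.hasOwnProperty(domain)) {
    return NETBIOS_TO_DNS[domain];
  }
  return domain;
}

// Builds the string written to document.cookie: a session cookie (no Expires),
// path=/ so the login request carries it, Secure so it is sent over TLS only.
// encodeURIComponent keeps ';' and '=' out of the value.
function buildDomainCookie(domain) {
  return DOMAIN_COOKIE_NAME + '=' + encodeURIComponent(domain) + '; path=/; secure';
}

// onsubmit handler, e.g. <form ... onsubmit="return setDomainCookie(this)">
function setDomainCookie(form) {
  var field = form.elements[USERNAME_FIELD_NAME];
  var domain = normalizeDomain(extractDomain(field ? field.value : ''));
  if (typeof document !== 'undefined') {
    if (domain) {
      document.cookie = buildDomainCookie(domain);
    } else {
      // No domain entered: expire any stale cookie from an earlier attempt.
      document.cookie = DOMAIN_COOKIE_NAME + '=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
    }
  }
  return true;   // never block the submit; a missing cookie simply matches no policy
}
```

With this cookie the policy expression can test name and value together (for example a pattern of the form “nsdomain=corp.example.com” rather than the bare domain), which avoids accidental substring matches against other cookies. A user who types a bare user name sets no cookie and therefore matches none of the domain-specific policies; if you want those users to still get a chance, keep one “ns_true” policy with the lowest priority as a catch-all.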

This customization is NOT officially supported by Citrix. Before contacting Citrix Support about an issue with NetScaler Gateway, revert the changes by reinstating the backup copies of the files altered above.

In other words, our usual disclaimer applies:

This code is provided to you “as is” with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.