Configuring Cascading Authentication
Authentication allows you to create a cascade of multiple authentication servers using policy prioritization. When you configure a cascade, the system traverses each authentication server, as defined by the cascaded policies, to validate a user’s credentials. Prioritized authentication policies are cascaded in ascending order and can have priority values in the range of 1 to 9999. You define these priorities when binding your policies at either the global or the virtual server level.
When a user logs on, the authentication policies bound to the virtual server are checked first and then the global authentication policies are checked. If a user belongs to an authentication policy on both the virtual server and globally, the policy from the virtual server is applied first and then the global authentication policy. If you want users to receive the authentication policy that is bound globally, change the priority of the policy. When a global authentication policy has a priority number of one and an authentication policy bound to a virtual server has a priority number of two, the global authentication policy takes precedence. For example, you could have three authentication policies bound to the virtual server and you can set the priority of each policy.
If a user fails to authenticate against a policy in the primary cascade, or if that user succeeds in authenticating against a policy in the primary cascade but fails to authenticate against a policy in the secondary cascade, the authentication process stops and the user is redirected to an error page.
Note: Citrix recommends that when you bind multiple policies to a virtual server or globally, you define unique priorities for all authentication policies.
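The following Python sketch is an added example, not Citrix code. It audits a list of policy bindings against the rules described above: it flags priorities outside 1 to 9999, flags priorities shared by more than one policy, and lists the resulting cascade order. The tuple format and policy names are hypothetical, and the tie-break (virtual server before global when priorities are equal) is an assumption drawn from the statement that the virtual server is checked first.

```python
from collections import defaultdict

PRIORITY_MIN, PRIORITY_MAX = 1, 9999  # range stated on this page

# Constructed sample bindings: (policy name, bind point, cascade, priority).
# Policy names are hypothetical.
SAMPLE_BINDINGS = [
    ("pol_ldap_corp", "vserver", "primary", 2),
    ("pol_radius_otp", "vserver", "secondary", 10),
    ("pol_ldap_partner", "global", "primary", 1),
    ("pol_local_fallback", "global", "primary", 2),  # shares priority 2
    ("pol_cert", "vserver", "primary", 10000),       # out of range
]


def audit_bindings(bindings):
    """Return (order, findings) for a list of binding tuples.

    order:    cascade name -> policy names in modeled evaluation order
    findings: human-readable problems (range violations, shared priorities)
    """
    findings = []
    by_cascade = defaultdict(list)
    for name, bind_point, cascade, priority in bindings:
        if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
            findings.append(
                f"{name}: priority {priority} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
            continue
        by_cascade[cascade].append((priority, bind_point, name))

    order = {}
    for cascade, entries in by_cascade.items():
        # Ascending priority; on a tie the virtual server binding sorts first
        # (assumption, see lead-in).
        entries.sort(key=lambda e: (e[0], e[1] != "vserver"))
        order[cascade] = [name for _, _, name in entries]
        shared = defaultdict(list)
        for priority, _, name in entries:
            shared[priority].append(name)
        for priority, names in shared.items():
            if len(names) > 1:
                findings.append(
                    f"{cascade}: priority {priority} shared by {', '.join(names)}")
    return order, findings


if __name__ == "__main__":
    cascade_order, problems = audit_bindings(SAMPLE_BINDINGS)
    for cascade, names in cascade_order.items():
        print(cascade, "->", " -> ".join(names))
    for problem in problems:
        print("FINDING:", problem)
```

In the sample, the global policy with priority 1 is listed ahead of the virtual server policy with priority 2, matching the precedence example above.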
To set the priority for global authentication policies
- In the configuration utility, on the Configuration tab, expand NetScaler Gateway > Policies > Authentication.
- Select the policy that is bound globally and then in Action, click Global Bindings.
- In the Bind/Unbind Authentication Global Polices dialog box, under Priority, type the number and then click OK.
To change the priority for an authentication policy bound to a virtual server
You can also modify an authentication policy that is bound to a virtual server.
- In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
- In the details pane, select a virtual server and then click Open.
- Click the Authentication tab and then click either Primary or Secondary.
- Next to the authentication policy, under Priority, type the number and then click OK.