AAA-default settings changed with Citrix ADC (NetScaler) 13 built 41.20

Yesterday I upgraded to NetScaler 13 built 41.20. Everything worked fine. No problems. But out of a sudden, my Exchange deployment failed to authenticate (I did it following Julian Mooren’s outstanding deployment guide). I did some further investigation and found all my other AAA servers don’t authenticate, even though the outcome of authentication requests was positive. I always saw a message “Error: Not an privileged user”

Citrix changed AAA default settings


Authorization settings in NetScaler and Citrix ADC Versions up to 13 built 36.27

In versions up to 13 built 36.27, default authorization was set to allow (see screen shot)

Authorization settings from Citrix ADC 13 built 41.20

In general, I am fine with this. But it may break existing configurations. Don’t change it back to the old settings. Instead, create authorization policies.

Why is it OK to change settings?

To be honest, default authorization should not be set to allow. Good deployments (mine had been a bad one) will always authorize users and won’t go with default allow. Changing default to deny just follows Citrix best practices for NetScaler / Citrix ADC.

I don’t agree to changing defaults silently!


The solution to fix Citrix NetScaler ADC AAA

As mentioned above, the old defaults had been wrong. It was right, to change the defaults to deny. But we have to authorize users to connect. To do so, we have authorization policies.


add authorization policy auth_allow_all true ALLOW

This policy could get bound, either to a user, a group, or (not recommanded, but quick and dirty) a vServer.


I hope that helps by a little bit! I would like to see your feedback

Leave a Reply

Your email address will not be published. Required fields are marked *