Citrix NetScaler Gateway: How to log on to different domains


A real-world problem: My customer had a gateway that could log on to two different domains (Domain1 and Domain2). For each domain, there was a Citrix Virtual Apps and Desktops (CVAD) environment. If you log on to Domain1, then you should get connected to CVAD1, if you log on to Domain2, then to CVAD2. There was an additional problem: it was possible that the same user with the same password existed in both domains. Therefore, the logon dialog had to include domain selection.

This is a screenshot from my test environment:

Citrix NetScaler domain dropdown As you can see, the first question is which domain to log on to. Of course, there can be any number of domains in the list. The next step is the actual authentication. Single-factor or multi-factor authentication can be used; of course, this can also be different for each domain.

What the Citrix NetScaler AAA nFactor flow looks like:

Citrix NetScaler N-Factor flow for domain dropdown As you can see, there is a first factor that shows a domain dropdown list. The next factor is a so-called decision block. As the name suggests, this is where the decision is made as to which domain to register to. From here it branches to the two domains ( and The two third-factors are then normal single-factor authentications. Of course, you could also use a two-factor authentication instead, but for the sake of simplicity, I did not use it in this test environment.


Before we start designing the Citrix NetScaler nFactor flow we need to create and test all the required authentication policies.
There is a problem with the two LDAP policies: we need to know later to which policy the user has logged in. It would be nice if we could determine this via group memberships, but this is often not possible. In fact, at my customer’s site, both domains shared the same group names. How should we then bind the session policies?
To solve this problem there are the so-called default authentication groups in each authentication policy. In the authentication policy, it is simply a text that is there. In NetScaler you have to create a local group with the same name as the default authentication group (case sensitive!). See here.

Citrix NetScaler ADC LDAP profile with default authentication groupIn Parallel, we have to create a group in Citrix NetScaler ADC with the exact same name. Go to Security → AAA-Application Traffic → Groups and create a new group:

Give this group a name.

AttentionAtention: The name of this groups must not correspond to any existing groups in any of these domains!

Creating the Citrix NetScaler nFactor flow

Go to Security → AAA-Application Traffic → nFactor Visualizer nFactor Flows. Click add.


Citrix NetScaler: Creating an nFactor FlowClick the plus sign in this first factor to create the factor.

Give this factor a name and click Create

A factor always consists of

  • a Schema, defining the layout of this factor. (Decision blocks don’t contain a schema)
  • one or more policies defining the behavior of this factor.

Click Add Schema.

Citrix NetScaler nFactor Flow: Create schemaGive this schema a name and click the pen icon next to noschema.

I think things get confusing from here. Si try to follow my guidelines as close as any possible.

Here you can see all the schemes you have already created (in many cases the list will be empty). Click on LoginSchema.

Now all the schema templates that Citrix has included with their NetScaler are displayed.

  1. Select the OnlyDomainDropdown scheme.
  2. Edit this schema, so it reflects your needs (i.e.: add your domain names)
  3. click select. Caution. Your scheme will be discarded if you do not press select!

Unfortunately, editing the domain list very often does not work. Schemas are XML files. They can be found in /nsconfig/loginschema. In most cases we will have no choice but to edit the XML file with an editor.
My XML file looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="">

The list of domains is in the <DisplayValues>section. Each DisplayValue  has a <Display> and a <Value> entry. Display is, what users can see, Value is what the Citrix NetScaler will see (and our respective policies).

In addition, there is a default value. It’s specified in the InitialSelection area. It defines a default domain. Unspecified means, no domain pre-selected. If I would like to pre-select the domain, I would remove the <DisplayValue><Display>select_a_domain</Display><Value>unspecified</Value></DisplayValue> part and add into the (red) InitialSelection tag.

You have now assigned a schema to your factor, now we need a policy. Click on Add Policy.

Citrix NetScaler nFactor Flow: Create noauth PolicyClick Add to create a new policy.

Citrix NetScaler nFactor Flow: Create noauth Policy
This policy is not to do anything. Therefore I named it “no_auth_policy”. It should, accordingly, be of type NO_AUTHN. The expression will be a simple true.

Citrix NetScaler nFactor Flow: Bind next factorWe are done with this first factor. Let’s have a look at it.

Above, in light blue, we see our scheme. Below that in white we see all the bound policies, in this case there is only one. Below the policy there is a blue plus sign to add more policies. The green plus sign next to that policy calls the next factor if that policy was processed successfully. The red plus calls a factor if this policy was not successful.
Of course, there does not need to be a next factor, either in case of success or failure. However, in our case, we need to create a next factor. This factor will be a so-called Decission Block. As the name suggests, these Decision Blocks make decisions, in our case it selects the next login dialog, depending on the domain we selected in the previous factor.

Click the green plus to create the next factor.

Citrix NetScaler nFactor: Create decision block
Give this next factor a name and select Decision Block
Citrix NetScaler nFactor: Create decision blockClick Create

Citrix NetScaler nFactor: Create decision blockThis new factor should now be connected to the first factor.

Click Add Policy.

We now need to create the policy that selects the logon dialog for the particular domain. So we need a separate policy for each of our domains.
These policies will again be of type NO_AUTHN. The expressions, however, will be a bit more complicated. We check if the name of the domain appears in the first 500 bytes of the HTTP requests. For example, the expression for a domain named norz would be HTTP.REQ.BODY(500).AFTER_STR("domain=").CONTAINS("norz")

Citrix NetScaler nFactor flow: select a domainCreate as many policies as needed.

Citrix NetScaler nFactor flow decision blockI created 2 of these policies, one for, and one for As you can see, both of them have a green plus sign to bind the next factor to it. These next factors are simple logon dialogues, either single-factor or two-factor. The complete setup will look like that:

Citrix NetScaler N-Factor flow for domain dropdownVitrix NetScaler Gateway Session Policies

The “trick” now is to bind the right session policies. If you log on to, different session policies should apply than if you log on to
This is surprisingly simple. For this purpose, we have created the “Default Authentication Group”.

So we create normal session policies like we always would, but the expression becomes not a simple HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver"), but HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && AAA.USER.GROUPS.CONTAINS("auth_grp_norz")

Select the right session policy in a Citrix NetScaler ADC nFactor flow deploymentThis && AAA.USER.GROUPS.CONTAINS("auth_grp_norz") looks into the groups the user belongs to. If HTTP.REQ.HEADER("User-Agent") contains Citrix-Receiver and the list of groups contains auth_grp_norz, then this policy applies. This is the policy for the Citrix Receiver.

The one for the browser would of course be HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT && AAA.USER.GROUPS.CONTAINS("auth_grp_norz")

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (

By Johannes Norz

Recent Posts

Recent Comments