User Certificate Authorization with Citrix NetScaler


Recently I implemented a Citrix NetScaler environment at a Dutch insurance company. This company uses Citrix NetScaler as a reverse proxy for various web-based applications. One of these applications uses publicly signed client (user) certificates. Based on the client certificate information a user gets a specific role assigned within the web app.

This web app traditionally required a client certificate to process the user's request for the web app content. This meant we were not able to apply SSL offloading with Citrix NetScaler, because the web app requires the real client certificate presented by the client (user). Unfortunately we had to create an SSL bridged virtual server to pass the client certificate through Citrix NetScaler.

We advised the web app developer to change the authorization from a client certificate to HTTP headers, into which Citrix NetScaler can insert the client certificate information.

Two weeks ago I got a call that the web app authorization process had been changed successfully. Time to get rid of that nasty SSL bridged traffic that Citrix NetScaler cannot inspect.


Here’s how:

SSL Server Certificate Offloading

First we created an SSL based virtual server to replace the SSL_BRIDGE virtual server:


batch Command:
add lb vserver VIP-WebApp-A SSL 443 -comment "VIP used for web app A; Including SSL offloading"

Next we bind an HTTP based service to the SSL based virtual server. This could be an SSL based service too, but hey, we want to show the power of SSL Offloading:


batch Command:
bind lb vserver VIP-WebApp-A svc-webapp-a

As you may have noticed, the virtual server is still marked as "down" because we haven't bound a server certificate yet; an SSL based virtual server stays down until a certificate-key pair is bound to it. Let's bind a server certificate:


batch Command:
bind ssl vserver VIP-WebApp-A -certkeyName WebApp-A-Server

We now have a regular SSL based virtual server online, with SSL offloading towards the web app server because the bound service is HTTP:



SSL Client Certificate Offloading:

Because the web app now expects the client certificate information in HTTP headers, we have to enable client (user) certificate authentication and create an SSL Policy that makes Citrix NetScaler put this information into the HTTP headers.

First we need to enable client certificate authentication on the SSL based virtual server:


batch Command:
set ssl vserver VIP-WebApp-A -clientAuth ENABLED -clientCert Mandatory

When browsing to the SSL based virtual server a user is now prompted which certificate to use for authentication:

Note that all client certificates available in the user's certificate store are shown.


The next step is to bind the CA certificate to the SSL based virtual server. This step is needed to validate the client (user) certificate against the root CA that signed it.


batch Command:
bind ssl vserver VIP-WebApp-A -certkeyName public-a-caroot -CA

When browsing to the SSL based virtual server a user is still prompted which certificate to use for authentication, however only the client (user) certificates signed by the root CA that is bound to our SSL based virtual server are shown:

After this step client (user) certificate authentication is enabled as well. Please note that this authentication now only takes place at the SSL based virtual server. After successful authentication the connection is forwarded to the web app server without any client certificate, so the web app server has to rely on Citrix NetScaler for the client's identity. That is why the next section forwards the certificate information in HTTP headers.


Forward client certificate information via HTTP header

To be able to authorize a user based on the client (user) certificate information, we want to forward this information from the SSL based virtual server to the web app server. This is where we can use SSL Policies.


First we create an SSL Action that specifies which information we want to forward to the web app server in the HTTP headers:


batch Command:
add ssl action SSL-Action-Forward-ClientCertInfo -clientCertSubject ENABLED -certSubjectHeader Client-Cert-Subject -clientCertIssuer ENABLED -certIssuerHeader Client-Cert-Issuer

Then we create an SSL Policy that specifies under what circumstances this SSL Action is fired:

Note that I used an expression that filters on a specific certificate issuer (root or intermediate CA). This is very important: it lets us control when to forward the offloaded client (user) certificate information to the web app server and when not to!

batch Command:
add ssl policy SSL-Policy-Forward-ClientCertInfo -rule "CLIENT.SSL.CLIENT_CERT.ISSUER.CONTAINS(\"Public A CA Root\")" -action SSL-Action-Forward-ClientCertInfo

Next we bind this SSL Policy to the SSL based virtual server:


batch Command:
bind ssl vserver VIP-WebApp-A -policyName SSL-Policy-Forward-ClientCertInfo -priority 1

Let's check on the web app server whether the HTTP headers are present. For this I used Wireshark:




With this configuration the web app developer is able to authorize a user based on the client certificate subject, or on parts of the subject such as the Common Name (CN) or emailAddress.

If the user authenticates with a client certificate that was signed by a Certificate Authority other than the one specified in the SSL Policy expression, we don't forward the client certificate information via HTTP headers. This means the authorization will fail and the developer can redirect the request to a landing or guest page. Two checks belong with this design: the web app should accept these headers only from Citrix NetScaler (for example by restricting the service to the NetScaler subnet IP), and you should verify, for instance with the same Wireshark capture, that a header with one of these names supplied by the client itself is not passed through unchanged to the web app server.
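As an added example (not code from the original post or from the web app in question), here is how the web app side can turn the two forwarded headers into a role, treat a missing header as "not authenticated" (the guest page case), and refuse the headers unless the request actually came from Citrix NetScaler. The header names and the issuer string are the ones configured above; the DN format, the NetScaler subnet IP 10.0.0.5 and the CN-to-role table are assumptions made for this example.

```python
# Added example, not code from the original post: backend-side authorization
# from the headers the NetScaler SSL action inserts. Header names and the
# issuer string follow the post; the DN format, the trusted proxy address and
# the role table are assumptions made for this example.
import ipaddress
import re
from typing import Optional

SUBJECT_HEADER = "client-cert-subject"   # -certSubjectHeader Client-Cert-Subject
ISSUER_HEADER = "client-cert-issuer"     # -certIssuerHeader Client-Cert-Issuer
TRUSTED_ISSUER = "Public A CA Root"      # same string as the SSL policy expression
# Assumption: the NetScaler reaches the web app from this subnet IP (SNIP).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
# Hypothetical role table keyed on the certificate Common Name.
ROLE_BY_CN = {"Jane Claims": "claims-handler", "Audit Team": "auditor"}


def parse_dn(dn: str) -> dict:
    """Parse a distinguished name into {attribute: value}.

    Accepts both 'C=NL,O=Insurer,CN=Jane Claims' and the OpenSSL one-line
    form '/C=NL/O=Insurer/CN=Jane Claims' (assumed formats; values are
    assumed not to contain unescaped ',' or '/').
    """
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else re.split(r"\s*,\s*", dn)
    attrs = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def authorize(headers: dict, peer_ip: str) -> tuple[Optional[str], str]:
    """Return (role, reason); role is None when the request belongs on the guest page.

    headers: request headers as received by the web app (any letter case).
    peer_ip: TCP peer address of the request; it must be the NetScaler,
             otherwise a client could have set the headers itself.
    """
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return None, "request did not come from the NetScaler"
    h = {k.lower(): v for k, v in headers.items()}
    subject, issuer = h.get(SUBJECT_HEADER), h.get(ISSUER_HEADER)
    if not subject or not issuer:
        # The SSL policy did not match (certificate from another CA), so the
        # NetScaler forwarded nothing: send the user to the guest page.
        return None, "no client certificate information forwarded"
    if TRUSTED_ISSUER not in issuer:
        # Defence in depth: the SSL policy should already filter on the issuer.
        return None, "issuer not trusted"
    cn = parse_dn(subject).get("CN")
    role = ROLE_BY_CN.get(cn or "")
    if role is None:
        return None, f"no role for CN {cn!r}"
    return role, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    ok = {"Client-Cert-Subject": "C=NL,O=Insurer,CN=Jane Claims,emailAddress=jane@example.com",
          "Client-Cert-Issuer": "C=NL,O=Public A,CN=Public A CA Root"}
    print(authorize(ok, "10.0.0.5"))          # ('claims-handler', 'ok')
    print(authorize({}, "10.0.0.5"))          # guest page: nothing forwarded
    print(authorize(ok, "198.51.100.7"))      # rejected: not from the NetScaler
```

The peer address check is the part that makes the header scheme safe to rely on: the headers only mean something when they were written by the NetScaler, so a request that reaches the web app by any other path is treated as anonymous regardless of what it carries.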



Last but not least, keep in mind to secure any SSL based virtual server; for more information on that topic check this blog post:

6 thoughts on "User Certificate Authorization with Citrix NetScaler"

  1. Reply EVess May 30, 2015 6:41 am

    Thank you so much for this example Anton, as it is something that I was looking for. Just a question though with the SSL Action. What is the purpose of presenting the ClientAuth option here? You already enabled ClientAuth on the front in the first part of your example.. what’s the purpose of showing that option in the SSL Actions?


    • Reply Anton van Pelt Jun 1, 2015 7:38 pm


      If I understand your question...

      First we enable client certificate authentication at the virtual server to require the user to present a certificate. With the SSL Policy / SSL Action we specify which HTTP headers from the certificate will be sent to the webserver.


  2. Reply Edgar Dockus Mar 31, 2016 2:51 pm

    Is it possible to accept the certificate without prompting the user to click on OK? Just thinking that if there is only one certificate signed by the particular CA, then it makes sense to use it for authentication by default. Is that even possible?

    • Reply Anton van Pelt Apr 4, 2016 9:20 pm


      Yes you can, this is a browser setting you can configure manually or via a GPO. With IE, for example, you configure the setting "Don't prompt for client certificate selection when only one certificate exists" within the Internet or Intranet zone security settings.


  3. Reply Doug Curtis May 3, 2016 8:25 pm

    Is it possible to allow or disallow client certificate authentication from certain IP addresses? I've tried creating an SSL policy but all it gives is an "ERR_SSL_PROTOCOL_ERROR" in Chrome when it matches an IP I've specified in a policy.


  4. Reply bnovak88 Aug 23, 2017 2:24 pm

    How do I set up redirection to an error page when the cancel button is pressed or no client cert was chosen on the Select Certificate prompt?

