Skip to content

authenticationvserver

Configuration for authentication virtual server resource.

Properties

(click to see Operations )

Name Data Type Permissions Description
name <String> Read-write Name for the new authentication virtual server.

Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Can be changed after the authentication virtual server is added by using the rename authentication vserver command.



The following requirement applies only to the Citrix ADC CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my authentication policy" or 'my authentication policy').

Minimum length = 1
servicetype <String> Read-write Protocol type of the authentication virtual server. Always SSL.

Default value: SSL

Possible values = SSL
ipv46 <String> Read-write IP address of the authentication virtual server, if a single IP address is assigned to the virtual server.

Minimum length = 1
range <Double> Read-write If you are creating a series of virtual servers with a range of IP addresses assigned to them, the length of the range.

The new range of authentication virtual servers will have IP addresses consecutively numbered, starting with the primary address specified with the IP Address parameter.

Default value: 1

Minimum value = 1
port <Integer> Read-write TCP port on which the virtual server accepts connections.

Range 1 - 65535

* in CLI is represented as 65535 in NITRO API
state <String> Read-write Initial state of the new virtual server.

Default value: ENABLED

Possible values = ENABLED, DISABLED
authentication <String> Read-write Require users to be authenticated before sending traffic through this virtual server.

Default value: ON

Possible values = ON, OFF
authenticationdomain <String> Read-write The domain of the authentication cookie set by Authentication vserver.

Minimum length = 3

Maximum length = 252
comment <String> Read-write Any comments associated with this virtual server.
td <Double> Read-write Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.

Minimum value = 0

Maximum value = 4094
appflowlog <String> Read-write Log AppFlow flow information.

Default value: ENABLED

Possible values = ENABLED, DISABLED
maxloginattempts <Double> Read-write Maximum Number of login Attempts.

Minimum value = 1

Maximum value = 255
failedlogintimeout <Double> Read-write Number of minutes an account will be locked if user exceeds maximum permissible attempts.

Minimum value = 1
certkeynames <String> Read-write Name of the certificate key that was bound to the corresponding SSL virtual server as the Certificate Authority for the device certificate.

Minimum length = 1

Maximum length = 127
samesite <String> Read-write SameSite attribute value for Cookies generated in AAATM context. This attribute value will be appended only for the cookies which are specified in the builtin patset ns_cookies_samesite.

Possible values = None, LAX, STRICT
newname <String> Read-write New name of the authentication virtual server.

Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters.



The following requirement applies only to the Citrix ADC CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, 'my authentication policy' or "my authentication policy").

Minimum length = 1
ip <String> Read-only The Virtual IP address of the authentication vserver.
value <String> Read-only Indicates whether or not the certificate is bound or if SSL offload is disabled.

Possible values = Certkey not bound, SSL feature disabled
type <String> Read-only The type of Virtual Server, e.g. CONTENT based or ADDRESS based.

Possible values = CONTENT, ADDRESS
curstate <String> Read-only The current state of the Virtual server, e.g. UP, DOWN, BUSY, etc.

Possible values = UP, DOWN, UNKNOWN, BUSY, OUT OF SERVICE, GOING OUT OF SERVICE, DOWN WHEN GOING OUT OF SERVICE, NS_EMPTY_STR, Unknown, DISABLED
status <Integer> Read-only Whether or not this vserver responds to ARPs and whether or not round-robin selection is temporarily in effect.
cachetype <String> Read-only Virtual server's cache type. The options are: TRANSPARENT, REVERSE and FORWARD.

Possible values = TRANSPARENT, REVERSE, FORWARD
redirect <String> Read-only The cache redirect policy.

The valid redirect policies are:

l. CACHE - Directs all requests to the cache.

2. POLICY - Applies cache redirection policy to determine whether the request should be directed to the cache or origin. This is the default setting.

3. ORIGIN - Directs all requests to the origin server.

Possible values = CACHE, POLICY, ORIGIN
precedence <String> Read-only This argument is used only when configuring content switching on the specified virtual server. This is applicable only

if both the URL and RULE-based policies have been configured on the same virtual server.

It specifies the type of policy (URL or RULE) that takes precedence on the content switching virtual server. The default setting is RULE.

l URL - In this case, the incoming request is matched against the URL-based policies before the rule-based policies.

l RULE - In this case, the incoming request is matched against the rule-based policies before the URL-based policies.

For all URL-based policies, the precedence hierarchy is:

1. Domain and exact URL

2. Domain, prefix and suffix

3. Domain and suffix

4. Domain and prefix

5. Domain only

6. Exact URL

7. Prefix and suffix

8. Suffix only

9. Prefix only

10. Default.

Possible values = RULE, URL
redirecturl <String> Read-only The URL where traffic is redirected if the virtual server in system becomes unavailable. WARNING! Make sure that the domain you specify in the URL does not match the domain specified in the -d domainName argument of the ###add cs policy### command. If the same domain is specified in both arguments, the request will be continuously redirected to the same unavailable virtual server in the system. If so, the user may not get the requested content.
curaaausers <Double> Read-only The number of current users logged in to this vserver.
policy <String> Read-only The name of the policy, if any, bound to the authentication vserver.
servicename <String> Read-only The name of the service, if any, to which the vserver policy is bound.
weight <Double> Read-only Weight for this service, if any. This weight is used when the system performs load balancing, giving greater priority to a specific service. It is useful when the services bound to a virtual server are of different capacity.
cachevserver <String> Read-only The name of the default target cache virtual server, if any, to which requests are redirected.
backupvserver <String> Read-only The name of the backup vpn virtual server for this vpn virtual server.
clttimeout <Double> Read-only The idle time, if any, in seconds after which the client connection is terminated.
somethod <String> Read-only VPN client applications are allocated from a block of Intranet IP addresses.

That block may be exhausted after a certain number of connections. This switch specifies the

method used to determine whether or not a new connection will spillover, or exhaust, the allocated block of

Intranet IP addresses for that application. Possible values are CONNECTION or DYNAMICCONNECTION.

CONNECTION means that a static integer value is the hard limit for the spillover threshold. The spillover

threshold is described below. DYNAMICCONNECTION means that the spillover threshold is set according to

the maximum number of connections defined for the vpn vserver.

Possible values = CONNECTION, DYNAMICCONNECTION, BANDWIDTH, HEALTH, NONE
sothreshold <Double> Read-only VPN client applications are allocated from a block of Intranet IP addresses.

That block may be exhausted after a certain number of connections.

The value of this option is number of client connections after which the Mapped IP address is used

as the client source IP address instead of an address from the allocated block of Intranet IP addresses.
sopersistence <String> Read-only Whether or not cookie-based site persistance is enabled for this VPN vserver. Possible values are 'ConnectionProxy', HTTPRedirect, or NONE.

Possible values = ENABLED, DISABLED
sopersistencetimeout <Double> Read-only The timeout, if any, for cookie-based site persistance of this VPN vserver.
priority <Double> Read-only The priority, if any, of the vpn vserver policy.
downstateflush <String> Read-only Perform delayed clean up of connections on this vserver.

Possible values = ENABLED, DISABLED
bindpoint <String> Read-only Bindpoint to which the policy is bound.

Possible values = REQUEST, RESPONSE, ICA_REQUEST, OTHERTCP_REQUEST
disableprimaryondown <String> Read-only Tells whether traffic will continue reaching backup vservers even after primary comes UP from DOWN state.

Possible values = ENABLED, DISABLED
listenpolicy <String> Read-only Listenpolicy configured for authentication vserver.
listenpriority <Double> Read-only Priority of listen policy for authentication vserver.
tcpprofilename <String> Read-only The name of the TCP profile.
httpprofilename <String> Read-only Name of the HTTP profile.
vstype <Double> Read-only Virtual Server Type, e.g. Load Balancing, Content Switch, Cache Redirection.
ngname <String> Read-only Nodegroup devno to which this authentication vsever belongs to.
secondary <Boolean> Read-only Bind the authentication policy to the secondary chain.

Provides for multifactor authentication in which a user must authenticate via both a primary authentication method and, afterward, via a secondary authentication method.

Because user groups are aggregated across authentication systems, usernames must be the same on all authentication servers. Passwords can be different.
groupextraction <Boolean> Read-only Bind the Authentication policy to a tertiary chain which will be used only for group extraction. The user will not authenticate against this server, and this will only be called if primary and/or secondary authentication has succeeded.
__count <Double> Read-only count parameter

Operations

(click to see Properties )

  • ADD
  • DELETE
  • UPDATE
  • UNSET
  • ENABLE
  • DISABLE
  • GET (ALL)
  • GET
  • COUNT
  • RENAME

Some options that you can use for each operations:

  • Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the 'warning' query parameter as 'yes'. For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:

    http:// <netscaler-ip-address> /nitro/v1/config/login?warning=yes

    If any, the warnings are displayed in the response payload with the HTTP code '209 X-NITRO-WARNING'.

  • Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

    To do this, you must specify the username and password in the request header of the NITRO request as follows:

    X-NITRO-USER: <username>

    X-NITRO-PASS: <password>

    Note: In such cases, make sure that the request header DOES not include the following:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Note:

Mandatory parameters are marked in red and placeholder content is marked in green

add

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver

HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload:

{"authenticationvserver":{
<b>      "name":<String_value>,
</b><b>      "servicetype":<String_value>,
</b>      "ipv46":<String_value>,
      "range":<Double_value>,
      "port":<Integer_value>,
      "state":<String_value>,
      "authentication":<String_value>,
      "authenticationdomain":<String_value>,
      "comment":<String_value>,
      "td":<Double_value>,
      "appflowlog":<String_value>,
      "maxloginattempts":<Double_value>,
      "failedlogintimeout":<Double_value>,
      "certkeynames":<String_value>,
      "samesite":<String_value>
}}

Response:

HTTP Status Code on Success: 201 Created

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

delete

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver/ name_value<String>

HTTP Method: DELETE

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

update

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver

HTTP Method: PUT

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload:

{"authenticationvserver":{
<b>      "name":<String_value>,
</b>      "ipv46":<String_value>,
      "authentication":<String_value>,
      "authenticationdomain":<String_value>,
      "comment":<String_value>,
      "appflowlog":<String_value>,
      "maxloginattempts":<Double_value>,
      "failedlogintimeout":<Double_value>,
      "certkeynames":<String_value>,
      "samesite":<String_value>
}}

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

unset

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? action=unset

HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload:

{"authenticationvserver":{
<b>      "name":<String_value>,
</b>      "authenticationdomain":true,
      "maxloginattempts":true,
      "authentication":true,
      "comment":true,
      "appflowlog":true,
      "failedlogintimeout":true,
      "certkeynames":true,
      "samesite":true
}}

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

enable

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? action=enable

HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload:

{"authenticationvserver":{
<b>      "name":<String_value>
</b>}}

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

disable

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? action=disable

HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload:

{"authenticationvserver":{
<b>      "name":<String_value>
</b>}}

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

rename

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? action=rename

HTTP Method: POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Content-Type:application/json

Request Payload:

{"authenticationvserver":{
<b>      "name":<String_value>,
</b><b>      "newname":<String_value>
</b>}}

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

get (all)

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver

Query-parameters:

attrs

http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

filter

http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? filter=property-name1:property-val1,property-name2:property-val2

Use this query-parameter to get the filtered set of authenticationvserver resources configured on NetScaler.Filtering can be done on any of the properties of the resource.

view

http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? view=summary

Use this query-parameter to get the summary output of authenticationvserver resources configured on NetScaler.

Note: By default, the retrieved results are displayed in detail view (?view=detail).

pagination

http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? pagesize=#no;pageno=#no

Use this query-parameter to get the authenticationvserver resources in chunks.

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload:

{ "authenticationvserver": [ {
      "name":<String_value>,
      "ip":<String_value>,
      "td":<Double_value>,
      "ipv46":<String_value>,
      "value":<String_value>,
      "port":<Integer_value>,
      "range":<Double_value>,
      "servicetype":<String_value>,
      "type":<String_value>,
      "curstate":<String_value>,
      "status":<Integer_value>,
      "cachetype":<String_value>,
      "redirect":<String_value>,
      "precedence":<String_value>,
      "redirecturl":<String_value>,
      "authentication":<String_value>,
      "curaaausers":<Double_value>,
      "authenticationdomain":<String_value>,
      "policyname":<String_value>,
      "policy":<String_value>,
      "servicename":<String_value>,
      "weight":<Double_value>,
      "cachevserver":<String_value>,
      "backupvserver":<String_value>,
      "clttimeout":<Double_value>,
      "somethod":<String_value>,
      "sothreshold":<Double_value>,
      "sopersistence":<String_value>,
      "sopersistencetimeout":<Double_value>,
      "priority":<Double_value>,
      "downstateflush":<String_value>,
      "bindpoint":<String_value>,
      "disableprimaryondown":<String_value>,
      "listenpolicy":<String_value>,
      "listenpriority":<Double_value>,
      "tcpprofilename":<String_value>,
      "httpprofilename":<String_value>,
      "comment":<String_value>,
      "appflowlog":<String_value>,
      "vstype":<Double_value>,
      "ngname":<String_value>,
      "maxloginattempts":<Double_value>,
      "failedlogintimeout":<Double_value>,
      "secondary":<Boolean_value>,
      "groupextraction":<Boolean_value>,
      "certkeynames":<String_value>,
      "samesite":<String_value>
}]}

get

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver/ name_value<String>

Query-parameters:

attrs

http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver/ name_value<String> ? attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

view

http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver/ name_value<String> ? view=summary

Use this query-parameter to get the summary output of authenticationvserver resources configured on NetScaler.

Note: By default, the retrieved results are displayed in detail view (?view=detail).

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload:

{  "authenticationvserver": [ {
      "name":<String_value>,
      "ip":<String_value>,
      "td":<Double_value>,
      "ipv46":<String_value>,
      "value":<String_value>,
      "port":<Integer_value>,
      "range":<Double_value>,
      "servicetype":<String_value>,
      "type":<String_value>,
      "curstate":<String_value>,
      "status":<Integer_value>,
      "cachetype":<String_value>,
      "redirect":<String_value>,
      "precedence":<String_value>,
      "redirecturl":<String_value>,
      "authentication":<String_value>,
      "curaaausers":<Double_value>,
      "authenticationdomain":<String_value>,
      "policyname":<String_value>,
      "policy":<String_value>,
      "servicename":<String_value>,
      "weight":<Double_value>,
      "cachevserver":<String_value>,
      "backupvserver":<String_value>,
      "clttimeout":<Double_value>,
      "somethod":<String_value>,
      "sothreshold":<Double_value>,
      "sopersistence":<String_value>,
      "sopersistencetimeout":<Double_value>,
      "priority":<Double_value>,
      "downstateflush":<String_value>,
      "bindpoint":<String_value>,
      "disableprimaryondown":<String_value>,
      "listenpolicy":<String_value>,
      "listenpriority":<Double_value>,
      "tcpprofilename":<String_value>,
      "httpprofilename":<String_value>,
      "comment":<String_value>,
      "appflowlog":<String_value>,
      "vstype":<Double_value>,
      "ngname":<String_value>,
      "maxloginattempts":<Double_value>,
      "failedlogintimeout":<Double_value>,
      "secondary":<Boolean_value>,
      "groupextraction":<Boolean_value>,
      "certkeynames":<String_value>,
      "samesite":<String_value>
}]}

count

URL: http:// <netscaler-ip-address> /nitro/v1/config/authenticationvserver? count=yes

HTTP Method: GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

Accept:application/json

Response:

HTTP Status Code on Success: 200 OK

HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

Response Header:

Content-Type:application/json

Response Payload:

{ "authenticationvserver": [ { "__count": "#no"} ] }