How to minimise the rights given to the Active Directory service account used by the LDAP policies on Netscaler for OTP configuration? When setting up Citrix native OTP on Netscaler, the "regular" service account needs more than browsing the AD: it needs to write the attribute userParameters on every user's AD account to store information about their enrolled device(s).
To grant this service account the right to read and write this attribute only, here are the few steps to follow to make the proper delegation:
In the Active Directory Users and Computers console:
Right click on the OU containing the users that will authenticate using Netscaler native OTP and choose Delegate Control.
Then follow the wizard by clicking on Next.
Click on Add, choose the service account configured in your LDAP policies and click on Next.
Choose Create a custom task to delegate and click on Next.
Check the User objects box and click on Next.
Check the General and Property-specific boxes and scroll down until you reach the userParameters permissions; check both the read and write userParameters boxes.
Now click on Finish, and you are done.
Note that you need to repeat this delegation process if your users are split across different OUs at the same level in the Active Directory.
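The same delegation can be scripted, which is handy when it has to be repeated on several OUs and when you want to verify afterwards that the account holds nothing more than read/write on that single attribute. This is an added example, not from the original post: the OU distinguished name and the service account name are placeholders, and it requires the ActiveDirectory PowerShell module (which also provides the AD: drive used by Get-Acl/Set-Acl).

```powershell
# Added example: delegate read/write of the userParameters attribute on user objects
# in one OU to the Netscaler LDAP service account, then show the resulting ACEs.
# Run once per OU that contains OTP users. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$OU             = 'OU=OTPUsers,DC=example,DC=com'   # placeholder: OU holding the OTP users
$ServiceAccount = 'EXAMPLE\svc-netscaler-ldap'      # placeholder: account used in the LDAP policy

# Resolve the schemaIDGUIDs of the userParameters attribute and the user object class
# from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$attrGuid  = Get-SchemaGuid 'userParameters'
$classGuid = Get-SchemaGuid 'user'

$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# One ACE: ReadProperty + WriteProperty, limited to the userParameters attribute,
# applied to descendant user objects only (not to the OU itself, not to other classes).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid
)

$acl = Get-Acl -Path "AD:\$OU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verification: every ACE the service account holds on this OU. For a least-privilege
# delegation you expect a single explicit entry whose ObjectType is $attrGuid and whose
# InheritedObjectType is $classGuid; anything broader deserves a second look.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Running only the verification part against an account delegated through the wizard is a quick way to confirm that the GUI delegation produced the same narrow ACE and nothing else.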