Netscaler native OTP Active Directory account delegation

How to minimise the right given to the Active Directory service account used by the LDAP policies on Netscaler for OTP configuration ? When setting up Citrix native OTP in Netscaler the “regular” service account needs more than browsing the AD. It needs to write on every user AD account the attribute “userParameters” to store information about your enrolled device(s)

To enable this service account to read and write this attribute only here are the few steps to follow to make the proper delegation:

In the Active Directory Users and Computers console :

Right click on the OU where the users that will authenticate using Netscaler native OTP and chose Delegate Control

Then follow the wizard by clicking on Next

Click on Add and chose the service account configured in your LDAP policies and click on Next

Chose Create a custom task to delegate and click on Next

Check User objects box and click on Next

Check General and Property-specific boxes and scroll down until the userParameters permissions check both read and write.

Now click on Finish, this is done

Note you need to repeat this delegation process if your users are split across different OUs a the same level in the Active Directory.