Which NetScaler utility should you use to troubleshoot by diagnosing authentication issues when bypassing NetScaler works?

When diagnosing authentication problems on NetScaler, you want direct visibility into how the authentication flow is processed. The aaad.debug tool attaches to the Authentication, Authorization, and Accounting daemon and prints a detailed trace of each authentication attempt. It shows which authentication method and policy are chosen, which identity store is contacted (LDAP, RADIUS, SAML, etc.), the credentials or tokens being evaluated, and the exact error returned by the backend or policy. This level of detail lets you pinpoint where the failure occurs—whether NetScaler can’t reach the LDAP server, a bind fails, a group or attribute mismatch, or a policy condition blocks access—especially when bypassing NetScaler makes the resource work, indicating the issue lies in NetScaler’s authentication path rather than the resource itself. Other tools provide useful information, but they aren’t as focused on the authentication sequence: the dashboard offers a broad view, nscon is a management/connection tool, and nslog is general logging; aaad.debug gives targeted, actionable insight into the authentication process.