
After User Password Expires User Cannot change password



I currently have an issue with users who cannot log in to the NetScaler Gateway due to a password expiration. If they attempt to log in they receive the message "Incorrect Credentials" and are not told that their password expired, nor can they change it.

If I attempt to log into the traditional web interface the user is prompted to change their password due to expiration.

How can I configure the netscaler gateway to allow the user to change their password once it has expired?

I am running netscaler vpx in front of StoreFront 2.0 on windows server 2008 R2.

Edited by: Keith Woznica on Nov 11, 2013 9:48 AM


If you check your LDAP server settings on your NetScaler Gateway appliances and scroll right down to the bottom of the settings page, you will see an option "Allow Password Change".

You need to be using LDAPs for this to work though.

----------

Shaun Ritchie
[www.shaunritchie.co.uk|www.shaunritchie.co.uk]
[Follow me on Twitter|www.twitter.com/shaunritchie_uk]


Shaun,

I checked the option for "Allow password change" and am now prompted to enter the new password. However, after entering the new password the login screen will not accept it. I then went back to the web interface and found that the old password was still the password in effect, because the web interface still forced me to change the password with the original password.
It seems that even though I changed the password from the NetScaler Gateway, the change was not passed along.
How can I enable the NetScaler Gateway to update the password change to LDAP?


Setting the "allow password change", and using LDAPS / TLS, will make NS send the changed password back to the LDAP server, which will then need the AD servers to propagate that change.

Of course, the Single SignOn happens pretty quickly after that, and if the XenApp server that authenticates the WI authenticates to a DIFFERENT AD server, the password change might not yet have propagated over......


Paul,

I changed the security type to TLS and then I don't even get prompted for a password change.

The AD server is in the same LAN as the WI and NetScaler, so I don't think propagation is an issue. When I change the security type back to PLAINTEXT I am prompted for a password. The test account I am attempting to log in as is not locked.

My LDAP settings are as follows.
Type = AD
Port = 389
Validate LDAP Server Certificate = NOT Checked
Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
Security Type = PLAINTEXT
Authentication = CHECKED
User Required = CHECKED
Allow Password Change = CHECKED

Is there anything you see in those settings which may be incorrect?


LDAPS doesn't use port 389, it uses 636.

And if you are using LDAPS you will need to have a certificate on your domain controller and the root cert on your NetScaler.

These might help you.

http://support.citrix.com/article/CTX133893

http://www.whitehatvirtual.com/blog/bid/310695/How-to-Implement-LDAPS-or-SSL-for-Netscaler-Authentications-to-AD

----------

Shaun Ritchie
[www.shaunritchie.co.uk|www.shaunritchie.co.uk]
[Follow me on Twitter|www.twitter.com/shaunritchie_uk]


Ok, I'll give this a try and see how it goes. Basically I will have to create a CA on a NON Domain Controller server. Then I need to export the certificate and bring it into NetScaler.

A couple of questions then regarding this.

1.) I don't see a place in netscaler vpx for configuring a service as described in CTX133893. Can someone point out where that applet is located?

2.) How come I never had to create a CA for the web interface to allow for passwords to change?

Thanks for the reply.


I built a new CA server in my domain but I'm getting stuck with it when I click on

New --> certificate template to issue --> the enable certificates template appears however I do not see Domain Controller Authentication as an option.

I do see Domain Controller Authentication when I have Certificate Templates selected in the left pane.

Why do I not see it when I click Certificate template to issue?


Is the CA server using AD CA services?  If so it will pull a cert and you can use TLS on 389 with change password.

I just installed the CA server Friday night and set it up to use AD CA services during Role selection. When I went to enable the Domain Controller Authentication I did not see the template listed. I am going through this procedure based on the below blog.

http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html?showComment=1384573788218#c6613197144137500570

Is there a way to add the template into the list of available templates to issue on the CA?


  • 7 months later...

Setting the "allow password change", and using LDAPS / TLS, will make NS send the changed password back to the LDAP server, which will then need the AD servers to propagate that change.

 

Of course, the Single SignOn happens pretty quickly after that, and if the XenApp server that authenticates the WI authenticates to a DIFFERENT AD server, the password change might not yet have propagated over......

 

Hi Paul,

 

We are seeing a similar issue to the one you describe as "slow propagation". Mostly it works fine. Rarely if ever an issue, but seemingly at times there is an increase in regularity.

 

We are load balancing 3 domain controllers using LDAPS/636. Upon a user's password needing to be changed via AG on the NetScaler 9.3.56.5.nc, the user changes the password. The change is successful, but they are not forwarded to the AG homepage as is usually the case, but sent back to the logon screen with the "red X" showing "invalid credentials". However, the old password no longer works and the new password gets them into the AG homepage upon subsequent logon.

 

I have run aaad.debug along with a packet capture and compared them to the AD logs. It seems there is a failed logon in the AD log after the password change, but the subsequent logon attempt shows a normal log response. I have had this ticket open for over a year here, but it happens so few and far between that I have not been able to capture enough info nor figure out a viable remedy. Likewise, LDAP does not return a detailed error message to the NS in aaad.debug, only a rather vague one.

 

Is there a timer value that can be increased on the NS after the password change so as to wait a little longer before trying to authenticate using the new password the user just entered?


  • 1 month later...

Hi Scott,

 

We are seeing a similar problem:

The change is successful, but they are not forwarded to the AG homepage as is usually the case, but sent back to the logon screen with the "red X" showing "invalid credentials". However, the old password no longer works and the new password gets them into the AG homepage upon subsequent logon.

Have you any news to this case?

 

Thank you in advance.


Password change through the NetScaler Gateway has always been a bit confusing. The requirements for password change are very clear:

- you must be using Secure LDAP 636 (note the global catalog port will not work)

- the "Allow Password Change" button must be selected in the LDAP profile

Assuming those requirements are met, the next thing to consider is that there are only two times users can change their password:

- when the password naturally expires

- when accounts are set to allow password change on first logon in Windows AD

This is really the part that can cause issues. The NetScaler is not a full LDAP server/agent, and if you have certain password requirements such as:

- must meet complexity requirements

- minimum password length

- password has been used in the last x # of months

the NetScaler isn't capable of telling the person trying to change their password that the reason it isn't working is because (for example) the password doesn't meet complexity requirements. If you were running an aaad.debug while watching the connection audit you would see that message, but it isn't passed to the person trying to log on.

 

The other issue is what I believe Paul Blitz was speaking of- sometimes the password change doesn't get synced as quickly as other applications and you may wind up seeing what Paul was talking about.
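The two requirements listed above (LDAPS on 636 rather than a global catalog port, and Allow Password Change enabled), together with the port 389 / PLAINTEXT profile posted earlier in the thread, can be checked mechanically. The following checker is an added example, not code from the thread or from Citrix; it assumes the NetScaler CLI form `add authentication ldapAction <name> -serverPort ... -secType ... -passwdChange ... -validateServerCert ...` and uses constructed sample lines.

```python
import shlex

# Global catalog ports: the thread notes password change will not work over these.
GC_PORTS = {3268, 3269}


def parse_ldap_action(line):
    """Parse one 'add authentication ldapAction <name> [-flag value ...]' line.

    The CLI parameter names are assumed from the NetScaler CLI; the returned
    dict maps each flag (without the dash) to its value.
    """
    tokens = shlex.split(line)
    if tokens[:3] != ["add", "authentication", "ldapAction"]:
        raise ValueError("not an ldapAction line")
    cfg = {"name": tokens[3]}
    i = 4
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            cfg[tokens[i][1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return cfg


def check_password_change(cfg):
    """Return findings that would stop password change (or weaken it); empty is good."""
    findings = []
    port = int(cfg.get("serverPort", "389"))
    sec = cfg.get("secType", "PLAINTEXT").upper()
    if cfg.get("passwdChange", "DISABLED").upper() != "ENABLED":
        findings.append("passwdChange not ENABLED (Allow Password Change unchecked)")
    if sec == "PLAINTEXT":
        findings.append("secType PLAINTEXT: password change requires SSL/TLS")
    if port in GC_PORTS:
        findings.append(f"port {port} is a global catalog port; use 636")
    if sec == "SSL" and port == 389:
        findings.append("secType SSL on port 389: LDAPS listens on 636")
    if cfg.get("validateServerCert", "NO").upper() != "YES":
        findings.append("validateServerCert NO: DC certificate is not verified")
    return findings


# Constructed samples: the profile posted in the thread, and a corrected one.
THREAD_PROFILE = ('add authentication ldapAction ldap_dc -serverIP 192.0.2.10 '
                  '-serverPort 389 -ldapBase "dc=example,dc=com" -ldapLoginName '
                  'samAccountName -groupAttrName memberOf -subAttributeName CN '
                  '-secType PLAINTEXT -passwdChange ENABLED')
FIXED_PROFILE = ('add authentication ldapAction ldap_dc -serverIP 192.0.2.10 '
                 '-serverPort 636 -secType SSL -validateServerCert YES '
                 '-passwdChange ENABLED')
```

Run `check_password_change(parse_ldap_action(THREAD_PROFILE))` to see the two findings (plaintext and unverified certificate); the corrected profile returns none.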


  • 1 month later...

Hello Brooks,

 

Your statements about missing capabilities in the NetScaler, to inform a user about what exactly went wrong when setting a new password, are still present and unsolved?

That means there's no workaround within NetScaler to inform a user about the correct password requirements?

So what to do? Tell him the exact requirements within a manual or run up to a training?

 

Thanks in advance,

 

Raphael


  • 2 months later...

Unfortunately, the LDAP on Netscaler *is* very limited.... and the ability to change password is rather restricted (and to be honest, it's about time Citrix improved things a bit!).... with no advice / enforcement of password complexity etc.

 

Which means you can get a situation where a user password expires, they enter an unsuitable new password, and they are then locked out!

 

Of course,  you could always modify the relevant login page to include some notes on what is required when choosing a new password.

@Scott: your description of the sequence sounds logical to me: the user attempts a login, is required to change the password, and then must use that new password to log in.


  • 2 months later...

The following should provide feedback for password complexity requirements. Tested with 10.5 firmware, and using the 'green bubble' theme.

 

set aaa parameter -enableStaticPageCaching NO

add rewrite action custom_aaa_change_password_failed_rwact1 replace_all "HTTP.RES.BODY(120000)" q{"<String id=\"errorMessageLabelMax\">4016</String>"} -pattern "<String id=\"errorMessageLabelMax\">4015</String>"
add rewrite action custom_aaa_change_password_failed_rwact2 insert_after_all "HTTP.RES.BODY(120000)" q{"<String id=\"errorMessageLabel4016\">Password change failed.  Please login again using your old password, then when prompted for a new password, ensure it meets the required complexity requirements.</String>"} -pattern "<String id=\"errorMessageLabel4015\">Your account is temporarily locked.  </String>"
add rewrite action custom_aaa_change_password_notification_rwact replace_all "HTTP.RES.BODY(120000)" "\"Password reset required.  Please enter a new password that is at least 8 characters in length, contains at least 1 number, contains at least 1 lowercase letter, contains at least 1 UPPER case letter, and is different than the previous 24 passwords\"" -pattern "Password Expired. Please enter a new password"

add rewrite policy custom_aaa_change_password_notification_rwpol "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/vpn/resources/en.xml\")" custom_aaa_change_password_notification_rwact
add rewrite policy custom_aaa_change_password_failed_rwpol1 "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/vpn/resources/en.xml\")" custom_aaa_change_password_failed_rwact1
add rewrite policy custom_aaa_change_password_failed_rwpol2 "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/vpn/resources/en.xml\")" custom_aaa_change_password_failed_rwact2

add rewrite policylabel custom_aaa_change_password_rwpollbl http_res

bind rewrite policylabel custom_aaa_change_password_rwpollbl custom_aaa_change_password_notification_rwpol 100 NEXT
bind rewrite policylabel custom_aaa_change_password_rwpollbl custom_aaa_change_password_failed_rwpol1 110 NEXT
bind rewrite policylabel custom_aaa_change_password_rwpollbl custom_aaa_change_password_failed_rwpol2 120 NEXT

bind rewrite global NOPOLICY 140 NEXT -type RES_OVERRIDE -invoke policylabel custom_aaa_change_password_rwpollbl

Reboot the NetScaler after running these commands, as the en.xml file is usually cached statically in memory.

 

Joe Marriott

 


  • 8 months later...
  • 1 year later...

Dear All,

 

Need help on a variation of this problem.

 

Some users cannot reset their password after their passwords have expired. They receive a different message after trying to reset the password:

"Cannot connect. Try connecting again." Screen shot attached.

 

Then, we reset the login with a temporary password that requires change upon next successful login.

 

The user logs in with the temporary password and enters the new password. Then the same error message, "Cannot connect. Try connecting again.", appears on the login web page.

 

The problem happens with Windows 10 and both IE11 and Edge browser. This environment is running NetScaler 10.5 with XenApp 6.0.

 

We troubleshot the problem with a PSO (Password Settings Object) on a specific test login. We confirmed the GPO resultant policy is applied correctly and cannot reproduce this issue with the test login.

 

Would there be any user-specific browser/computer settings and GPO on the user domain A that would prevent them from resetting the Citrix domain B password? Any insights are appreciated.

 

Regards,

 

Sunny

