Keith Woznica1709151649 Posted November 11, 2013
I currently have an issue with users who cannot log in to the NetScaler Gateway due to a password expiration. If they attempt to log in they receive the message "Incorrect Credentials" and are not told that their password has expired, nor can they change it. If I log into the traditional Web Interface, the user is prompted to change their password due to expiration. How can I configure the NetScaler Gateway to allow the user to change their password once it has expired? I am running NetScaler VPX in front of StoreFront 2.0 on Windows Server 2008 R2.
Shaun Ritchie Posted November 11, 2013
If you check your LDAP server settings on your NetScaler Gateway appliances and scroll right down to the bottom of the settings page, you will see an option "Allow Password Change". You need to be using LDAPS for this to work, though.
Shaun Ritchie, www.shaunritchie.co.uk (Twitter: www.twitter.com/shaunritchie_uk)
Keith Woznica1709151649 Posted November 11, 2013
Shaun, I checked the option for "Allow password change" and am now prompted to enter the new password. However, after entering the new password the login screen will not accept it. I then went back to the Web Interface and found that the old password was still the password in effect, because the Web Interface still forced me to change the password using the original password. It seems that even though I changed the password from the NetScaler Gateway, the change was not passed along. How can I enable the NetScaler Gateway to pass the password change along to LDAP?
Paul Blitz Posted November 14, 2013
Setting "allow password change" and using LDAPS / TLS will make the NS send the changed password back to the LDAP server, which will then need the AD servers to propagate that change. Of course, the Single Sign-On happens pretty quickly after that, and if the XenApp server that authenticates the WI authenticates to a DIFFERENT AD server, the password change might not yet have propagated over...
Keith Woznica1709151649 Posted November 14, 2013
Paul, I changed the security type to TLS and then I don't even get prompted for a password change. The AD server is in the same LAN as the WI and NetScaler, so I don't think propagation is an issue. When I change the security type back to PLAINTEXT I am prompted for a password. The test account I am attempting to log in as is not locked. My LDAP settings are as follows:
Type = AD
Port = 389
Validate LDAP Server Certificate = NOT Checked
Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
Security Type = PLAINTEXT
Authentication = CHECKED
User Required = CHECKED
Allow Password Change = CHECKED
Is there anything you see in those settings which may be incorrect?
Shaun Ritchie Posted November 14, 2013
LDAPS doesn't use port 389, it uses 636. And if you are using LDAPS you will need to have a certificate on your domain controller and the root cert on your NetScaler. These might help you:
http://support.citrix.com/article/CTX133893
http://www.whitehatvirtual.com/blog/bid/310695/How-to-Implement-LDAPS-or-SSL-for-Netscaler-Authentications-to-AD
Keith Woznica1709151649 Posted November 14, 2013
Shaun, just to get this to work, is LDAPS required? I'm in a proof of concept right now with the product, so I just need to make it function before I am concerned about security. Thanks for your input.
CarlStalhood Posted November 14, 2013
Encrypted LDAP is a Microsoft requirement for updating passwords in Active Directory: http://msdn.microsoft.com/en-us/library/windows/desktop/aa746487(v=vs.85).aspx. It's not specific to NetScaler.
Paul Blitz Posted November 15, 2013
And encrypted LDAP = either LDAPS on port 636, or LDAP with StartTLS on port 389. Obviously the AD server and the NetScaler need to use the same thing!
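The prerequisites laid out in the last few replies can be checked mechanically before anyone touches the appliance. The following is an added example written for this page, not NetScaler code and not from anyone in the thread: a small Python linter whose input dictionary mirrors the LDAP profile fields posted above, and whose rules are the ones stated in the replies (AD refuses password updates over unencrypted LDAP; LDAPS is 636 and StartTLS is 389; per a later reply in this thread, the global catalog ports do not support password change). The dictionary key names and severity labels are my own, and the two sample profiles are constructed from the settings posted above.

```python
"""Lint a NetScaler LDAP authentication action for the password-change
prerequisites discussed in this thread (added example; key names are
constructed for this example and mirror the GUI labels in the posts)."""

LDAP_PORT = 389          # plaintext LDAP, or LDAP with StartTLS
LDAPS_PORT = 636         # LDAP over SSL (LDAPS)
GC_PORTS = {3268, 3269}  # global catalog ports: read-only, no password change

# Settings exactly as posted in the thread (PLAINTEXT on 389).
POSTED_SETTINGS = {
    "port": 389,
    "security_type": "PLAINTEXT",
    "allow_password_change": True,
    "validate_server_cert": False,
}

# The same profile corrected to LDAPS with certificate validation.
FIXED_SETTINGS = {
    "port": 636,
    "security_type": "SSL",
    "allow_password_change": True,
    "validate_server_cert": True,
}


def lint_ldap_action(settings):
    """Return a list of (severity, message) findings for one LDAP action.

    security_type is one of 'PLAINTEXT', 'TLS' (StartTLS) or 'SSL' (LDAPS).
    """
    findings = []
    port = settings["port"]
    sec = settings["security_type"].upper()
    pw_change = settings.get("allow_password_change", False)
    validate = settings.get("validate_server_cert", False)

    # Active Directory refuses password modifications over an unencrypted
    # bind, so Allow Password Change combined with PLAINTEXT can never work.
    if pw_change and sec == "PLAINTEXT":
        findings.append(("error",
                         "Allow Password Change requires encrypted LDAP: use SSL on "
                         f"{LDAPS_PORT} or TLS (StartTLS) on {LDAP_PORT}, not PLAINTEXT"))

    # Port and security type must agree on both ends.
    if sec == "SSL" and port != LDAPS_PORT:
        findings.append(("error", f"SSL (LDAPS) expects port {LDAPS_PORT}, got {port}"))
    if sec in ("TLS", "PLAINTEXT") and port == LDAPS_PORT:
        findings.append(("error", f"port {LDAPS_PORT} speaks LDAPS; set security type to SSL"))

    # Global catalog ports answer reads only; a password modify will fail there.
    if pw_change and port in GC_PORTS:
        findings.append(("error", f"port {port} is the global catalog; password change will fail"))

    # Encryption without certificate validation still accepts any certificate
    # presented on the way to the DC.
    if sec in ("SSL", "TLS") and not validate:
        findings.append(("warning",
                         "Validate LDAP Server Certificate is off; the DC certificate is not checked"))

    return findings


def is_ready_for_password_change(settings):
    """True when the profile has no error-level findings."""
    return not any(sev == "error" for sev, _ in lint_ldap_action(settings))


if __name__ == "__main__":
    for name, profile in (("posted", POSTED_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(name, is_ready_for_password_change(profile), lint_ldap_action(profile))
```

Run against the posted profile it reports a single error (password change over PLAINTEXT); the corrected profile passes cleanly. A TLS-on-389 profile with certificate validation off passes but carries a warning, which is worth keeping in mind when troubleshooting the "no prompt at all" symptom described above.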
Keith Woznica1709151649 Posted November 15, 2013
OK, I'll give this a try and see how it goes. Basically I will have to create a CA on a NON-Domain Controller server. Then I need to export the certificate and bring it into NetScaler. A couple of questions regarding this:
1.) I don't see a place in NetScaler VPX for configuring a service as described in CTX133893. Can someone point out where that applet is located?
2.) How come I never had to create a CA for the Web Interface to allow passwords to change?
Thanks for the reply.
Keith Woznica1709151649 Posted November 15, 2013
Would following this procedure be appropriate for the Domain Controller Authentication certificate template? http://technet.microsoft.com/en-us/library/cc731183.aspx
Keith Woznica1709151649 Posted November 16, 2013
I built a new CA server in my domain but I'm getting stuck when I click on New --> Certificate Template to Issue: the Enable Certificate Templates dialog appears, however I do not see Domain Controller Authentication as an option. I do see Domain Controller Authentication when I have Certificate Templates selected in the left pane. Why do I not see it when I click Certificate Template to Issue?
Jarian Gibson Posted November 16, 2013
Is the CA server using AD CA services? If so it will pull a cert and you can use TLS on 389 with change password.
Keith Woznica1709151649 Posted November 17, 2013
> Is the CA server using AD CA services? If so it will pull a cert and you can use TLS on 389 with change password.
I just installed the CA server Friday night and set it up to use AD CA services during role selection. When I went to enable the Domain Controller Authentication template I did not see it listed. I am going through this procedure based on the blog below.
http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html?showComment=1384573788218#c6613197144137500570
Is there a way to add the template into the list of available templates to issue on the CA?
Scott Barnett1709154172 Posted June 17, 2014
> Setting "allow password change" and using LDAPS / TLS will make the NS send the changed password back to the LDAP server, which will then need the AD servers to propagate that change. Of course, the Single Sign-On happens pretty quickly after that, and if the XenApp server that authenticates the WI authenticates to a DIFFERENT AD server, the password change might not yet have propagated over...
Hi Paul, we are seeing a similar issue to the one you describe as "slow propagation". Mostly it works fine. Rarely if ever an issue, but seemingly at times there is an increase in regularity. We are load balancing 3 domain controllers using LDAPS/636. When a user's password needs to be changed via AG on the NetScaler 9.3.56.5.nc, the user changes the password. The change is successful, but they are not forwarded to the AG homepage as is usually the case; instead they are sent back to the logon screen with the "red X" showing "invalid credentials". However, the old password no longer works and the new password gets them into the AG homepage upon subsequent logon. I have run aaad.debug along with a packet capture and compared them to the AD logs. It seems there is a failed logon in the AD log after the password change, but the subsequent logon attempt shows a normal log response. I have had this ticket open for over a year here, but it happens so few and far between that I have not been able to capture enough info nor figure out a viable remedy. Likewise, LDAP is rather vague and does not return a detailed error message to the NS in the aaad.debug. Is there a timer value that can be increased on the NS after the password change so as to wait a little longer before trying to authenticate using the new password the user just entered?
Lars Kvorning Posted August 13, 2014
Hi Scott, we are seeing the same problem:
> The change is successful, but they are not forwarded to the AG homepage as is usually the case; instead they are sent back to the logon screen with the "red X" showing "invalid credentials". However, the old password no longer works and the new password gets them into the AG homepage upon subsequent logon.
Have you any news on this case? Thank you in advance.
Brooks Carlson Posted August 13, 2014
Password change through the NetScaler Gateway has always been a bit confusing. The requirements for password change are very clear:
- you must be using Secure LDAP 636 (note the global catalog port will not work)
- the "Allow Password Change" button must be selected in the LDAP profile
Assuming those requirements are met, the next thing to consider is that there are only two times users can change their password:
- when the password naturally expires
- when accounts are set to allow password change on first logon in Windows AD
This is really the part that can cause issues. The NetScaler is not a full LDAP server/agent, and if you have certain password requirements such as:
- must meet complexity requirements
- minimum password length
- password has been used in the last x # of months
the NetScaler isn't capable of telling the person trying to change their password that the reason it isn't working is because (for example) the password doesn't meet complexity requirements. If you were running an aaad.debug while watching the connection audit you would see that message, but it isn't passed to the person trying to log on. The other issue is what I believe Paul Blitz was speaking of: sometimes the password change doesn't get synced as quickly as other applications and you may wind up seeing what Paul was talking about.
Raphael Muench Posted October 6, 2014
Hello Brooks, are the missing capabilities in the NetScaler you describe (informing a user about what exactly went wrong when setting a new password) still present and unsolved? That means there's no workaround within NetScaler to inform a user about the correct password requirements? So what to do? Tell them the exact requirements in a manual or in the run-up to a training? Thanks in advance, Raphael
Raphael Muench1709154698 Posted October 6, 2014
Hi! Is it possible to edit the Change_Password site and put an HTML text about the password requirements there? Thanks, Raphael
Josh Nocita Posted December 11, 2014
Over 1000 users to communicate the complexity requirements to, and to train every 90 days when they forget. This cannot be right! Has anyone found a solution to this issue?
Paul Blitz Posted December 16, 2014
Unfortunately, the LDAP on NetScaler *is* very limited, and the ability to change password is rather restricted (and to be honest, it's about time Citrix improved things a bit!), with no advice / enforcement of password complexity etc. Which means you can get a situation where a user's password expires, they enter an unsuitable new password, and they are then locked out! Of course, you could always modify the relevant login page to include some notes on what is required when choosing a new password.
@Scott: your description of the sequence sounds logical to me: the user attempts a login, is required to change the password, and then must use that new password to log in.
CarlStalhood Posted December 16, 2014
You can try Enhanced Authentication Feedback: http://blogs.citrix.com/2014/06/11/enhanced-authentication-feedback/
Joe Marriott Posted March 12, 2015
The following should provide feedback for password complexity requirements. Tested with 10.5 firmware, and using the 'green bubble' theme.
set aaa parameter -enableStaticPageCaching NO
add rewrite action custom_aaa_change_password_failed_rwact1 replace_all "HTTP.RES.BODY(120000)" q{"<String id=\"errorMessageLabelMax\">4016</String>"} -pattern "<String id=\"errorMessageLabelMax\">4015</String>"
add rewrite action custom_aaa_change_password_failed_rwact2 insert_after_all "HTTP.RES.BODY(120000)" q{"<String id=\"errorMessageLabel4016\">Password change failed. Please login again using your old password, then when prompted for a new password, ensure it meets the required complexity requirements.</String>"} -pattern "<String id=\"errorMessageLabel4015\">Your account is temporarily locked. </String>"
add rewrite action custom_aaa_change_password_notification_rwact replace_all "HTTP.RES.BODY(120000)" "\"Password reset required. Please enter a new password that is at least 8 characters in length, contains at least 1 number, contains at least 1 lowercase letter, contains at least 1 UPPER case letter, and is different than the previous 24 passwords\"" -pattern "Password Expired. Please enter a new password"
add rewrite policy custom_aaa_change_password_notification_rwpol "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/vpn/resources/en.xml\")" custom_aaa_change_password_notification_rwact
add rewrite policy custom_aaa_change_password_failed_rwpol1 "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/vpn/resources/en.xml\")" custom_aaa_change_password_failed_rwact1
add rewrite policy custom_aaa_change_password_failed_rwpol2 "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).EQ(\"/vpn/resources/en.xml\")" custom_aaa_change_password_failed_rwact2
add rewrite policylabel custom_aaa_change_password_rwpollbl http_res
bind rewrite policylabel custom_aaa_change_password_rwpollbl custom_aaa_change_password_notification_rwpol 100 NEXT
bind rewrite policylabel custom_aaa_change_password_rwpollbl custom_aaa_change_password_failed_rwpol1 110 NEXT
bind rewrite policylabel custom_aaa_change_password_rwpollbl custom_aaa_change_password_failed_rwpol2 120 NEXT
bind rewrite global NOPOLICY 140 NEXT -type RES_OVERRIDE -invoke policylabel custom_aaa_change_password_rwpollbl
Reboot the NetScaler after running these commands, as the en.xml file is usually cached statically in memory.
Joe Marriott
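The three rewrite actions above edit the strings file the Gateway login page loads, and a mistake in the inserted markup would break every localized string on the page. The following is an added example written for this page (not part of Joe's post and not NetScaler code): it performs the same three text edits, in their bound order, on a constructed fragment of /vpn/resources/en.xml and then re-parses the result, so the new 4016 label can be checked for well-formedness offline before the policies are bound on an appliance. The fragment itself is constructed; only the two label ids and the expired-password prompt are taken from the post.

```python
"""Offline dry run of the en.xml rewrite chain from the post above
(added example; SAMPLE_EN_XML is constructed, not a real en.xml)."""
import xml.etree.ElementTree as ET

# Constructed fragment standing in for /vpn/resources/en.xml. The 4001
# entry is filler; the other three are the strings the rewrites match.
SAMPLE_EN_XML = """<Resources>
<String id="errorMessageLabelMax">4015</String>
<String id="errorMessageLabel4001">Incorrect credentials</String>
<String id="errorMessageLabel4015">Your account is temporarily locked. </String>
<String id="changePasswordPrompt">Password Expired. Please enter a new password</String>
</Resources>"""

# Match and replacement texts taken from the three rewrite actions.
OLD_MAX = '<String id="errorMessageLabelMax">4015</String>'
NEW_MAX = '<String id="errorMessageLabelMax">4016</String>'
ANCHOR_4015 = '<String id="errorMessageLabel4015">Your account is temporarily locked. </String>'
NEW_LABEL_4016 = ('<String id="errorMessageLabel4016">Password change failed. Please login again '
                  'using your old password, then when prompted for a new password, ensure it '
                  'meets the required complexity requirements.</String>')
OLD_PROMPT = "Password Expired. Please enter a new password"
NEW_PROMPT = ("Password reset required. Please enter a new password that is at least 8 "
              "characters in length, contains at least 1 number, contains at least 1 lowercase "
              "letter, contains at least 1 UPPER case letter, and is different than the "
              "previous 24 passwords")


def apply_rewrites(body):
    """Apply the three actions in the order the policy label binds them."""
    # notification_rwact (priority 100): reword the expired-password prompt.
    body = body.replace(OLD_PROMPT, NEW_PROMPT)
    # failed_rwact1 (110): raise the highest known error id so 4016 is looked up.
    body = body.replace(OLD_MAX, NEW_MAX)
    # failed_rwact2 (120): insert the 4016 label straight after the 4015 one.
    body = body.replace(ANCHOR_4015, ANCHOR_4015 + NEW_LABEL_4016)
    return body


def parse_labels(body):
    """Parse the rewritten file and return {id: text}; raises if the XML broke."""
    root = ET.fromstring(body)
    return {s.get("id"): s.text for s in root.iter("String")}


def rewritten_labels():
    """Convenience wrapper: labels of the rewritten sample file."""
    return parse_labels(apply_rewrites(SAMPLE_EN_XML))


if __name__ == "__main__":
    for label_id, text in rewritten_labels().items():
        print(label_id, "=>", text)
```

If the parse step raises, the inserted label text is not valid XML and the rewrite action needs fixing before it is bound; if it passes, the id 4016 is present and the Max entry has been raised so the page can resolve it.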
Sanjith Abraham1709153204 Posted December 7, 2015
Hi Joe, what would I edit in the en.xml file directly instead of using this rewrite?
Sunny Ko Posted December 4, 2017
Dear All, I need help on a variation of this problem. Some users cannot reset their password after it has expired. They receive a different message after trying to reset the password: "Cannot connect. Try connecting again." Screenshot attached. Then we reset the login with a temporary password that requires a change upon the next successful login. The user logs in with the temporary password and enters the new password. Then the same error message "Cannot connect. Try connecting again." appears on the login web page. The problem happens with Windows 10 and both the IE11 and Edge browsers. This environment is running NetScaler 10.5 with XenApp 6.0. We troubleshot the problem with a PSO (Password Settings Object) on a specific test login, confirmed the GPO resultant policy is applied correctly, and cannot reproduce this issue with the test login. Would there be any user-specific browser/computer settings and GPOs in user domain A that would prevent them from resetting the Citrix domain B password? Any insights are appreciated. Regards, Sunny