Dual Password Field wrongly shows in First Authentication Prompt when connecting to NetScaler Gateway using Receiver

Article ID: CTX203775

Description

Consider the following scenario: you are using LDAP plus SMS passcode (RADIUS) authentication.

The user first authenticates to LDAP; only then is an SMS passcode sent to their mobile device, and that passcode is used for the second authentication. Unless the user has authenticated to LDAP first, they do not receive the SMS. This is a two-step authentication.


On the NetScaler Gateway, if you configure LDAP as the primary authentication and RADIUS as the secondary, the user is prompted for both passwords at once. This is a problem, because the user cannot obtain the SMS passcode until they have authenticated once with LDAP.

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Resolution

This is a limitation: you have to use a RADIUS server and have the RADIUS server perform the authentication against Active Directory (LDAP).

Workaround 1

Complete the following steps to work around this issue:

  1. Configure two authentication policies on the NetScaler Gateway: LDAP as primary and RADIUS as secondary.

  2. In the LDAP policy, uncheck Authentication and retain the other settings as required.

  3. The NetScaler now shows only one password prompt during authentication, in the browser as well as in Receiver.

  4. Once you enter the username and password, the username is passed to LDAP. Because Authentication is unchecked, LDAP does not prompt you again; it only performs group extraction for the user. NetScaler then passes the username and password on to RADIUS, which performs the actual authentication.

    You can check the aaad.debug log to verify that group extraction happens along with the RADIUS authentication:
    /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[370]: receive_ldap_user_search_event Binding user... 1 entries
    Fri Nov 20 21:17:20 2015
    /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[395]: receive_ldap_user_search_event User DN= <<CN=farhan,CN=Users,DC=EMEA,DC=in>>
    Fri Nov 20 21:17:20 2015
    /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[487]: receive_ldap_user_search_event built group string for farhan of:Group1
    Group2
    farhan-group
    Administrators

    Fri Nov 20 21:17:20 2015
    /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[496]: receive_ldap_user_search_event AAA_LDAP_FLAGS_NO_AUTH: sending accept
    Fri Nov 20 21:17:20 2015
    /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[2261]: send_accept sending accept to kernel for : farhan
    Fri Nov 20 21:17:20 2015
    /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[858]: process_kernel_socket call to authenticate
    user :farhan, vsid :10913
    Fri Nov 20 21:17:20 2015
    /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[3034]: start_cascade_auth starting cascade authentication
    Fri Nov 20 21:17:20 2015
    /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/radius_drv.c[771]: continue_radius_auth attempting to auth farhan @ 10.104.23.140

  5. If you still need LDAP authentication for the user, you can create a policy on the RADIUS server that authenticates the credentials passed by NetScaler against Active Directory.
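The log check in step 4 is easy to automate. The following Python script is an added example, not Citrix code: it parses an aaad.debug excerpt and confirms that the sequence the step describes actually happened, in order: LDAP group extraction, the AAA_LDAP_FLAGS_NO_AUTH accept, cascade start, and a RADIUS attempt for the same user. The sample input is the article's own log excerpt embedded inline; the function names and the string markers matched are assumptions derived from that excerpt, not a documented log format.

```python
import re
from typing import Dict, List, Optional

# Sample aaad.debug excerpt, copied from the log lines shown in step 4 above.
SAMPLE_AAAD_DEBUG = """\
/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[370]: receive_ldap_user_search_event Binding user... 1 entries
Fri Nov 20 21:17:20 2015
/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[395]: receive_ldap_user_search_event User DN= <<CN=farhan,CN=Users,DC=EMEA,DC=in>>
Fri Nov 20 21:17:20 2015
/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[487]: receive_ldap_user_search_event built group string for farhan of:Group1
Group2
farhan-group
Administrators

Fri Nov 20 21:17:20 2015
/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[496]: receive_ldap_user_search_event AAA_LDAP_FLAGS_NO_AUTH: sending accept
Fri Nov 20 21:17:20 2015
/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[2261]: send_accept sending accept to kernel for : farhan
Fri Nov 20 21:17:20 2015
/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[858]: process_kernel_socket call to authenticate
user :farhan, vsid :10913
Fri Nov 20 21:17:20 2015
/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[3034]: start_cascade_auth starting cascade authentication
Fri Nov 20 21:17:20 2015
/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/radius_drv.c[771]: continue_radius_auth attempting to auth farhan @ 10.104.23.140
"""

# Markers are assumptions based on the excerpt above, not a documented format.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")
USER_DN_RE = re.compile(r"User DN= <<(.+?)>>")
GROUP_START_RE = re.compile(r"built group string for (\S+) of:(.*)$")
RADIUS_RE = re.compile(r"continue_radius_auth attempting to auth (\S+) @ (\S+)")
NO_AUTH_MARKER = "AAA_LDAP_FLAGS_NO_AUTH: sending accept"
CASCADE_MARKER = "start_cascade_auth"


def parse_aaad_debug(text: str) -> Dict[str, object]:
    """Extract the Workaround 1 milestones from an aaad.debug excerpt."""
    user: Optional[str] = None
    user_dn: Optional[str] = None
    groups: List[str] = []
    no_auth_line: Optional[int] = None
    radius_line: Optional[int] = None
    radius_user: Optional[str] = None
    radius_server: Optional[str] = None
    cascade_started = False
    collecting_groups = False
    for idx, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if collecting_groups:
            # The group string continues one group per line until a blank
            # line or the next timestamp line.
            if not line or TIMESTAMP_RE.match(line):
                collecting_groups = False
            else:
                groups.append(line)
                continue
        m = USER_DN_RE.search(line)
        if m:
            user_dn = m.group(1)
            continue
        m = GROUP_START_RE.search(line)
        if m:
            user = m.group(1)
            if m.group(2).strip():
                groups.append(m.group(2).strip())
            collecting_groups = True
            continue
        if NO_AUTH_MARKER in line:
            no_auth_line = idx
            continue
        if CASCADE_MARKER in line:
            cascade_started = True
            continue
        m = RADIUS_RE.search(line)
        if m:
            radius_user, radius_server, radius_line = m.group(1), m.group(2), idx
    return {
        "user": user, "user_dn": user_dn, "groups": groups,
        "ldap_no_auth_accept": no_auth_line is not None,
        "cascade_started": cascade_started,
        "radius_user": radius_user, "radius_server": radius_server,
        "no_auth_line": no_auth_line, "radius_line": radius_line,
    }


def verify_workaround1(ev: Dict[str, object]) -> List[str]:
    """Return findings; an empty list means the expected sequence was seen."""
    problems: List[str] = []
    if not ev["groups"]:
        problems.append("no LDAP group extraction seen")
    if not ev["ldap_no_auth_accept"]:
        problems.append("LDAP did not send the NO_AUTH accept (is Authentication unchecked?)")
    if not ev["cascade_started"]:
        problems.append("cascade authentication never started")
    if ev["radius_server"] is None:
        problems.append("no RADIUS authentication attempt seen")
    elif ev["radius_user"] != ev["user"]:
        problems.append("RADIUS user differs from the LDAP user")
    if (ev["no_auth_line"] is not None and ev["radius_line"] is not None
            and ev["radius_line"] < ev["no_auth_line"]):
        problems.append("RADIUS attempt happened before LDAP group extraction")
    return problems


if __name__ == "__main__":
    events = parse_aaad_debug(SAMPLE_AAAD_DEBUG)
    print(events["user"], events["groups"], events["radius_server"])
    print(verify_workaround1(events) or "Workaround 1 sequence verified")
```

Feed it a real excerpt captured with `cat /tmp/aaad.debug` during a test logon; if the NO_AUTH accept is missing, the LDAP policy is still authenticating and the user will still see two password prompts.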

Workaround 2

The Receiver version should be 4.4 or above to implement this workaround. At present this workaround is not supported for Mobile Receivers.

You can add the following rewrite action and policy, which modify the copy of index.html sent to the client (similar to Workaround 3), while the original index.html on disk remains unchanged:

add rewrite action RW_ACT_remove_pw2_receiver insert_after_all "http.res.body(1024)" q/"\r\n"+"<META http-equiv=\"X-Citrix-AM-GatewayAuthType\" content=\"SMS\">"/ -pattern "content=\"text/html; charset=UTF-8\">"
add rewrite policy RW_POL_remove_pw2_Receiver "http.req.url.path.endswith(\"vpn/index.html\")" RW_ACT_remove_pw2_receiver
Workaround 3

Complete the following steps to work around this issue:

  1. The Receiver version should be 4.4 or above to implement this workaround. At present this workaround is not supported for Mobile Receivers.

  2. Using WinSCP (or any other SFTP tool) or the vi editor, edit the /netscaler/ns_gui/vpn/index.html file.

  3. Add the line <META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS"> directly below the line that reads <META http-equiv="Content-Type" content="text/html; charset=UTF-8">.

    The following is an example for your reference:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    
    <head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>Netscaler Gateway</title>
    <link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/vnd.microsoft.icon">
    <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">
    <META content=noindex,nofollow,noarchive name=robots>
    <link href="/vpn/js/rdx/core/css/rdx.css" rel="stylesheet" type="text/css"/>

  4. After making this change, the passcode field is hidden from the logon prompt.

  5. After entering the password, you are prompted by RADIUS for the OTP passcode.
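Workaround 2 and Workaround 3 make the same change to index.html, one on the wire through the rewrite action and the other on disk. The following Python script is an added example, not Citrix code: it performs the on-disk edit of Workaround 3 idempotently, anchored on the same Content-Type META the rewrite action in Workaround 2 keys on, and lets you read back which auth type a served page advertises. The sample HTML is a constructed, trimmed copy of the article's excerpt, and patch_file, insert_gateway_auth_type and read_gateway_auth_type are names chosen here.

```python
import re
import sys
from typing import Optional

# Constructed sample input: a trimmed <head> modelled on the article's excerpt.
SAMPLE_INDEX_HTML = """<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Netscaler Gateway</title>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META content=noindex,nofollow,noarchive name=robots>
</head>
</html>
"""

# The anchor line named in step 3 (and matched by the Workaround 2 rewrite action).
CONTENT_TYPE_META_RE = re.compile(
    r'<meta\s+http-equiv="Content-Type"\s+content="text/html;\s*charset=UTF-8">',
    re.IGNORECASE,
)
AUTH_TYPE_META_RE = re.compile(
    r'<meta\s+http-equiv="X-Citrix-AM-GatewayAuthType"\s+content="([^"]*)"',
    re.IGNORECASE,
)


def gateway_auth_type_meta(auth_type: str) -> str:
    """Build the META tag from step 3 for the given auth type (SMS in the article)."""
    return f'<META http-equiv="X-Citrix-AM-GatewayAuthType" content="{auth_type}">'


def read_gateway_auth_type(html: str) -> Optional[str]:
    """Return the content value of the X-Citrix-AM-GatewayAuthType META, or None."""
    m = AUTH_TYPE_META_RE.search(html)
    return m.group(1) if m else None


def insert_gateway_auth_type(html: str, auth_type: str = "SMS") -> str:
    """Insert the GatewayAuthType META directly below the Content-Type META.

    Idempotent: if the tag is already present the input is returned unchanged.
    Raises ValueError if the Content-Type anchor is missing, so a changed page
    layout fails loudly instead of silently leaving the file unmodified.
    """
    if read_gateway_auth_type(html) is not None:
        return html
    m = CONTENT_TYPE_META_RE.search(html)
    if m is None:
        raise ValueError("Content-Type META anchor not found in index.html")
    # Reuse the anchor line's indentation so the inserted tag lines up with it.
    line_start = html.rfind("\n", 0, m.start()) + 1
    prefix = html[line_start:m.start()]
    indent = prefix if prefix.strip() == "" else ""
    return html[:m.end()] + "\n" + indent + gateway_auth_type_meta(auth_type) + html[m.end():]


def patch_file(path: str, auth_type: str = "SMS") -> bool:
    """Patch an index.html in place, keeping a .bak copy. Returns True if changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = insert_gateway_auth_type(original, auth_type)
    if updated == original:
        return False
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return True


if __name__ == "__main__":
    # Usage: python patch_index.py /netscaler/ns_gui/vpn/index.html
    if len(sys.argv) > 1:
        print("patched" if patch_file(sys.argv[1]) else "already patched")
    else:
        print(insert_gateway_auth_type(SAMPLE_INDEX_HTML))
```

The ValueError on a missing anchor is deliberate: if index.html is ever replaced (for example after an upgrade) and its head no longer contains the expected Content-Type line, a silent no-op would quietly bring back the two-password prompt. The same anchor check tells you whether the rewrite policy from Workaround 2 still has a matching pattern, and read_gateway_auth_type run over a fetched /vpn/index.html confirms that the served page advertises the intended auth type.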

Issue/Introduction

Workarounds for the Citrix Receiver incompatibility with two-step verification during authentication.

Additional Information

If you are using a browser instead, refer to one of the Citrix blog posts on customization, which work with browsers.