Changing an expired LDAP password at user login through NetScaler Gateway (the change forced by password expiry) may fail, and the failure appears on the login page as:
"Incorrect credentials. Try again."
or, if Enhanced Authentication Feedback is enabled, as "Cannot connect. Try connecting again."
At the time of the issue, the syslog in /var/log/ns.log contains entries similar to the following:
..
Syslog 232 LOCAL0.ERR: 02/17/2017:14:46:33 GMT ns1 0-PPE-0 : default AAA Message 2266162 0 : " In receive_ldap_user_bind_event: ldap_bind user failed for user user1"
Syslog 234 LOCAL0.ERR: 02/17/2017:14:46:33 GMT ns1 0-PPE-0 : default AAA Message 2266163 0 : "In receive_ldap_user_bind_event: user user1 password needs to be changed"
Syslog 231 LOCAL0.INFO: 02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA Message 2266165 0 : "In update_aaa_cntr: Failed policy for user user1 = contoso.com.DC-LDAP"
Syslog 342 LOCAL0.WARNING: 02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 2266166 0 : User user1 - Client_ip x.x.33.30 - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Syslog 207 LOCAL0.ERR: 02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA Message 2266167 0 : "In unicode_ber: Invalid UTF-8 character input"
Syslog 256 LOCAL0.ERR: 02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA Message 2266168 0 : "While changing password (ns_ldap_change_password): error unicoding new password for user user1"
...
The output of the debug command, cat /tmp/aaad.debug, contains the following entries:
.....
/usr/home/build/rs_110_69_6_RTM/usr.src/netscaler/aaad/ldap_drv.c[1633]: unicode_ber Invalid UTF-8 character input
Fri Feb 17 14:46:40 2017
/usr/home/build/rs_110_69_6_RTM/usr.src/netscaler/aaad/ldap_common.c[1104]: ns_ldap_change_password error unicoding new password
Fri Feb 17 14:46:40 2017
/usr/home/build/rs_110_69_6_RTM/usr.src/netscaler/aaad/naaad.c[2587]: send_reject_with_code Rejecting with error code 4004
This is a known issue, investigated and tracked as Issue ID #0672846.
There is no workaround to mitigate this; the end user may need to choose a different password.
The root cause has been found and a fix is targeted for the following NetScaler releases:
This article will be updated if the release dates above change.
The issue was found in one of the functions used to store or duplicate password strings in a structure used by the authentication module.
When that function was used and the given password was later encrypted, the resulting encrypted string sometimes contained a byte pattern that caused some bytes of the password not to be copied, so a wrong (and, as the log shows, not valid UTF-8) string was passed to the internal LDAP password change function.
This issue may occur: