Device Certificate Authentication with Green Bubble Theme Fails

Article ID: CTX222284

Description

After selecting the device certificate on the client machine, a 403 Forbidden error is seen.

Resolution

  • Edit the file "ctxs.authentication.css" in the /var/netscaler/gui/vpn/css directory and comment out the two rules shown below (they are shown already wrapped in /* ... */):
     
    /*#logonbelt-topshadow {
        background: url("../../../media/Screen_shadow_top.png") no-repeat transparent;
        position: relative;
        top: 205px;
        margin: 0 auto;
        width: 1009px;
        height: 15px;
    }
     
    #logonbelt-bottomshadow {
        background: url("../../../media/Screen_shadow_bottom.png") no-repeat transparent;
        position: relative;
        bottom: 0;
        margin: 205px auto 0;
        width: 1009px;
        height: 15px;
    }*/
  • The stylesheet section above is the part that needs to be commented out. With these rules disabled the browser no longer requests Screen_shadow_top.png and Screen_shadow_bottom.png, so the redirects described under Problem Cause do not occur.
     

Problem Cause

Device certificate authentication fails with the Green Bubble theme because the NSC_EPAC cookie is not retained: the two image requests referenced by the rules above each receive a 302 redirect from the NetScaler, and that redirect resets the NSC_EPAC cookie, as shown below.
 
GET /media/Screen_shadow_top.png HTTP/1.1
Host: FQDN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://fqdn
Cookie: NSC_EPAC=a9e4ea61badd278b6fd18837c7ba87cd
Connection: keep-alive
 
 
 
HTTP/1.1 302 Object Moved
Location: /vpn/index.html
Set-Cookie:NSC_EPAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie:NSC_FSRD=xyz;Secure;HttpOnly;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Connection: close
Content-Length:534
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
 
<html><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"><script type="text/javascript" src="/vpn/resources.js"></script><script type="text/javascript" language="javascript">var Resources = new ResourceManager("/vpn/resources/{lang}", "REDIRECTION_BODY");</script></head><body><span id="This object may be found "></span><a href="/vpn/index.html"><span id="here"></span></a><span id="Trailing phrase after here"></span><script type="text/javascript" language="javascript">Resources.Load();</script></body></html>
 
 
GET /media/Screen_shadow_bottom.png HTTP/1.1
Host: fqdn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://fqdn
Cookie: NSC_EPAC=a9e4ea61badd278b6fd18837c7ba87cd
Connection: keep-alive
 
 
 
HTTP/1.1 302 Object Moved
Location: /vpn/index.html
Set-Cookie:NSC_EPAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie:NSC_FSRD=xyz;Secure;HttpOnly;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Connection: close
Content-Length:534
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
 
<html><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"><script type="text/javascript" src="/vpn/resources.js"></script><script type="text/javascript" language="javascript">var Resources = new ResourceManager("/vpn/resources/{lang}", "REDIRECTION_BODY");</script></head><body><span id="This object may be found "></span><a href="/vpn/index.html"><span id="here"></span></a><span id="Trailing phrase after here"></span><script type="text/javascript" language="javascript">Resources.Load();</script></body></html>
 
Because the subsequent request carries no valid NSC_EPAC cookie, the NetScaler issues a new cookie and expects device certificate authentication to be performed again. The client never repeats it and instead sends the new cookie in the POST /cgi/login request, which results in a 403 Forbidden error, as shown below.
 
POST /cgi/login HTTP/1.1
Host: fqdn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://fqdn
Cookie: NSC_EPAC=460bf477eb6a5abcefba8120dda987cd
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
login=user&passwd=passwd
 
 
HTTP/1.1 403 Access Forbidden
Connection: close
Content-Length: 29
Content-Type: text/html
Cache-Control: no-cache,no-store
Pragma: no-cache
 
Error: Not a privileged User.
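As an added diagnostic, not part of the Citrix article, the following Python walks a request/response trace like the capture above and flags both symptoms: a 302 whose Set-Cookie expires NSC_EPAC, and a POST /cgi/login that carries a different NSC_EPAC value than the one established by device certificate authentication. The trace and its cookie values are constructed for the example.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_message(raw):
    """Split a raw HTTP message into (start line, {header-name: [values]}); body dropped."""
    lines = [ln.strip() for ln in raw.strip().split("\n\n", 1)[0].splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")      # tolerates "Set-Cookie:NSC_EPAC=..." with no space
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def cookie_value(headers, name):
    """Value of cookie `name` in the client's Cookie header, or None."""
    m = re.search(rf"(?:^|;\s*){name}=([^;]+)", "; ".join(headers.get("cookie", [])))
    return m.group(1) if m else None

def clears_cookie(headers, name, now=None):
    """True if a Set-Cookie for `name` carries an Expires date already in the past."""
    now = now or datetime.now(timezone.utc)
    for hdr in headers.get("set-cookie", []):
        m = re.search(r"expires=([^;]+)", hdr, re.IGNORECASE)
        if hdr.startswith(name + "=") and m and parsedate_to_datetime(m.group(1)) < now:
            return True
    return False

def analyse(exchanges):
    """Return findings: 302s that expire NSC_EPAC, and logins not carrying the original cookie."""
    findings, original = [], None
    for req_raw, resp_raw in exchanges:
        (req_line, req_h), (resp_line, resp_h) = parse_message(req_raw), parse_message(resp_raw)
        method, path = req_line.split()[:2]
        sent = cookie_value(req_h, "NSC_EPAC")
        original = original or sent                  # first cookie seen = device-cert session
        if resp_line.split()[1] == "302" and clears_cookie(resp_h, "NSC_EPAC"):
            findings.append(f"{method} {path}: 302 expired NSC_EPAC={sent}")
        if path == "/cgi/login" and sent != original:
            findings.append(f"{method} {path}: NSC_EPAC={sent} is not the device-cert session {original}")
    return findings

# Constructed trace mirroring the article's capture (cookie values are made up).
TRACE = [
    ("GET /media/Screen_shadow_top.png HTTP/1.1\nHost: fqdn\nCookie: NSC_EPAC=aaaa1111\n",
     "HTTP/1.1 302 Object Moved\nLocation: /vpn/index.html\n"
     "Set-Cookie:NSC_EPAC=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\n"),
    ("POST /cgi/login HTTP/1.1\nHost: fqdn\nCookie: NSC_EPAC=bbbb2222\n\nlogin=user&passwd=passwd",
     "HTTP/1.1 403 Access Forbidden\nContent-Type: text/html\n\nError: Not a privileged User."),
]
```

Running `analyse(TRACE)` on a capture from a working theme should return an empty list; the two findings it returns here are exactly the cookie reset and the mismatched login cookie described above.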