SSO Failure for Form Based Authentication

Article ID: CTX231561

Description

SSO is failing and the website prompts for the password twice; however, aaad.debug shows that the authentication itself succeeds.
aaad logs:
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[107]: start_ldap_auth 0-523: Starting LDAP auth
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[131]: start_ldap_auth 0-523: attempting to do ldap auth for testuser.local @ 1.1.1.1
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[133]: start_ldap_auth 0-523: LDAP referrals are OFF
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[134]: start_ldap_auth 0-523: LDAP referral nesting depth 0
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[721]: continue_ldap_init 0-523: Connecting to: 1.1.1.1:389
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[727]: continue_ldap_init 0-523: User testuser.local Connecting to: 1.1.1.1:389
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[4119]: register_timer 0-523: setting timer 32
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[4196]: unregister_timer 0-523: releasing timer 32
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[801]: ns_ldap_set_up_socket 0-523: Server certificate hostname = NULL
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[809]: ns_ldap_set_up_socket 0-523: Setting timeouts for SSL/TLS.
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[846]: ns_ldap_set_up_socket 0-523: Set cert verify level 0
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[849]: ns_ldap_set_up_socket 0-523: Getting cipher suite global value
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[852]: ns_ldap_set_up_socket 0-523: Checking non-zero cipher suite
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[862]: ns_ldap_set_up_socket 0-523: NULL cipher suite.  Using default.
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[868]: ns_ldap_set_up_socket 0-523: Freeing cipher suite value
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[875]: ns_ldap_set_up_socket 0-523: Done with cipher suite
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[929]: ns_ldap_set_up_socket 0-523: Starting TLS to : 1.1.1.1:389
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[949]: ns_ldap_set_up_socket 0-523: Successfully established connection to NULL
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[4119]: register_timer 0-523: setting timer 33
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[187]: receive_ldap_bind_event 0-523: receive ldap bind event
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[398]: ns_ldap_check_result 0-523: checking LDAP result.  Expecting 97 (LDAP_RES_BIND)
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[436]: ns_ldap_check_result 0-523: ldap_result found expected result LDAP_RES_BIND
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[199]: receive_ldap_bind_event 0-523: Bind OK
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[4196]: unregister_timer 0-523: releasing timer 33
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[268]: receive_ldap_bind_event 0-523: Original slen: 18
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[292]: receive_ldap_bind_event 0-523: User name: dirty = <testuser.local> sanitized = <testuser.local>
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[294]: receive_ldap_bind_event 0-523: Admin bind successful, attempting user search event for testuser.local
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[1078]: ns_ldap_search 0-523: Searching for <<(& (sAMAccountName=testuser.local) (objectClass=*))>> from base <<OU=Citrix,OU=LAB,DC=reproduction,DC=COM>>
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[4119]: register_timer 0-523: setting timer 34
Wed Jan 10 10:45:12 2018
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[387]: receive_ldap_user_search_event 0-523: Binding user... 1 entries
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[388]: receive_ldap_user_search_event 0-523: Admin authentication(Bind) succeeded, now attempting to search the user testuser.local
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[414]: receive_ldap_user_search_event 0-523: User DN= <<CN=testuser local,OU=Level10, OU=Citrix, OU=LAB, DC=reproduction, DC=COM>>
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[584]: extract_ldap_attribute 0-523: retrieved cn value testuser local for testuser.local, length is 18
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[515]: receive_ldap_user_search_event 0-523: For user testuser.local, group stringLength 7
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[524]: receive_ldap_user_search_event 0-523: built group string for testuser.local of:TestGroup

Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[555]: receive_ldap_user_search_event 0-523: User search succeeded, attempting user authentication(Bind) for <testuser.local>
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[4119]: register_timer 0-523: setting timer 35
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[841]: receive_ldap_user_bind_event 0-523: Got user bind event.
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[398]: ns_ldap_check_result 0-523: checking LDAP result.  Expecting 97 (LDAP_RES_BIND)
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[436]: ns_ldap_check_result 0-523: ldap_result found expected result LDAP_RES_BIND
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[850]: receive_ldap_user_bind_event 0-523: Bind OK.
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[4196]: unregister_timer 0-523: releasing timer 35
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[944]: receive_ldap_user_bind_event 0-523: User authentication (Bind event) for user testuser.local succeeded


The LDAP action is configured with CN as the ssoNameAttribute:
add authentication ldapAction SRV_LDAP_LAB -serverIP 1.1.1.1 -ldapBase "OU=Citrix,OU=LAB,DC=reproduction,DC=COM" -ldapBindDn "CN=TEST_Netscaler_LDAP,OU=Citrix,OU=LAB,DC=reproduction,DC=COM" -ldapBindDnPassword XXXX -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -secType TLS -ssoNameAttribute CN

Resolution

In the LDAP policy action, change ssoNameAttribute to sAMAccountName, or leave it blank (the default), which forwards the username supplied by the client itself.

Problem Cause

The customer has ssoNameAttribute configured as CN, but the CN differs from the user's login username. In the above example:
username: "testuser.local"
CN retrieved from LDAP: "testuser local"
There is an extra space character in the retrieved CN, so SSO fails whenever ssoNameAttribute is set to an attribute whose value the backend server does not accept as a username.
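The mismatch above can be spotted in aaad.debug before users report a double password prompt: correlate, per session id, the username the client typed (start_ldap_auth) with the attribute value NetScaler would forward as the SSO name (extract_ldap_attribute). The following script is an added example, not Citrix code; the log excerpt is constructed from the article's lines (session 0-523, user testuser.local, CN "testuser local") plus an invented clean session 0-524 (user jdoe). The treatment of sAMAccountName as equal to the login name assumes it is also the ldapLoginName, as in the action shown above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed aaad.debug excerpt in the shape shown in the article. Session 0-523
# mirrors the article; session 0-524 is invented to show a non-failing case.
SAMPLE_AAAD_DEBUG = """\
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[131]: start_ldap_auth 0-523: attempting to do ldap auth for testuser.local @ 1.1.1.1
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[584]: extract_ldap_attribute 0-523: retrieved cn value testuser local for testuser.local, length is 18
Wed Jan 10 10:45:12 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[944]: receive_ldap_user_bind_event 0-523: User authentication (Bind event) for user testuser.local succeeded
Wed Jan 10 10:46:01 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[131]: start_ldap_auth 0-524: attempting to do ldap auth for jdoe @ 1.1.1.1
Wed Jan 10 10:46:01 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_common.c[584]: extract_ldap_attribute 0-524: retrieved cn value jdoe for jdoe, length is 4
Wed Jan 10 10:46:01 2018
 /home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[944]: receive_ldap_user_bind_event 0-524: User authentication (Bind event) for user jdoe succeeded
"""

# Patterns for the three aaad.debug lines the check needs; the session id
# (e.g. "0-523") ties them together.
LOGIN_RE = re.compile(
    r"start_ldap_auth (?P<sid>\d+-\d+): attempting to do ldap auth for (?P<user>\S+) @")
ATTR_RE = re.compile(
    r"extract_ldap_attribute (?P<sid>\d+-\d+): retrieved (?P<attr>\S+) value "
    r"(?P<value>.+?) for (?P<user>[^,]+), length is \d+")
SUCCESS_RE = re.compile(
    r"receive_ldap_user_bind_event (?P<sid>\d+-\d+): User authentication "
    r"\(Bind event\) for user (?P<user>\S+) succeeded")


def parse_sessions(log_text: str) -> Dict[str, dict]:
    """Group login name, extracted attributes and bind outcome by session id."""
    sessions: Dict[str, dict] = {}

    def session(sid: str) -> dict:
        return sessions.setdefault(sid, {"login": None, "attrs": {}, "auth_ok": False})

    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            session(m["sid"])["login"] = m["user"]
            continue
        m = ATTR_RE.search(line)
        if m:
            # attribute names are case-insensitive in LDAP; normalise for lookup
            session(m["sid"])["attrs"][m["attr"].lower()] = m["value"]
            continue
        m = SUCCESS_RE.search(line)
        if m:
            session(m["sid"])["auth_ok"] = True
    return sessions


def sso_name_mismatches(log_text: str, sso_name_attribute: str,
                        ldap_login_name: str = "sAMAccountName"
                        ) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (session, login, forwarded_name, reason) for every session whose
    LDAP bind succeeded but whose forwarded SSO name differs from the login.

    A blank ssoNameAttribute (the default) forwards the client-supplied name.
    Assumption: when ssoNameAttribute equals ldapLoginName, the user search
    matched on that attribute, so the forwarded value equals the login name.
    """
    attr = sso_name_attribute.lower()
    findings = []
    for sid, s in parse_sessions(log_text).items():
        if not s["auth_ok"] or s["login"] is None:
            continue
        if attr == "" or attr == ldap_login_name.lower():
            forwarded: Optional[str] = s["login"]
        else:
            forwarded = s["attrs"].get(attr)
            if forwarded is None:
                findings.append((sid, s["login"], None,
                                 f"attribute {sso_name_attribute} not extracted in log"))
                continue
        if forwarded != s["login"]:
            reason = ("whitespace in forwarded name"
                      if any(c.isspace() for c in forwarded)
                      else "differs from login name")
            findings.append((sid, s["login"], forwarded, reason))
    return findings


if __name__ == "__main__":
    for sid, login, forwarded, reason in sso_name_mismatches(SAMPLE_AAAD_DEBUG, "CN"):
        print(f"session {sid}: login={login!r} forwarded={forwarded!r} ({reason})")
```

Run against a real aaad.debug capture with the ssoNameAttribute value from `show authentication ldapAction`; a non-empty result for a user who reports a second password prompt points at the attribute choice rather than at the LDAP bind, which is exactly the situation in the log above.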

Issue/Introduction

Form based authentication fails when CN is configured as ssoNameAttribute.

Additional Information

How to Configure NetScaler Gateway for Single Sign-On to a Web Form

https://support.citrix.com/article/CTX200589