After upgrading NetScaler to build 14.1.47.46 or 13.1.59.19, customers might experience issues with authentication. This can manifest as a "broken" login page, especially when using authentication methods such as DUO configurations based on RADIUS authentication, SAML, or any Identity Provider (IdP) that relies on custom scripts.
Note: This behavior may be due to the Content Security Policy (CSP) header being enabled by default in this NetScaler build, especially when CSP was not enabled prior to the upgrade.
Starting with NetScaler builds 14.1.47.46 and 13.1.59.19, the Content Security Policy (CSP) header is enabled by default as part of our ongoing secure-by-design and secure-by-default initiative.
The CSP header helps mitigate risks associated with cross-site scripting (XSS), code injection, and other client-side attacks by controlling which resources the browser is allowed to load. By restricting the execution of unauthorized scripts and external content, this policy significantly reduces the risk of browser-based threats. However, it can inadvertently block legitimate scripts or resources loaded by DUO configurations based on RADIUS authentication, other integrations, custom SAML setups, or other IdP configurations that do not comply with the strict CSP rules.
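To make the mechanism above concrete, here is an added example (not Citrix or NetScaler code) that parses a Content-Security-Policy header out of a captured HTTP response and evaluates, for a list of resources a login page might need, whether a browser enforcing that policy would load them. The sample response headers, the policy string, the origins gateway.example.com and idp.example.com, and the script paths are all constructed for illustration; the real default policy that NetScaler sends is not reproduced here. It models 'self', 'none', '*', scheme sources, host sources with a leading wildcard, and 'unsafe-inline'; nonces and hashes are deliberately left out.

```python
"""Evaluate which login-page resources a Content-Security-Policy would block.
Added example, not NetScaler code. All sample values below are constructed."""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "frame-src", "media-src", "object-src"}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def _port(u):
    """Effective port of a parsed URL, applying the scheme default when absent."""
    return u.port or {"http": 80, "https": 443}.get(u.scheme)


def _host_matches(pattern, host):
    # "*.example.com" matches "idp.example.com" but not the bare "example.com".
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _source_matches(expr, url, page_origin):
    """Does one CSP source expression allow `url` to load from a page at `page_origin`?"""
    expr_l = expr.lower()
    page, target = urlparse(page_origin), urlparse(url)
    if expr_l == "'none'":
        return False
    if expr_l == "*":
        return target.scheme in ("http", "https")   # '*' never matches data:, blob: etc.
    if expr_l == "'self'":
        return (target.scheme, target.hostname, _port(target)) == \
               (page.scheme, page.hostname, _port(page))
    if expr_l.startswith("'"):
        return False                                  # keywords/nonces/hashes never match a URL
    if expr_l.endswith(":") and "/" not in expr_l:
        return target.scheme == expr_l[:-1]           # scheme-source such as "https:" or "data:"
    if "://" not in expr_l:                           # host-source without scheme inherits the page's
        expr_l = f"{page.scheme}://{expr_l}"
    src = urlparse(expr_l)
    if src.scheme != target.scheme and not (src.scheme == "http" and target.scheme == "https"):
        return False
    if not _host_matches(src.hostname or "", target.hostname or ""):
        return False
    return src.port is None or src.port == _port(target)


def effective_sources(policy, directive):
    """Source list governing `directive`; None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def allows(policy, directive, url, page_origin):
    sources = effective_sources(policy, directive)
    return True if sources is None else any(_source_matches(s, url, page_origin) for s in sources)


def allows_inline(policy, directive):
    """Inline <script>/<style> blocks need 'unsafe-inline' (nonces/hashes not modelled)."""
    sources = effective_sources(policy, directive)
    return True if sources is None else "'unsafe-inline'" in [s.lower() for s in sources]


def csp_from_headers(raw):
    """Extract the Content-Security-Policy value from raw response headers, or None."""
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-security-policy":
            return value.strip()
    return None


def diagnose(raw_headers, page_origin, resources):
    """resources: [(directive, url or "inline")] -> {(directive, target): allowed?}"""
    header = csp_from_headers(raw_headers)
    if header is None:
        return {r: True for r in resources}           # no CSP: the browser loads everything
    policy = parse_csp(header)
    return {(d, t): allows_inline(policy, d) if t == "inline" else allows(policy, d, t, page_origin)
            for d, t in resources}


# Constructed sample: a strict policy of the kind a secure-by-default setting might send.
SAMPLE_HEADERS = ("HTTP/1.1 200 OK\r\n"
                  "Content-Type: text/html\r\n"
                  "Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self' data:\r\n"
                  "\r\n")

if __name__ == "__main__":
    checks = [("script-src", "https://gateway.example.com/logon/custom.js"),   # constructed path
              ("script-src", "https://idp.example.com/sso/login.js"),          # constructed IdP script
              ("script-src", "inline"),
              ("img-src", "data:image/png;base64,AAAA")]
    for (d, t), ok in diagnose(SAMPLE_HEADERS, "https://gateway.example.com", checks).items():
        print(f"{'ALLOWED' if ok else 'BLOCKED'}  {d:<11} {t}")
```

Run against a response captured from the gateway, the output lists which directive blocks each third-party or inline script, which is the information support needs to adjust a policy rather than disable it.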
To resolve this issue temporarily, disable the default CSP header on your NetScaler appliance. After disabling it, it is recommended to flush the cache so that the change takes effect immediately.
To ensure that your configurations work with CSP enabled, please reach out to the support team so that we can identify the issue and fix it for your configuration.
Steps to Disable CSP Header:
Using Command Line Interface (CLI): Execute the following commands from the NetScaler CLI:
set aaa parameter -defaultCSPHeader DISABLED
save ns config
Using Graphical User Interface (GUI):
Step 1: Log in to the NetScaler GUI.
Step 2: Navigate to NetScaler Gateway > Global Settings.
Step 3: Under the "Authentication Settings" section, click on Change authentication AAA settings.
Step 4: On the "Configure AAA Parameters" page, locate the Default CSP Header field. From the dropdown menu, select DISABLED, then click OK to save the changes.
Post-Configuration Recommendation:
After enabling or disabling the default CSP policy, it is recommended to run the following command in the CLI:
flush cache contentgroup loginstaticobjects
After performing the steps above, attempt to access your NetScaler Gateway authentication portal to validate if the issue is resolved.
If the issue persists after following these steps, please reach out to Citrix Support for further assistance so that we can identify the issue with CSP and fix it for your configuration. Provide them with details of your configuration and the steps you have already taken.
For more detailed information on Content Security Policy (CSP) headers and their function, please refer to the official Citrix documentation on the Content Security Policy response header.