NetScaler 13.1 - Users fail to log on to Citrix Gateway using Google reCAPTCHA plus Native OTP with "Invalid username or password"

Article ID: CTX694940

Description

When Citrix Gateway is configured with Google reCAPTCHA plus Native OTP on the same login page, logon may fail with "Invalid username or password" under the following configuration.


Login Schema:

add authentication loginSchema <login_schema> -authenticationSchema "/nsconfig/loginschema/DualAuthCaptcha3.xml" -SSOCredentials YES


Authentication Policy:

add authentication policylabel <LDAP_auth_pollabel> -loginSchema LSCHEMA_INT
add authentication policylabel <OTP_verify_pollabel> -loginSchema LSCHEMA_INT

bind authentication vserver <AAA_vserver_name> -policy <recaptcha_auth_pol> -priority 100 -gotoPriorityExpression NEXT -nextFactor <LDAP_auth_pollabel>
bind authentication policylabel <LDAP_auth_pollabel> -policyName <LDAP_auth_pol> -priority 100 -gotoPriorityExpression NEXT -nextFactor <OTP_verify_pollabel>
bind authentication policylabel <OTP_verify_pollabel> -policyName <OTP_verify_auth_pol> -priority 100 -gotoPriorityExpression NEXT

Cause

From an nstrace capture, we noticed that NetScaler used the OTP token as the LDAP password when performing LDAP authentication.

Resolution

The issue is solved by specifying the password expression in the login schema for the LDAP and OTP verify authentication factors. The configuration is as below:

add authentication loginSchema LDAP_noSchema -authenticationSchema noschema -passwdExpression AAA.LOGIN.PASSWORD -passwordCredentialIndex 1 -SSOCredentials YES
add authentication policylabel <LDAP_auth_pollabel> -loginSchema LDAP_noSchema
=> Here we specify that NetScaler should use the first password, AAA.LOGIN.PASSWORD, for LDAP authentication.

add authentication loginSchema nativeOTP_verify_noschema -authenticationSchema noschema -passwdExpression AAA.LOGIN.PASSWORD2
add authentication policylabel <OTP_verify_pollabel> -loginSchema nativeOTP_verify_noschema
=> Here we specify that NetScaler should use the second password, AAA.LOGIN.PASSWORD2, which is the OTP token, for the LDAP authentication performed by the OTP verification factor.

bind authentication vserver <AAA_vserver_name> -policy <recaptcha_auth_pol> -priority 100 -gotoPriorityExpression NEXT -nextFactor <LDAP_auth_pollabel>
bind authentication policylabel <LDAP_auth_pollabel> -policyName <LDAP_auth_pol> -priority 100 -gotoPriorityExpression NEXT -nextFactor <OTP_verify_pollabel>
bind authentication policylabel <OTP_verify_pollabel> -policyName <OTP_verify_auth_pol> -priority 100 -gotoPriorityExpression NEXT
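As an added check that is not part of this Citrix article, the following Python lint parses ns.conf-style commands and reports every chained factor (a policylabel reached via -nextFactor) whose login schema carries no -passwdExpression, which is exactly the condition the resolution above fixes. The sample configuration is the article's "before" and "after" with the placeholder names filled in; AAA_vs, recaptcha_auth_pol, LDAP_auth_pol, OTP_verify_auth_pol and DualAuthCaptcha_LS are assumed names.

```python
import shlex
# Constructed sample: the article's factor chain with placeholder names filled in
# (AAA_vs, recaptcha_auth_pol and the *_pol / *_pollabel names are assumed, not real).
BINDS = """
bind authentication vserver AAA_vs -policy recaptcha_auth_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor LDAP_auth_pollabel
bind authentication policylabel LDAP_auth_pollabel -policyName LDAP_auth_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor OTP_verify_pollabel
bind authentication policylabel OTP_verify_pollabel -policyName OTP_verify_auth_pol -priority 100 -gotoPriorityExpression NEXT
"""
# "Before": the chained factors use the built-in LSCHEMA_INT, so no password expression.
BROKEN_CONF = """
add authentication loginSchema DualAuthCaptcha_LS -authenticationSchema "/nsconfig/loginschema/DualAuthCaptcha3.xml" -SSOCredentials YES
add authentication policylabel LDAP_auth_pollabel -loginSchema LSCHEMA_INT
add authentication policylabel OTP_verify_pollabel -loginSchema LSCHEMA_INT
""" + BINDS
# "After": each chained factor names which collected password it consumes.
FIXED_CONF = """
add authentication loginSchema LDAP_noSchema -authenticationSchema noschema -passwdExpression AAA.LOGIN.PASSWORD -passwordCredentialIndex 1 -SSOCredentials YES
add authentication policylabel LDAP_auth_pollabel -loginSchema LDAP_noSchema
add authentication loginSchema nativeOTP_verify_noschema -authenticationSchema noschema -passwdExpression AAA.LOGIN.PASSWORD2
add authentication policylabel OTP_verify_pollabel -loginSchema nativeOTP_verify_noschema
""" + BINDS

def _parse(line):
    """Split one ns.conf command into (verb, object type, name, {option: value})."""
    tok = shlex.split(line)
    if len(tok) < 4:  # blank or unrelated line: nothing to extract
        return None, None, None, {}
    opts, i = {}, 4
    while i < len(tok):  # options are "-name value" pairs or bare "-flag"
        has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
        opts[tok[i].lstrip("-")] = tok[i + 1] if has_val else True
        i += 2 if has_val else 1
    return tok[0], tok[2], tok[3], opts

def factor_password_sources(conf):
    """Map each policylabel reached as a -nextFactor to the -passwdExpression of its
    login schema; None means the factor picks up a password implicitly (the bug here)."""
    schemas, labels, next_factors = {}, {}, set()
    for raw in conf.splitlines():
        verb, objtype, name, opts = _parse(raw)
        if verb == "add" and objtype == "loginSchema":
            schemas[name] = opts.get("passwdExpression")
        elif verb == "add" and objtype == "policylabel":
            labels[name] = opts.get("loginSchema")
        elif verb == "bind" and "nextFactor" in opts:
            next_factors.add(opts["nextFactor"])
    return {f: schemas.get(labels.get(f)) for f in sorted(next_factors)}

def factors_without_password_expression(conf):
    """Chained factors to fix: their login schema has no explicit -passwdExpression."""
    return [f for f, expr in factor_password_sources(conf).items() if expr is None]
```

Run it over a saved ns.conf by passing the file contents to factors_without_password_expression; an empty list means every chained factor states which collected password it uses.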

Issue/Introduction

Users may fail to log on to Citrix Gateway when Google reCAPTCHA plus Native OTP are used on the same login page.