When Citrix Gateway is configured with Google reCAPTCHA plus Native OTP on the same login page, logins may fail with the following configuration.
Login Schema:
add authentication loginSchema <login_schema> -authenticationSchema "/nsconfig/loginschema/DualAuthCaptcha3.xml" -SSOCredentials YES
Authentication Policy:
add authentication policylabel <LDAP_auth_pollabel> -loginSchema LSCHEMA_INT
add authentication policylabel <OTP_verify_pollabel> -loginSchema LSCHEMA_INT
bind authentication vserver <AAA_vserver_name> -policy <recaptcha_auth_pol> -priority 100 -gotoPriorityExpression NEXT -nextFactor <LDAP_auth_pollabel>
bind authentication policylabel <LDAP_auth_pollabel> -policyName <LDAP_auth_pol> -priority 100 -gotoPriorityExpression NEXT -nextFactor <OTP_verify_pollabel>
bind authentication policylabel <OTP_verify_pollabel> -policyName <OTP_verify_auth_pol> -priority 100 -gotoPriorityExpression NEXT
From an nstrace capture, we noticed that NetScaler used the OTP token as the LDAP password when performing LDAP authentication.
The issue is resolved by specifying the password expression in the login schema for the LDAP and OTP verification factors. The configuration is as follows:
add authentication loginSchema LDAP_noSchema -authenticationSchema noschema -passwdExpression AAA.LOGIN.PASSWORD -passwordCredentialIndex 1 -SSOCredentials YES
add authentication policylabel <LDAP_auth_pollabel> -loginSchema LDAP_noSchema
=> Here we specify that NetScaler should use the first password, AAA.LOGIN.PASSWORD, for LDAP authentication.
add authentication loginSchema nativeOTP_verify_noschema -authenticationSchema noschema -passwdExpression AAA.LOGIN.PASSWORD2
add authentication policylabel <OTP_verify_pollabel> -loginSchema nativeOTP_verify_noschema
=> Here we specify that NetScaler should use the second password, AAA.LOGIN.PASSWORD2 (the OTP token), for the OTP verification factor.
bind authentication vserver <AAA_vserver_name> -policy <recaptcha_auth_pol> -priority 100 -gotoPriorityExpression NEXT -nextFactor <LDAP_auth_pollabel>
bind authentication policylabel <LDAP_auth_pollabel> -policyName <LDAP_auth_pol> -priority 100 -gotoPriorityExpression NEXT -nextFactor <OTP_verify_pollabel>
bind authentication policylabel <OTP_verify_pollabel> -policyName <OTP_verify_auth_pol> -priority 100 -gotoPriorityExpression NEXT
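As an added example (not from the original article or from Citrix), the following Python check audits an exported NetScaler configuration for the misconfiguration above: it follows the nextFactor chain from the AAA vserver and flags every policy label whose login schema carries no -passwdExpression, which is exactly the state of the failing configuration. The two configuration strings are constructed from the commands on this page, with hypothetical object names in place of the angle-bracket placeholders.

```python
import re
# Constructed samples of the page's failing and corrected nFactor configurations,
# using hypothetical object names in place of the <angle-bracket> placeholders.
BROKEN_CONFIG = """
add authentication loginSchema captcha_schema -authenticationSchema "/nsconfig/loginschema/DualAuthCaptcha3.xml" -SSOCredentials YES
add authentication policylabel ldap_pollabel -loginSchema LSCHEMA_INT
add authentication policylabel otp_pollabel -loginSchema LSCHEMA_INT
bind authentication vserver aaa_vs -policy recaptcha_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor ldap_pollabel
bind authentication policylabel ldap_pollabel -policyName ldap_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor otp_pollabel
bind authentication policylabel otp_pollabel -policyName otp_pol -priority 100 -gotoPriorityExpression NEXT
"""
FIXED_CONFIG = """
add authentication loginSchema LDAP_noSchema -authenticationSchema noschema -passwdExpression AAA.LOGIN.PASSWORD -passwordCredentialIndex 1 -SSOCredentials YES
add authentication loginSchema nativeOTP_verify_noschema -authenticationSchema noschema -passwdExpression AAA.LOGIN.PASSWORD2
add authentication policylabel ldap_pollabel -loginSchema LDAP_noSchema
add authentication policylabel otp_pollabel -loginSchema nativeOTP_verify_noschema
bind authentication vserver aaa_vs -policy recaptcha_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor ldap_pollabel
bind authentication policylabel ldap_pollabel -policyName ldap_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor otp_pollabel
bind authentication policylabel otp_pollabel -policyName otp_pol -priority 100 -gotoPriorityExpression NEXT
"""

def audit_password_factors(config: str) -> list[str]:
    """Policy labels in the vserver's nextFactor chain whose login schema has no -passwdExpression."""
    schema_expr: dict[str, str] = {}   # loginSchema name -> passwdExpression ("" if absent)
    label_schema: dict[str, str] = {}  # policylabel name -> loginSchema name
    next_of: dict[str, str] = {}       # vserver or policylabel -> its nextFactor label
    first_factor = None
    for line in config.splitlines():
        words = line.split()
        if len(words) < 4: continue
        kind, name = words[2], words[3]
        if words[:2] == ["add", "authentication"] and kind == "loginSchema":
            m = re.search(r"-passwdExpression\s+(\S+)", line)
            schema_expr[name] = m.group(1) if m else ""
        elif words[:2] == ["add", "authentication"] and kind == "policylabel":
            m = re.search(r"-loginSchema\s+(\S+)", line)
            label_schema[name] = m.group(1) if m else "LSCHEMA_INT"
        elif words[:2] == ["bind", "authentication"]:
            m = re.search(r"-nextFactor\s+(\S+)", line)
            if m:
                next_of[name] = m.group(1)
                if kind == "vserver":
                    first_factor = m.group(1)
    findings, seen, factor = [], set(), first_factor
    while factor and factor not in seen:  # walk the chain; 'seen' guards against loops
        seen.add(factor)
        # LSCHEMA_INT (the default) carries no password expression at all
        if not schema_expr.get(label_schema.get(factor, "LSCHEMA_INT"), ""):
            findings.append(factor)
        factor = next_of.get(factor)
    return findings
```

Run it against the output of `show ns runningConfig`; any label it reports for a flow that collects two passwords is a candidate for the fix above.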
Users may fail to log on Citrix Gateway using Google reCAPTCHA plus Native OTP on the same login page