How to Change Password for LDAP Authentication for NetScaler Gateway and AAA-TM Users

Article ID: CTX201133

Description

This article describes how to enable LDAP password change against Active Directory for NetScaler Gateway and AAA-TM users.

Prerequisite

NetScaler 10.1.x or later


Instructions

Configuration

The following parameters must be set on the LDAP action (authentication ldapAction) on NetScaler for password change. Active Directory refuses to modify the unicodePwd attribute over an unencrypted connection, so a secure transport is mandatory:

  • -serverPort (636 for SSL, 389 for TLS)

  • -secType (SSL or TLS; PLAINTEXT does not work for password change)

  • -passwdChange ENABLED

add authentication ldapAction ldap22s -serverIP 10.102.229.222 -ldapBase "dc=aaatm-test,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm-test,dc=com" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute sAMAccountName -secType SSL -serverPort 636 -passwdChange ENABLED

The account in -ldapBindDn must be allowed to change the password of the users concerned: the Administrator account in the example is, but a least-privilege service account that only has read access is not. Verify the settings with show authentication ldapAction ldap22s.
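The Python below is an added example, not code from the article or from NetScaler; it shows what the LDAP action is doing against AD behind -passwdChange ENABLED. The offline helpers build the unicodePwd value (quoted, UTF-16LE) and the two kinds of modify AD distinguishes (delete+add is a user change, replace is an administrative reset), and they decode the "data NNN" codes AD puts in a failed bind so that the two cases a change flow must handle (532 expired, 773 must change) are separated from plain bad credentials. The live function uses the ldap3 package, which is an assumption, and needs a reachable domain controller; the host, bind DN and user DN passed to it are hypothetical.

```python
import re
import ssl
from typing import Dict, List, Tuple

# ldap3 spells its modify-operation constants as these strings; they are repeated
# here so the offline helpers do not need ldap3 installed.
MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE = "MODIFY_ADD", "MODIFY_DELETE", "MODIFY_REPLACE"

Modify = Dict[str, List[Tuple[str, List[bytes]]]]


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts a unicodePwd value only as the password in double quotes, UTF-16LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def user_change_modify(old_password: str, new_password: str) -> Modify:
    """Delete old + add new in one modify: AD treats this as a user-initiated change,
    so the old password must be correct and the domain's change-password policy applies.
    This is the operation a self-service flow such as the NetScaler one needs."""
    return {"unicodePwd": [(MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
                           (MODIFY_ADD, [encode_unicode_pwd(new_password)])]}


def admin_reset_modify(new_password: str) -> Modify:
    """Replace: AD treats this as an administrative reset and requires the
    'Reset password' right on the user object; no old password is needed."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


# "data <code>" values AD places in the diagnostic message of a failed simple bind
# (AcceptSecurityContext error). The 0x773 in the aaad.debug capture is the same code.
AD_BIND_ERROR_DATA = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}


def classify_ad_bind_error(diagnostic: str) -> str:
    """Map the 'data NNN' field of an AD bind diagnostic message to its meaning."""
    m = re.search(r"\bdata ([0-9a-f]{3})\b", diagnostic)
    return AD_BIND_ERROR_DATA.get(m.group(1), "unknown") if m else "unknown"


def needs_password_change(diagnostic: str) -> bool:
    """True for the two bind failures a password-change flow should handle rather
    than reject: expired (532) and must-change-at-next-logon (773)."""
    return classify_ad_bind_error(diagnostic) in (
        "password expired", "user must change password at next logon")


def change_ad_password_live(host: str, bind_dn: str, bind_password: str,
                            user_dn: str, old_password: str, new_password: str,
                            port: int = 636):
    """Perform the change over LDAPS against a live domain controller (needs the ldap3
    package and network access; not exercised offline). AD rejects unicodePwd writes on
    an unencrypted connection, and the server certificate is validated so that a
    man-in-the-middle cannot read the new password."""
    import ldap3  # imported here so the helpers above work without ldap3

    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)
    server = ldap3.Server(host, port=port, use_ssl=True, tls=tls)
    with ldap3.Connection(server, user=bind_dn, password=bind_password, auto_bind=True) as conn:
        ok = conn.modify(user_dn, user_change_modify(old_password, new_password))
        return ok, conn.result


if __name__ == "__main__":
    # Constructed diagnostic string in the format AD returns for a must-change account.
    diag = "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580"
    print(classify_ad_bind_error(diag), needs_password_change(diag))
    print(user_change_modify("OldP@ss1", "NewP@ss2"))
```

If the bind DN configured on NetScaler is to perform a user change rather than a reset, it needs the "Change password" right on the target users; "Reset password" is a stronger right that bypasses the old-password check and should not be handed to a gateway service account without need.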

Password Change for AAA-TM User

For AAA-TM users the password change is triggered by forcing one: in Active Directory (AD), select User must change password at next logon on the user account, as shown in the following screen shot:

[Screen shot: AD user account properties with "User must change password at next logon" selected]

After the user provides credentials on the initial logon screen, the password change screens appear, as shown in the following screen shots:

[Screen shot: password change screen, new password prompt]

[Screen shot: password change screen, confirmation]

aaad.debug output (successful password change)

Run cat /tmp/aaad.debug from the NetScaler shell while the user logs on; /tmp/aaad.debug is a pipe, so output appears only while an authentication is in progress. Note that this capture was taken with -secType TLS on port 389 (hence "Starting TLS to : 10.102.229.222:389"), not with the SSL/636 action shown above; either transport is valid. The "dos code 0x773" is the AD bind error data value ERROR_PASSWORD_MUST_CHANGE, which AD returns for an account with "User must change password at next logon" set. aaad detects it at the user search, waits for the user's own bind to return it, then rebinds and sends an LDAP modify of the unicodePwd attribute.

root@ns# cat /tmp/aaad.debug
/usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[134]: start_ldap_auth attempting to auth usertest @ 10.102.229.222
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[137]: start_ldap_auth LDAP referrals are OFF
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[743]: ns_ldap_set_up_socket Setting timeouts for SSL/TLS.
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[845]: ns_ldap_set_up_socket Starting TLS to : 10.102.229.222:389
/usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[187]: receive_ldap_bind_event receive ldap bind event
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[198]: receive_ldap_bind_event Bind OK
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[984]: ns_ldap_search Searching for <<(& (sAMAccountName=usertest) (objectClass=*))>> from base <<dc=aaatm-test,dc=com>>
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1008]: ns_ldap_search Sent user search query.
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[330]: receive_ldap_user_search_event Received LDAP user search event.
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[342]: receive_ldap_user_search_event received LDAP_OK
/usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[395]: receive_ldap_user_search_event User DN= <<CN=usertest,CN=Users,DC=aaatm-test,DC=com>>
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[430]: receive_ldap_user_search_event expired AD password detected delaying update until user bind sends dos code 0x773
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[784]: receive_ldap_user_bind_event Got user bind event.
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[836]: receive_ldap_user_bind_event Password expired?
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[839]: receive_ldap_user_bind_event rebinding
Fri May 22 04:20:03 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1075]: ns_ldap_change_password change pwd on AD for attribute: UnicodePwd
Fri May 22 04:20:03 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1732]: ldap_finish_confirm_password sent ldap modify
Fri May 22 04:20:03 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1877]: receive_ldap_passwd_modify_event password modifed success, authenticated
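The following Python script is an added example, not part of the article: it parses aaad.debug output in the format shown above and reduces it to a verdict on the password-change flow, which is what you want when comparing a failing user against this known-good capture. The sample input is the capture above embedded verbatim (minus the lines that carry no state), and a truncated copy stands in for a logon that never reached the modify. It matches the message strings as printed in this capture; they may differ between NetScaler builds.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the state-carrying lines of the aaad.debug capture on this page
# (a successful forced password change), embedded so the parser runs offline.
SAMPLE_AAAD_DEBUG = """\
/usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[134]: start_ldap_auth attempting to auth usertest @ 10.102.229.222
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[845]: ns_ldap_set_up_socket Starting TLS to : 10.102.229.222:389
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[198]: receive_ldap_bind_event Bind OK
/usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[395]: receive_ldap_user_search_event User DN= <<CN=usertest,CN=Users,DC=aaatm-test,DC=com>>
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[430]: receive_ldap_user_search_event expired AD password detected delaying update until user bind sends dos code 0x773
Fri May 22 04:19:49 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[839]: receive_ldap_user_bind_event rebinding
Fri May 22 04:20:03 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1075]: ns_ldap_change_password change pwd on AD for attribute: UnicodePwd
Fri May 22 04:20:03 2015
 /usr/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1877]: receive_ldap_passwd_modify_event password modifed success, authenticated
"""

# One entry is "<source file>[<line>]: <function> <message>"; aaad prints a bare
# timestamp line before most entries, which we attach to the entry that follows.
ENTRY_RE = re.compile(r"^(?P<file>\S+\.c)\[(?P<line>\d+)\]:\s+(?P<func>\w+)\s+(?P<msg>.*)$")
TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}$")
AUTH_RE = re.compile(r"attempting to auth (\S+) @ (\S+)")
TLS_RE = re.compile(r"Starting TLS to : (\S+)")
DN_RE = re.compile(r"User DN= <<(.*)>>")


@dataclass
class Entry:
    timestamp: Optional[str]
    file: str
    line: int
    func: str
    msg: str


def parse_aaad_debug(text: str) -> List[Entry]:
    """Split aaad.debug text into entries; shell prompts and other noise are skipped."""
    entries: List[Entry] = []
    pending_ts: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            pending_ts = line
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(pending_ts, m["file"], int(m["line"]), m["func"], m["msg"]))
            pending_ts = None
    return entries


@dataclass
class PasswordChangeSummary:
    user: Optional[str] = None
    server: Optional[str] = None
    tls_endpoint: Optional[str] = None   # host:port from "Starting TLS to"
    admin_bind_ok: bool = False          # bind with -ldapBindDn succeeded
    user_dn: Optional[str] = None
    password_expired: bool = False       # AD bind error data 0x773 seen
    change_sent: bool = False            # ns_ldap_change_password reached
    password_changed: bool = False       # modify result reported success


def summarize(entries: List[Entry]) -> PasswordChangeSummary:
    """Walk the entries in order and record how far the password-change flow got."""
    s = PasswordChangeSummary()
    for e in entries:
        m = AUTH_RE.search(e.msg)
        if m:
            s.user, s.server = m.group(1), m.group(2)
            continue
        m = TLS_RE.search(e.msg)
        if m:
            s.tls_endpoint = m.group(1)
            continue
        m = DN_RE.search(e.msg)
        if m:
            s.user_dn = m.group(1)
            continue
        if e.func == "receive_ldap_bind_event" and e.msg == "Bind OK":
            s.admin_bind_ok = True
        elif "0x773" in e.msg:
            s.password_expired = True
        elif e.func == "ns_ldap_change_password":
            s.change_sent = True
        elif e.func == "receive_ldap_passwd_modify_event" and "success" in e.msg:
            s.password_changed = True
    return s


def outcome(s: PasswordChangeSummary) -> str:
    """Human-readable verdict, most advanced stage first."""
    if s.password_changed:
        return "password changed"
    if s.change_sent:
        return "password modify sent; no result in log"
    if s.password_expired:
        return "password expired; change not completed"
    if s.user_dn:
        return "user found; no password change in log"
    if s.admin_bind_ok:
        return "bind ok; user search not completed"
    return "bind not completed"


if __name__ == "__main__":
    summary = summarize(parse_aaad_debug(SAMPLE_AAAD_DEBUG))
    print(summary)
    print(outcome(summary))
```

To use it on a real capture, redirect cat /tmp/aaad.debug to a file during the logon and feed that file's contents to parse_aaad_debug; "bind ok; user search not completed" points at the bind DN or search base, "password expired; change not completed" at the user's own bind or the change screens, and "password modify sent; no result in log" at AD rejecting the new password (policy) or the bind DN lacking the right to change it.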

Password Change for NetScaler Gateway

There are two password change options for NetScaler Gateway users:

1. User-Initiated Password Change

With the LDAP action above applied, users see the "Change Password" option at the top-right corner of the portal page after logging on, as shown in the following screen shot:

[Screen shot: NetScaler Gateway portal page with the "Change Password" option at the top right]

2. Force Password Change

This is the same as the password change for AAA-TM users (refer to the preceding section).

Note:
If you use the force password change option with NetScaler Gateway integrated with StoreFront, StoreFront must be configured as well.

StoreFront:
Use Manage Password Options to allow users to change passwords at any time. This option is available only when the StoreFront base URL is HTTPS (not HTTP).

Configure the authentication service: https://docs.citrix.com/en-us/storefront/3-5/configure-authentication-and-delegation/sf-configure-auth-service.html

LDAP Referral Password Change

For information on password change in a multi-domain AD forest using ldap referral, refer to CTX200506 - How to Change Password through NetScaler in a Multi-Domain Active Directory Forest Using LDAP Referral.

Additional Information

CTX233023 - [NetScaler Gateway Trace Study] – Secure LDAP Password Change