How to Enable the Change Password Option For Citrix Gateway Users

Article ID: CTX219939

Description

Changing a Citrix Gateway user's password can be either forced by an administrator or initiated by the user. To force a change, use the procedure for changing the password of an AAA-TM user, as described in CTX201133 - How to Change Password for LDAP Authentication for NetScaler Gateway and AAA-TM Users.

If you enable user-initiated password change, the Change Password option appears in the top-right corner of the portal page after a user logs on.

Use case

Citrix Gateway users want the option to change their own passwords, without depending on an administrator.

Prerequisites

Before giving users the option to change their passwords, make sure that:

  • Basic Active Directory (LDAP) authentication is configured and working. See CTX108876 - How to Configure LDAP Authentication on a NetScaler Appliance.

  • The LDAP action (server) connects to Active Directory over SSL (secType SSL, port 636). Active Directory rejects password changes sent over an unencrypted bind, so this option has no useful effect with plaintext LDAP on port 389: the Change Password form appears, but every change fails.

  • A Citrix Gateway virtual server is configured and the LDAP policy is bound to it.


Instructions

ADC GUI

To enable the change password option for Citrix Gateway users by using the ADC GUI:

  1. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers and open the VPN virtual server for which to set the Change Password option.

  2. In the Basic Authentication section, click LDAP Policy.

  3. Select the LDAP policy that you want to edit, and from the Select Action list, select Edit Server.

  4. Scroll down to Other Settings, select the Allow Password Change check box, and click OK. This setting lives on the LDAP server (action), so it applies to every policy and virtual server that references that server, not only the one you opened.

  5. Log on to the portal page of the Citrix Gateway virtual server that you configured, and verify that the Change Password option appears at the top right of the screen.

ADC CLI

To enable the change password option for Citrix Gateway users from the command line:

  1. Open an SSH client and log on to the ADC appliance with an administrative account:
    ssh nsroot@<NetScaler IP>

  2. At the ADC command prompt, set the passwdChange parameter on the LDAP action (server) that the Gateway's LDAP policy uses:
    set authentication ldapAction <LdapServerName> -passwdChange ENABLED
    This is the same setting as the Allow Password Change check box in the GUI, and it applies to every policy that references the action. For the full parameter list, refer to the Citrix documentation for the set authentication ldapAction command.

  3. Verify the configuration, and confirm that the action also uses secType SSL on port 636:
    show authentication ldapAction <LdapServerName>

  4. Save the running configuration so the change survives a reboot:
    save ns config
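The same change can be scripted against the NITRO REST API, which is what the GUI and automation tooling use under the hood. The following is an added example (not Citrix code and not part of this article's original procedure): it builds the PUT that sets passwdChange ENABLED on an LDAP action and checks a GET response for the action against the prerequisites above (passwdChange ENABLED, an encrypted bind, port 636 for SSL). The resource name authenticationldapaction, the attribute names passwdchange, sectype and serverport, and the X-NITRO-USER / X-NITRO-PASS header authentication are assumptions based on NITRO conventions; confirm them against the NITRO reference for your ADC release. The two sample responses are constructed, not captured from an appliance.

```python
"""Enable and verify Allow Password Change on an LDAP action via NITRO.

Example code added to this article, not Citrix code.  Assumed (check the
NITRO reference for your release): resource authenticationldapaction,
attributes passwdchange / sectype / serverport, X-NITRO-USER/X-NITRO-PASS
header authentication.
"""
import json
import ssl
import urllib.request

RESOURCE = "/nitro/v1/config/authenticationldapaction"


def build_enable_request(nsip, ldap_action, user, password):
    """Return (url, headers, body) for the PUT equivalent to
    'set authentication ldapAction <name> -passwdChange ENABLED'."""
    url = "https://%s%s" % (nsip, RESOURCE)
    headers = {
        "Content-Type": "application/json",
        "X-NITRO-USER": user,
        "X-NITRO-PASS": password,
    }
    body = {"authenticationldapaction": {"name": ldap_action,
                                          "passwdchange": "ENABLED"}}
    return url, headers, json.dumps(body)


def check_ldap_action(nitro_response):
    """Check a decoded GET response for one LDAP action against the article's
    prerequisites.  Returns a list of findings; empty means ready."""
    actions = nitro_response.get("authenticationldapaction") or []
    if not actions:
        return ["LDAP action not present in response"]
    action = actions[0]
    findings = []
    if action.get("passwdchange") != "ENABLED":
        findings.append("passwdChange is not ENABLED")
    sectype = action.get("sectype")
    if sectype not in ("SSL", "TLS"):
        # AD refuses to modify unicodePwd over a plaintext bind: the form
        # would be shown, but every password change would fail.
        findings.append("secType is %s; the LDAP bind must be encrypted" % sectype)
    if sectype == "SSL" and int(action.get("serverport", 0)) != 636:
        findings.append("secType is SSL but serverPort is %s, expected 636"
                        % action.get("serverport"))
    return findings


def nitro_call(url, headers, body=None, method="GET", cafile=None):
    """Send one NITRO request and return the decoded JSON response.
    cafile is the CA that issued the NSIP certificate; do not disable
    certificate verification in production."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


# Constructed sample GET responses (not captured from an appliance).
GOOD = {"errorcode": 0, "message": "Done", "authenticationldapaction": [
    {"name": "ldap_srv", "serverip": "10.0.0.5", "serverport": 636,
     "sectype": "SSL", "passwdchange": "ENABLED"}]}
BAD = {"errorcode": 0, "message": "Done", "authenticationldapaction": [
    {"name": "ldap_srv", "serverip": "10.0.0.5", "serverport": 389,
     "sectype": "PLAINTEXT", "passwdchange": "DISABLED"}]}

if __name__ == "__main__":
    url, hdrs, body = build_enable_request("192.0.2.10", "ldap_srv", "nsroot", "secret")
    print("PUT", url, body)          # nitro_call(url, hdrs, body, "PUT") sends it
    print("good:", check_ldap_action(GOOD))
    print("bad:", check_ldap_action(BAD))
```

In a live run, issue the PUT with nitro_call, then GET RESOURCE + "/" + name and pass the decoded response to check_ldap_action; the BAD sample shows why the port and secType checks matter: the appliance accepts passwdChange ENABLED on a plaintext action without complaint.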

Issue/Introduction

This article describes how to enable the change password option for Citrix Gateway users.

Additional Information

Troubleshooting

  1. When a user whose Active Directory password has expired, or must be changed at next logon, tries to log on, Citrix Gateway presents a change password prompt instead of the portal. The prompt is served under the path https://<FQDN>/cgi/login.

  2. In the aaad.debug output (from the appliance shell, run cat /tmp/aaad.debug while the user logs on), look for a message that contains the code 773. The message can appear in different formats, but 773 is the sub-code Active Directory returns in its LDAP bind error to say that the password must be changed, and it is what triggers the prompt. Two forms in which the message can appear:
Example 1: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v2580>>
Example 2: receive_ldap_user_search_event expired AD password detected delaying update until user bind sends dos code 0x773
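Since aaad.debug is verbose and the 773 sub-code shares its format with the other Active Directory bind sub-codes (52e for a wrong password, 533 for a disabled account, 775 for a lockout, and so on), a small triage script saves reading the whole log by hand. The following is an added example, not Citrix code: it pulls the sub-code out of both message forms shown above, maps it to the standard Active Directory AcceptSecurityContext sub-code table, and counts occurrences so you can tell a password-change prompt from a failed logon. The two article lines are used as sample input; the remaining sample lines are constructed.

```python
"""Triage aaad.debug lines for the Active Directory bind sub-code.

Example code added to this article, not Citrix code.  The sub-code table is
the standard AD AcceptSecurityContext list; SAMPLE_LOG mixes the two lines
quoted in the article with constructed lines.
"""
import re
from collections import Counter

# Sub-codes AD places in "data NNN" of an LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

# Form 1: the raw LDAP error string, "... AcceptSecurityContext error, data 773, v2580"
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
# Form 2: aaad's own summary line, "... sends dos code 0x773"
DOS_RE = re.compile(r"dos code 0x([0-9a-fA-F]+)")


def classify_line(line):
    """Return (subcode, meaning) for a line carrying an AD sub-code, else None."""
    for rx in (DATA_RE, DOS_RE):
        m = rx.search(line)
        if m:
            code = m.group(1).lower()
            return code, AD_BIND_SUBCODES.get(code, "unrecognised sub-code")
    return None


def triage(lines):
    """Count sub-codes across the log and collect the lines that will make
    the Gateway show the change password prompt (sub-code 773).
    Returns (Counter of sub-code -> count, list of 773 lines)."""
    counts = Counter()
    must_change = []
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        code, _ = hit
        counts[code] += 1
        if code == "773":
            must_change.append(line.strip())
    return counts, must_change


SAMPLE_LOG = [
    # The two messages quoted in the article:
    "ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903C5, "
    "comment: AcceptSecurityContext error, data 773, v2580>>",
    "receive_ldap_user_search_event expired AD password detected delaying update "
    "until user bind sends dos code 0x773",
    # Constructed lines for contrast (same format, different sub-codes):
    "ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903C5, "
    "comment: AcceptSecurityContext error, data 52e, v2580>>",
    "ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903C5, "
    "comment: AcceptSecurityContext error, data 533, v2580>>",
    # Constructed noise line with no sub-code:
    "constructed aaad noise line: session bookkeeping, nothing to classify",
]

if __name__ == "__main__":
    counts, changes = triage(SAMPLE_LOG)
    for code, n in sorted(counts.items()):
        print("%s x%d  %s" % (code, n, AD_BIND_SUBCODES.get(code)))
    print("change password prompt expected for %d line(s)" % len(changes))
```

Note that a single logon can log both forms (the raw error string and the summary line), so the 773 count is per message, not per user; correlate by timestamp or user name in the surrounding lines when you need per-user numbers.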