How to Enable and Customize Enhanced Security Feedback Messages on NetScaler

Article ID: CTX223404

Description

This article describes how to enable and customize enhanced security feedback messages on NetScaler.

Background

By default, when a user fails to authenticate to NetScaler or NetScaler Gateway, the only message returned is 'Incorrect user name or password', even though the actual reason could be entirely different, for example a disabled account or an expired password. This is why the Enhanced Authentication Feedback option can prove useful: it gives the user a more granular reason for the failure.

Instructions

Caution! Citrix does not support or assist with this configuration. Perform this modification at your own risk. If you do proceed, make sure to always take a backup before changing a live environment.

'Enhanced Authentication Feedback' is a NetScaler option, disabled by default, which provides more information to the end user about the reason for an authentication failure.

On the other hand, enabling this option carries a security risk. Once it is enabled, it becomes easier for an attacker to determine, for example, whether a user account exists, because the failure message for an unknown user differs from the one for a wrong password.

To enable it via the CLI, run the command set aaa param -enableEnhancedAuthFeedback; via the GUI, navigate to NetScaler Gateway -> Global Settings -> Change authentication AAA settings -> Enable Enhanced Authentication Feedback.

The following is a list of error codes, the reason each one represents, and the message shown to the user (in parentheses):
  • 4001 – Invalid credentials. Catch-all error from previous versions. (Incorrect credentials. Try again.)
  • 4002 – Login not permitted. Catch-all error from previous versions. (You do not have permission to log on at this time.)
  • 4003 – Server timeout. (Cannot connect to server. Try connecting again in a few minutes.)
  • 4004 – System error. (Cannot connect. Try connecting again.)
  • 4005 – Socket error talking to authentication server. (Cannot connect. Try connecting again.)
  • 4006 – Bad (format) user passed to nsaaad. (Incorrect user name.)
  • 4007 – Bad (format) password passed to nsaaad. (Incorrect password.)
  • 4008 – Password mismatch (when entering new password). (Passwords do not match.)
  • 4009 – User not found. (User not found.)
  • 4010 – Restricted login hours. (You do not have permission to log on at this time.)
  • 4011 – Account disabled. (Your account is disabled.)
  • 4012 – Password expired. (Your password has expired.)
  • 4013 – No dial-in permission (RADIUS specific). (You do not have permission to log on.)
  • 4014 – Error changing password. (Could not change your password.)
  • 4015 – Account locked. (Your account is temporarily locked.)
  • 4016 – User password complexity requirement not met when changing password. (Could not update your password. The password must meet the length, complexity, and history requirements of the domain.)

Some administrators might want to change the message that the NetScaler returns for a given code.

For Basic Authentication Policies:

Open up WinSCP or similar, browse to and edit the following file:

NS11+ – /var/netscaler/logon/themes/<Name_of_Theme>/resources/en.xml

Note: If you have a custom theme, replace <Name_of_Theme> with the name you specified when you created the theme.

Edit the en.xml file, change any of the message values, and then save en.xml.

For Advanced Authentication Policies:

Open up WinSCP or similar, browse to and edit the following file:

NS11+ – /var/netscaler/logon/themes/<Name_of_Theme>/strings.en.json

Note: If you have a custom theme, replace <Name_of_Theme> with the name you specified when you created the theme.
If you are using RfWebUI, edit /var/netscaler/logon/LogonPoint/custom/strings.en.json instead.

Edit the strings.en.json file, change any of the message values, and then save strings.en.json.
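As an added example (not part of this article and not Citrix code), the following Python script checks a message file against the error-code list above and produces a copy in which every message that confirms whether an account exists is replaced by the generic 4001 text, while messages that only appear after the first factor succeeded (the password-change codes) are kept. It assumes strings.en.json is a flat JSON object keyed by error code; the sample content is constructed, not copied from a real theme file.

```python
import json

# Codes from the article whose message tells an unauthenticated caller that
# the submitted user name exists (or what state the account is in). 4012 and
# 4015 are a trade-off: remove them from this set if you prefer to tell users
# about expired passwords or lockouts at the cost of confirming the account.
ENUMERATION_CODES = {"4006", "4009", "4010", "4011", "4012", "4013", "4015"}

# Codes only reachable in the password-change flow, i.e. after the old
# password was accepted, so they reveal nothing to an unauthenticated caller.
POST_AUTH_CODES = {"4008", "4014", "4016"}

GENERIC_FALLBACK = "Incorrect credentials. Try again."

# Constructed sample in the assumed shape of strings.en.json (code -> text).
SAMPLE_STRINGS = json.dumps({
    "4001": "Incorrect credentials. Try again.",
    "4006": "Incorrect user name.",
    "4009": "User not found.",
    "4011": "Your account is disabled.",
    "4012": "Your password has expired.",
    "4016": "Could not update your password. The password must meet the "
            "length, complexity, and history requirements of the domain.",
})


def leaking_codes(strings_json: str) -> list:
    """Return the codes whose message still differs from the generic 4001 text
    and therefore lets a caller distinguish unknown users from wrong passwords."""
    strings = json.loads(strings_json)
    generic = strings.get("4001", GENERIC_FALLBACK)
    return sorted(code for code, text in strings.items()
                  if code in ENUMERATION_CODES and text != generic)


def harden(strings_json: str) -> dict:
    """Return a copy of the message map with every enumeration-revealing
    message replaced by the generic 4001 text; other entries are unchanged."""
    strings = json.loads(strings_json)
    generic = strings.get("4001", GENERIC_FALLBACK)
    return {code: (generic if code in ENUMERATION_CODES else text)
            for code, text in strings.items()}


if __name__ == "__main__":
    print("leaking:", leaking_codes(SAMPLE_STRINGS))
    # Write the hardened map back in the same flat JSON shape.
    print(json.dumps(harden(SAMPLE_STRINGS), indent=2))
```

Run it against a copy of your own strings.en.json by replacing SAMPLE_STRINGS with the file contents; an empty result from leaking_codes means the enumeration-revealing messages have all been neutralised.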

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.