[NetScaler] Error "KB Questions and Asnwers not registered" with LDAP KBAttribute

Article ID: CTX493612

Description

In an SSPR nFactor configuration you may observe the error "KB Questions and Asnwers not registered" when logging in with the LDAP password, and the user cannot move to the next AAA factor. The error is triggered when all of the following hold:

  • The LDAP factor has noschema bound (it inherits the username and password from a previous factor).
  • The LDAP action has KBAttribute defined.
  • The user hasn't registered KBA (knowledge-based authentication questions).

Background:
In SSPR, we may want to switch to the KBA registration factor if the user hasn't registered yet, by checking the kba_registered attribute with the expression:
AAA.USER.ATTRIBUTE("kba_registered").EQ("0")

kba_registered is set to 1 when the expected attribute value is received from the LDAP server; the attribute name is the one defined in "KBAttribute" of a previous LDAP action. The LDAP authentication factor may also inherit the password from a previous factor. For example, the following nFactor flow causes the issue.
Root factor: Root_Start
	Login Schema = SSPR_2FA_LoginSchema
	Adv Authn Policy = Radius_Pol
		Rule  = true
		Action = Radius_Act
		Next Factor if Success = LDAP_Factor
			Login Schema = noschema_LDAP		// Inherits the password from the previous factor via the "password expression".
			Adv Authn Policy = LDAP_Pol
				Rule = true 
				Action = LDAP_Act	// Has -KBAttribute defined to check whether the user has registered KBA. The issue happens at this factor.
				Next Factor if Success = Check_for_KBA_Registration
					Login Schema = LSCHEMA_INT
					Adv Authn Policy = Check_KBA_Value_Pol
						Rule = AAA.USER.ATTRIBUTE("kba_registered").EQ("0")
						Action = NO_AUTHN
						Next Factor if Success = Do_KBA_Register
							// Skip...
					Adv Authn Policy = Allow_Pol
						Rule = true
						Action = NO_AUTHN

Resolution

Configure an LDAP policy whose action has Authentication disabled and KBAttribute defined, and bind it in the factor where the login schema is bound. This gets kba_registered assigned in advance, before any noschema LDAP factor runs. The previous nFactor flow example can be changed as follows:
Root factor: Root_Start
	Login Schema = SSPR_2FA_LoginSchema
	Adv Authn Policy = LDAP_Pol_NoAuthn_w_KBAttr
		Rule  = true
		Action = LDAP_Act_NoAuthn_w_KBAttr	// Uncheck "Authentication" and define "KBAttribute" in the LDAP action. Its purpose is to check in advance whether the user has registered KBA.
		Next Factor if Success = Radius_Factor
			Login Schema = noschema_Radius	// Inherits the passcode from the previous factor via the "password expression".
			Adv Authn Policy = Radius_Pol
				Rule = true 
				Action = Radius_Act	
				Next Factor if Success = LDAP_Factor
					Login Schema = noschema_LDAP	// Inherits the password from the previous factor via the "password expression".
					Adv Authn Policy = LDAP_Pol
						Rule = true
						Action = LDAP_Act	// Normal LDAP action without KBAttribute. 
						Next Factor if Success = Check_for_KBA_Registration
							// Skip... same as before
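The corrected flow above, written out as NetScaler CLI. This is an added example, not configuration from the article or from NetScaler documentation. It assumes an AAA virtual server named AAA_VS, placeholder server addresses, base DN, bind DN and secrets, the built-in DualAuth.xml login schema, the built-in LSCHEMA_INT noschema login schema, and the LDAP attribute userParameters as the KBA registration store; the credential-index expression used for the passcode is an assumption as well. Object names follow the flow outline in this article.

```text
# Added example (not from the article). Values marked <...> and the server
# addresses, DNs and attribute names are assumptions for illustration.

# --- Factor 1 (Root_Start): the factor that has the login schema bound ---
# Authentication is DISABLED here, so this LDAP action only looks the user up
# and reads -KBAttribute; because a schema is bound, NetScaler does not treat
# this factor as the KBA validation factor, and kba_registered gets assigned.
add authentication ldapAction LDAP_Act_NoAuthn_w_KBAttr -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=ns-svc,ou=service,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -authentication DISABLED -KBAttribute userParameters
add authentication Policy LDAP_Pol_NoAuthn_w_KBAttr -rule true -action LDAP_Act_NoAuthn_w_KBAttr

# Dual-password login schema; password field 2 (the passcode) is stored under
# credential index 2 so a later noschema factor can pick it up.
add authentication loginSchema SSPR_2FA_LoginSchema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -userCredentialIndex 1 -passwordCredentialIndex 2
add authentication loginSchemaPolicy SSPR_2FA_LoginSchema_Pol -rule true -action SSPR_2FA_LoginSchema

# --- Factor 2 (Radius_Factor): noschema, passcode via password expression ---
# The index expression below is an assumption; use the expression that selects
# the credential your schema actually stored.
add authentication radiusAction Radius_Act -serverIP 10.0.0.20 -radKey "<radius-shared-secret>"
add authentication Policy Radius_Pol -rule true -action Radius_Act
add authentication loginSchema noschema_Radius -authenticationSchema noschema -passwdExpression "AAA.USER.PASSWD(2)"
add authentication policylabel Radius_Factor -loginSchema noschema_Radius

# --- Factor 3 (LDAP_Factor): normal LDAP authentication, NO -KBAttribute ---
# Putting -KBAttribute on this noschema factor is exactly the combination that
# produces "KB Questions and Asnwers not registered" for unregistered users.
add authentication ldapAction LDAP_Act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=ns-svc,ou=service,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName
add authentication Policy LDAP_Pol -rule true -action LDAP_Act
add authentication loginSchema noschema_LDAP -authenticationSchema noschema -passwdExpression "AAA.USER.PASSWD"
add authentication policylabel LDAP_Factor -loginSchema noschema_LDAP

# --- Factor 4 (Check_for_KBA_Registration): branch on kba_registered ---
# kba_registered was already assigned in factor 1, so the expression is
# evaluated against a real value here. LSCHEMA_INT is the built-in noschema
# login schema. Do_KBA_Register is the registration factor the article omits
# ("Skip..."); define it for your SSPR setup before running the bind below.
add authentication Policy Check_KBA_Value_Pol -rule "AAA.USER.ATTRIBUTE(\"kba_registered\").EQ(\"0\")" -action NO_AUTHN
add authentication Policy Allow_Pol -rule true -action NO_AUTHN
add authentication policylabel Check_for_KBA_Registration -loginSchema LSCHEMA_INT
bind authentication policylabel Check_for_KBA_Registration -policyName Check_KBA_Value_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor Do_KBA_Register
bind authentication policylabel Check_for_KBA_Registration -policyName Allow_Pol -priority 110 -gotoPriorityExpression NEXT

# --- Chain the factors: vserver -> Radius_Factor -> LDAP_Factor -> check ---
bind authentication policylabel LDAP_Factor -policyName LDAP_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor Check_for_KBA_Registration
bind authentication policylabel Radius_Factor -policyName Radius_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor LDAP_Factor
bind authentication vserver AAA_VS -policy SSPR_2FA_LoginSchema_Pol -priority 100 -gotoPriorityExpression END
bind authentication vserver AAA_VS -policy LDAP_Pol_NoAuthn_w_KBAttr -priority 100 -nextFactor Radius_Factor -gotoPriorityExpression NEXT
```

After applying this, a user who has not registered KBA reaches Check_for_KBA_Registration with kba_registered = 0 and is sent to Do_KBA_Register, while a registered user falls through Check_KBA_Value_Pol to Allow_Pol and completes authentication. The only place -KBAttribute appears is the first factor, which has a login schema bound; every noschema LDAP action is left without it.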

Problem Cause

This is by current design. NetScaler AAA treats a factor as the KBA validation factor when both of the following conditions are met:

  • There is no login schema bound to the factor.
  • The LDAP action has "-KBAttribute" defined.
In that factor, KBA validation fails for a user who hasn't registered KBA, which produces the error.

Additional Information

Self-service password reset