NetScaler Gateway 12 Native One Time Passwords (OTP)

Last Modified: Oct 9, 2017 @ 5:31 pm


Overview

NetScaler 12 Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses Google Authenticator to generate Passcodes.

Here are some notes:

  • NetScaler Native OTP is part of nFactor, and thus requires NetScaler Enterprise Edition or NetScaler Platinum Edition licensing.
    • Receiver currently does not support nFactor authentication. Thus only web browsers can authenticate using Native OTP.
  • nFactor requires a AAA vServer, which can be non-addressable – you don’t need any additional public IPs.
  • OTP stores device enrollment secrets in an Active Directory attribute that accepts Strings. Citrix’s documentation uses the userParameters Active Directory attribute.
    • The LDAP bind account must have permission to modify this attribute on every user.
  • Users can enroll multiple devices. There’s no way to prevent this.
  • The manageotp website is usually only protected by single factor authentication. Since users can add multiple devices, anyone who knows a user’s password could enroll their own authenticator and defeat the second factor, so the manageotp website must be protected from external access (the Login Schema policy below restricts it by source subnet).
  • Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
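To make the storage caveat concrete, here is an added example (not code from the original post or from Citrix). It parses a userParameters value of the shape the aaad.debug excerpts in the comments show the NetScaler writing ("#@<device>=<base32 secret>&") and computes the passcode with standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits, which are the Google Authenticator defaults). The device name and secret are constructed, the function names are mine, and two things are assumptions the page does not state: that several enrolled devices are stored as &-separated name=secret pairs inside the same envelope, and that verification tolerates one time step of skew either way. The point it demonstrates is that the secret is stored in the clear, so anyone who can read the attribute (the bind account, or as one commenter notes any domain user for userParameters) can produce valid passcodes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the shape the NetScaler writes into the attribute,
# as seen in the aaad.debug output quoted on this page. The secret is made up.
SAMPLE_USERPARAMETERS = "#@Phone_MI=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&"


def parse_otp_devices(value):
    """Return {device_name: base32_secret} from a NetScaler-style userParameters value.

    A value that does not start with "#@" is treated as "no enrolled device",
    which is the condition the LDAP search filter userParameters>=#@ is meant
    to test. Multiple devices as "&"-separated pairs is an assumption.
    """
    if not value.startswith("#@"):
        return {}
    devices = {}
    for entry in value[2:].split("&"):
        if "=" not in entry:
            continue
        name, secret = entry.split("=", 1)
        devices[name] = secret
    return devices


def totp(base32_secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s counter, dynamic truncation, 6 digits."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_passcode(value, passcode, unix_time, window=1):
    """Accept the passcode if any enrolled device produces it within +/- window steps.

    Constant-time comparison avoids leaking how many digits matched.
    """
    for secret in parse_otp_devices(value).values():
        for skew in range(-window, window + 1):
            if hmac.compare_digest(totp(secret, unix_time + skew * 30), passcode):
                return True
    return False


if __name__ == "__main__":
    # Anyone who can read the attribute can do exactly this.
    now = time.time()
    for name, secret in parse_otp_devices(SAMPLE_USERPARAMETERS).items():
        print(name, totp(secret, now))
```

The secret in the sample is the base32 form of the RFC 6238 test key, so the codes it produces can be checked against the RFC's published vectors. Because parse_otp_devices returns nothing for a value that does not begin with "#@", it mirrors what the verification LDAP action's search filter is trying to achieve, and it also shows why an attribute that already carries other data (such as a Remote Desktop Services profile in userParameters) is a poor choice for the OTP secret.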

Here are the OTP configuration objects:

  • Make sure NTP is configured on the NetScaler. Accurate time is required.
  • An LDAP Policy/Server with authentication disabled and OTP Secret configured. This one OTP-specific LDAP Policy/Server can be used for two scenarios:
    • manageotp device enrollment
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled. This LDAP Policy/Server verifies the entered passcode.
  • An LDAP Policy/Server with authentication enabled. This one policy is used for two scenarios:
    • Single-factor authentication to the manageotp authenticator/device enrollment website.
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled.
  • A single non-addressable AAA vServer with two Login Schemas for the following scenarios:
    • A single-factor Login Schema for manageotp.
    • A dual-factor Login Schema for NetScaler Gateway authentication.
  • An Authentication Profile to link the AAA vServer to the NetScaler Gateway vServer.

LDAP Policies/Actions

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.
  2. On the right, click Add.

    1. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. This LDAP Policy/Server will be used for single-factor authentication to the manageotp website, and for dual-factor authentication to NetScaler Gateway. There are no special instructions for this LDAP Server.
  3. Create another LDAP Action.

    1. This one will be for OTP management so name it accordingly.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work.
    5. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where NetScaler will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.
    7. Click Create when done.
  4. Create another LDAP Action.
    1. This one will be for OTP verification so name it accordingly. The only difference from the prior one is the addition of an LDAP Search Filter.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work.
    5. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Search Filter field, enter the text userParameters>=#@. The NetScaler writes an enrolled secret into the attribute beginning with #@, so this filter ensures that only users with an enrolled authenticator can login. See George Spiers’ NetScaler native OTP article for more info.
    7. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.
    8. Click Create when done.
  5. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Policy.
  6. On the right, click Add.

    1. You probably don’t already have an Advanced Authentication Policy for your normal LDAP server.
    2. Change the Action Type to LDAP.
    3. Select your normal LDAP server, which is the one that has Authentication enabled.
    4. Enter true as the expression. This uses Default Syntax instead of Classic Syntax.
    5. Click Create.
  7. Create another Authentication Policy.

    1. This policy is for OTP management so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the Manage OTP LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should not have the Search Filter configured.
    4. Enter HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") in the Expression box, and click Create.
  8. Create another Authentication Policy.

    1. This policy is for OTP verification so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the OTP Verification LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should have the Search Filter configured to prevent unenrolled users from authenticating.
    4. Enter true in the Expression box, and click Create.

Login Schemas

  1. Go to Security > AAA – Application Traffic > Login Schema.
  2. On the right, switch to the Profiles tab, and click Add.

    1. This is the single factor Login Schema for manageotp so name the Schema accordingly.
    2. Click the Edit icon.
    3. On the left, click the LoginSchema folder to open it.
    4. Scroll down, and click SingleAuthManageOTP.xml to highlight it.
    5. On the top right, click Select.
    6. Click Create.
  3. Add another Login Schema profile.

    1. This Login Schema is for two-factor authentication to NetScaler Gateway so name it accordingly.
    2. Click the edit icon. Follow the same procedure as above, but this time select /LoginSchema/DualAuth.xml.
    3. Click More to reveal more options.
    4. Scroll down. In the Password Credential Index field, enter 1. This causes nFactor to save the user’s password into Attribute #1, which we’ll use later in a Traffic Policy to Single Sign-on to StoreFront. If you don’t do this, then NetScaler Gateway will try to use the Passcode to authenticate to StoreFront, which obviously won’t work.
    5. Check the box next to Enable Single Sign On Credentials. Mark in the comments indicates that this checkbox is needed to Single Sign On to RDP Hosts.
    6. Click Create.
  4. On the right, switch to the Policies tab.
  5. Click Add to add a Login Schema policy.
    1. In the Profile field, select the Single Factor Manage OTP Login Schema Profile.
    2. Name the Login Schema Policy for OTP management.
    3. In the Rule field, enter the following. This ensures that this single factor Login Schema is only used if the user enters /manageotp, and if the user is on the internal network. You don’t want manageotp to be accessible externally, because it’s only protected by single factor authentication, and it’s too easy to add multiple devices.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)
    4. Click Create.
  6. Create another Login Schema Policy.

    1. In the Profile field, select the dual factor Login Schema.
    2. Name the Login Schema to indicate dual factor authentication.
    3. In the Rule box, enter true.
    4. Click Create.

Authentication PolicyLabel

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel.
  2. On the right, click Add.
  3. This PolicyLabel is for OTP management, and OTP verification, so name it accordingly.
  4. In the Login Schema field, select LSCHEMA_INT, which means noschema.
  5. Click Continue.
  6. In the Policy Binding section, Click to select.
  7. Click the radio button button next to the Manage OTP LDAP Policy that has authentication disabled, and OTP Secret configured. This one should have a policy expression that limits it to manageotp only. Click Select.
  8. Click Bind.
  9. Click Add Binding to add another one.
  10. Click to select.
  11. Click the radio button next to the LDAP Policy that verifies OTP. Click Select.
  12. Click Bind.
  13. Make sure the manageotp policy is higher in the list than the OTP Verification policy. Click Done.

AAA vServer

  1. Go to Security > AAA – Application Traffic.
  2. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
  3. Go to Security > AAA – Application Traffic > Virtual Servers.
  4. On the right, click Add.
  5. This AAA vServer is for OTP so name it accordingly.
  6. Change the IP Address Type to Non Addressable.
  7. Click OK.
  8. Click where it says No Server Certificate.
  9. Click to Select.
  10. Click the radio button next to a certificate, and click Select. You can use the same certificate as NetScaler Gateway.
  11. Click Bind.
  12. Click Continue.
  13. Click where it says No Authentication Policy.
  14. Click to select.
  15. Click the radio button next to the normal LDAP Policy that has authentication enabled. Then click Select.
  16. In the Select Next Factor field, Click to select.
  17. Click the radio button next to the OTP PolicyLabel, and click Select.
  18. Click Bind.
  19. In the Advanced Authentication Policies section, click Continue.
  20. On the right, in the Advanced Settings column, click Login Schemas.
  21. On the left, scroll down, and click where it says No Login Schema.
  22. Click to select.
  23. Click the radio button next to the Manage OTP Login Schema, and click Select.
  24. Click Bind.
  25. Click where it says 1 Login Schema.
  26. Click Add Binding.
  27. Click to select.
  28. Click the radio button next to the dual factor Login Schema, and click Select.
  29. Click Bind.
  30. Make sure the single factor Manage OTP Login Schema is higher in the list than the dual factor Login Schema. Click Close.
  31. On the right, in the Advanced Settings column, click Portal Themes.
  32. On the left, scroll down, select RfWebUI as the Portal Theme, and click OK.
  33. Click Done.

Traffic Policy for Single Sign-on

  1. On the left, go to NetScaler Gateway > Policies > Traffic.
  2. On the right, switch to the Traffic Profiles tab, and click Add.
  3. This Traffic Profile is for OTP and/or nFactor. Name it accordingly.
  4. Scroll down.
  5. In the SSO Password Expression box, enter the following. This is where we use the Password Credential Index (Attribute #1) specified earlier in the dual-factor Login Schema.
    http.REQ.USER.ATTRIBUTE(1)
  6. Click Create.
  7. On the right, switch to the Traffic Policies tab, and click Add.
  8. Click the blue link to Switch to Default Syntax.
  9. In the Request Profile field, select the Traffic Profile you just created.
  10. Name the Traffic Policy.
  11. In the Expression box, enter true.
  12. Click Create.

NetScaler Gateway and Authentication Profile

  1. Go to NetScaler Gateway > Virtual Servers.
  2. Edit an existing Gateway vServer. If you don’t have one, see the other NetScaler Gateway topics on this site.
  3. Scroll down to the Policies section, and click the plus icon.
  4. Change the Choose Policy drop-down to Traffic, and click Continue.
  5. Click to select.
  6. Click the radio button next to the Traffic Policy you created earlier, and click Select.
  7. Click Bind.
  8. On the right, in the Advanced Settings column, click Authentication Profile.
  9. On the left, scroll down to the Authentication Profile section.
  10. Click the plus icon to create one.
  11. Authentication Profile links the NetScaler Gateway vServer with the OTP AAA vServer, so name it accordingly.
  12. In the Authentication Virtual Server section, Click to select.
  13. Click the radio button next to the OTP AAA vServer, and click Select.
  14. Click Create.
  15. Scroll down again to the Authentication Profile section, and click OK.
  16. The Portal Theme bound to the Gateway vServer should be RfWebUI, or a derivative.
  17. Go to System > Profiles.
  18. On the right, switch to the SSL Profile tab.
  19. Edit the ns_default_ssl_profile_frontend profile.
  20. Make sure HSTS is not enabled in the profile; if it is, RfWebUI and manageotp won’t work correctly. This is probably a bug. Note: enabling HSTS with the Rewrite method instead should work.

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths.

  1. In the NetScaler GUI, navigate to Configuration > Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp

  1. Point your browser to https://mygateway.corp.com/manageotp or similar. Simply add /manageotp to the end of your Gateway URL.
  2. Notice it’s only single-factor authentication. Login using normal LDAP credentials.
  3. Click Add Device.
  4. Enter a device name, and click Go.
  5. Launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QRCode that is shown on the screen.
  6. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
  7. Click Test.
  8. Enter the passcode shown in your Authenticator, and click Go.
  9. If you logoff of manageotp, and access your Gateway URL normally, you’ll be prompted for two-factor authentication. Use the passcodes shown in your Google Authenticator application.
  10. It should Single Sign-on into StoreFront.

CLI Commands

Here’s a complete CLI configuration.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute2 userParameters
add authentication ldapAction LDAP_OTP_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication ldapAction LDAP_OTP_confirm_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication Policy Corp-Adv -rule true -action LDAP-Corp
add authentication Policy LDAP_Manage_OTP-pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_OTP_no_auth
add authentication Policy LDAP_Confirm_OTP-pol -rule true -action LDAP_OTP_confirm_no_auth

add authentication loginSchema Dual_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1
add authentication loginSchema Single_Manage_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy Single_Manage_OTP-lschemapol -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.3.0.0/16)" -action Single_Manage_OTP-lschema
add authentication loginSchemaPolicy Dual_OTP-lschemapol -rule true -action Dual_OTP-lschema

add authentication policylabel OTP_pollabel -loginSchema LSCHEMA_INT
bind authentication policylabel OTP_pollabel -policyName LDAP_Manage_OTP-pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTP_pollabel -policyName LDAP_Confirm_OTP-pol -priority 110 -gotoPriorityExpression NEXT 

add authentication vserver OTP-AAA SSL 0.0.0.0
bind ssl vserver OTP-AAA -certkeyName WildcardCorpCom

bind authentication vserver OTP-AAA -portaltheme RfWebUI
bind authentication vserver OTP-AAA -policy Single_Manage_OTP-lschemapol -priority 100 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Dual_OTP-lschemapol -priority 110 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Corp-Adv -priority 100 -nextFactor OTP_pollabel -gotoPriorityExpression NEXT

add vpn trafficAction OTP-trafficprofile http -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy OTP-trafficpol true OTP-trafficprofile

add authentication authnProfile OTP-authnprofile -authnVsName OTP-AAA

add vpn vserver Gateway.corp.com SSL 10.2.5.220 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile OTP-authnprofile
set ssl vserver Gateway.corp.com -sslProfile ns_default_ssl_profile_frontend
add vpn sessionAction "Receiver For Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront2.corp.com/Citrix/StoreWeb" -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://storefront2.corp.com"
add vpn sessionPolicy "Receiver For Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver For Web"
bind vpn vserver Gateway.corp.com -portaltheme RfWebUI
bind vpn vserver Gateway.corp.com -policy "Receiver For Web" -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver Gateway.corp.com -policy OTP-trafficpol -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver Gateway.corp.com -certkeyName WildcardCorpCom

49 thoughts on “NetScaler Gateway 12 Native One Time Passwords (OTP)”

  1. Just one thing when testing native otp feature…
    Do not enable “nested group extraction” on your otp management LDAP Auth Server…. this will break writing the OTP Secret to the AD Attribute (e.g. userparameters).

  2. OK, so I believe I am 90-95% there. I believe NetScaler Gateway is “successfully” authenticating me against both sets of credentials (AD and Google Authenticator), but I get the “Cannot complete your request” error from StoreFront. What I see in the Event Logs on the StoreFront server is a “Citrix Authentication Service” event (ID 7) stating:

    CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

    What follows shows is interesting. The “username” field is populated with the password, which appears to suggest the NetScaler has passed through the wrong value. What have I done wrong for this to be the case? I’ve been through this article twice, and there appears to be nothing that I have missed. Is there any other configurations I should know about (i.e. in StoreFront)? If I remove the OTP configuration from the NetScaler Gateway, I authenticate successful to NetScaler Gateway and StoreFront.

    Thanks

    Matt

    1. In the Login Schema Profile, there’s a Password Credential Index. That should be a unique number that you later use in the Traffic Policy. You can also configure a different attribute number for the User Credential Index.

      1. Ah, I found my issue. I put the “http.REQ.USER.ATTRIBUTE(1)” expression in the Traffic Profile into the SSO User Expression, not the SSO Password Expression. Great little “hack” though if you want to find out someone’s password via the Event Logs (only have LDAP available here, not LDAPS).

        Thanks Carl.

  3. Hi Carl,

    Just wondering if you know how to deal with multiple internal subnets for the Single Authentication Login Schema policy?

    Thanks,

    Matt

    1. Are you able to specify a summary route?

      Or, you can add multiple subnets inside a parentheses clause with || (OR) between them. This is standard Boolean expression.

  4. Suggestion for make it easier to the users to enroll their token. I would create a responder policy for the redirect to the substring “/manageotp”.

    1.) Create a new dns record which is pointing to the NetScaler Gateway VIP –> token.domain.com
    2.) Create a responder action and policy
    add responder action resp_act_manageotp redirect "\"https://gateway.corp.com/manageotp\"" -responseStatusCode 302
    add responder policy resp_pol_manageotp "HTTP.REQ.HOSTNAME.CONTAINS(\"token.domain.com\")" resp_act_manageotp
    3.) Bind the responder policy to your Gateway.
    bind vpn vserver gateway.corp.com -policy resp_pol_manageotp -priority 100 -gotoPriorityExpression END -type REQUEST

    Cheers
    Julian

  5. Ignore my previous post – one typo derailed the entire thing.

    Another question though – Is there any way to scope this so that only the users that want to use nFactor are presented the additional dialog? Enabling this on a global scale would create a huge headache when my user base would attempt a login the following morning.

  6. Is LDAPS required for this by chance? I’m doing it in a lab environment for testing, and do not have LDAPS configured on the Netscaler here. All the images show LDAPS being used, just making sure I’m not missing something as I troubleshoot what I did wrong (can’t login with traffic policy and auth profile added to gateway vServer, but can with them off).

    Thanks,
    Matt

    1. Microsoft AD does not allow password changes unless LDAP is encrypted. Without encryption, passwords are transmitted in clear text.

  7. Hi Carl,
    great guide! It works fine in Web Interface but when I try with Citrix Receiver it doesn’t work (username, password or passcode incorrect)… I don’t find the differences in AAA config between Web or Receiver…

    any ideas?

  8. Hi Carl, let me know how to configure LDAP advanced policy to not challenge Receiver client users and just do LDAP as nFactor authentication is not working with Receiver. With 2 LDAP policies for manage & challenge OTP, I am not able to login using Receiver as the authentication fails.

  9. Carl,

    Step 3e under Login Schemas covers how to set the correct password index value but doesn’t mention that you need to check the “Enable Single Sign On Credentials” option if you intend to pass the credentials through to RDP Hosts (at a minimum – I haven’t yet tried other services). If you don’t check this box, attempting an RDP Proxy sessions will always result in a “Connection reset by peer” error message.

  10. Hi Carl, in my case device enrollment testing is done successfully; I can even see the userParameters attribute is showing the enrolled device list.

    But when I try it using a normal login, it gives the error “The server met an error. Please try again or contact your administrator.”

    i am using 12.0 51.24 NC build.

      1. Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[413]: receive_ldap_user_search_event 0-37: User DN= <>
        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[1195]: get_otp_attribute 0-37: OTP Secret Attribute name: , length 15
        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_common.c[595]: extract_ldap_attribute 0-37: retrieved UserParameters value #@Shahzad_MI=N5RM4WCYNYFE4JQU&, for shahzad
        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[1195]: get_otp_attribute 0-37: OTP Secret Attribute name: , length 15
        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[497]: receive_ldap_user_search_event 0-37: extracted attribute, name: UserParameters, value: #@Shahzad_MI=N5RM4WCYNYFE4JQU&,
        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[1195]: get_otp_attribute 0-37: OTP Secret Attribute name: , length 15
        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[514]: receive_ldap_user_search_event 0-37: For user shahzad, group stringLength 69
        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[523]: receive_ldap_user_search_event 0-37: built group string for shahzad of:netscaler-admins
        magnamiousgroup
        ftp_users
        Xenmobile-IT
        rabale-group

        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[532]: receive_ldap_user_search_event 0-37: Authentication is disabled for user shahzad, finishing ldap authentication
        Sat Aug 26 14:35:28 2017
        /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/naaad.c[2969]: send_accept 0-37: sending accept to kernel for : shahzad

  11. Hi Carl,

    Thank you for a great post on this subject.

    One thing I came across during testing of this feature, is the fact that the userParameters attribute is readable to anyone with a user account in AD, no admin rights required. And the data is not encrypted before the Netscaler stores it in AD. As a test, i copied the content of the attribute and added it to a TOTP app – Worked directly.

    So if the solution will be used in an environment where security matters also internally, another attribute should be selected and a schema extension might be required. Or the Netscaler could encrypt the content before storing it in AD (Feature request…).

    Thanks

    1. Hi (again). This is a followup on my own post.

      The userParameters attribute is also used to store information about the “Remote Desktop Services Profile” on the user object. Netscaler overwrites any existing attribute value when storing the token secret, and that might render a user unable to log on to a Terminal Server.

      I assume you can experience either getting a temporary profile or not been able to log on at all if temporary profiles are disabled. But you might survive if the profile location is set with GPO (not tested by me yet).

      My conclusion is that you should stay away from the userParameters attribute unless the warnings in my two posts are not a problem for you.

      Thanks

  12. Thank you. It is a very good article. I followed the steps in my lab and I was able to register my phone with Microsoft Auth and tested it just fine. The issue is that when I try to login to the portal I get the error “try again or contact your help desk”. Also, when looking at the appliance itself I see the error:
    [1245]: receive_ldap_user_search_event : ldap_first returned null, user not found
    [1245]: send_reject_with_code: Rejecting with error code 4009

    BTW, I have no group extraction setup and the user already exist in AD and I can see user parameter was created.

    Thank you in advance,

    Zack

  13. Hey Carl,
    When I am in /manageotp and click ‘Go’ to try to add a device, I’m not presented with the QRCode. Click Go does nothing. Thoughts?

      1. OK, So I have a service account that does all my LDAP on the NetScaler. I have explicitly delegated permissions to the Users OU for the Service Account that applies to ‘Descendant User Objects’. The only permission that I specified was Read and Write userParameters.

        If I change the service account used by the NetScalers/LDAP to my domain admin account, OTP registration works fine.

        Are there other permissions I’ve missed on the OU?

          1. I had this same issue where device enrollment worked as long as the OTP LDAP account was domain admin, but not as a service account. I resolved with the following:
            On the Users container I applied, delegate control>>>create a custom task to delegate>>>user objects>>>property-specific>>>Read Custom Attribute 14 and Write Custom Attribute 14.
            We already use userParameters, but anything that accepts strings appears to work.

    1. In China I can see the same thing as you mentioned: the QRCode is not presented. As far as I know, the QRCode image is fetched from “chart.googleapis.com”, and because China can’t access Google, I can’t get the QRCode. Hope this info can help you.

  14. Hi,
    great Article, thank you Carl!

    I can register a Token but when I try to log on or test the device, I receive an error and via aaad.debug I can see “authentication is disabled for user…”.

    Temporary disabling the nextFactor helps to get logged on.

    Any Idea?
    Thanks!

  15. Amazing post Carl! I’m no longer surprised by your skills )))

    I created all items on my environment. User can add new device, but testing procedure returns error and no added device after logoff/logon. I checked AD and attribute field still . OTP LDAP action user has access to edit these attributes.
    Could you give some advice to check if there are some mistakes plz?

    Thank you!

  16. Hi Carl, thanks a lot for this article. By the way, Microsoft Authenticator can be used as well. Click on plus sign -> other (Google,…).

  17. Hi Carl,

    I just keep getting “Failed to verify OTP from Sony Z5”. I have checked your article and JGSpiers’ article thoroughly and unable to find any hints what might be wrong.

    I’m doubting I have some issues in writing the attribute userParameters in to AD as the attribute stays empty after I try adding devices and after adding the device I’m seeing the following in aaad.debug:
    /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[1195]: get_otp_attribute 0-212: OTP Secret Attribute name:
    /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_common.c[521]: extract_ldap_attribute 0-212: While retrieving ldap attributes userParameters attribute not found for kari.ruissalo
    /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[1195]: get_otp_attribute 0-212: OTP Secret Attribute name: , length 15
    /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[494]: receive_ldap_user_search_event 0-212: Failed to extract attribute, name: userParameters,
    /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[1195]: get_otp_attribute 0-212: OTP Secret Attribute name: , length 15
    /home/build/rs_120_51_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[514]: receive_ldap_user_search_event 0-212: For user kari.ruissalo, group stringLength 224

    I have added my LDAP user in to Domain Admins group, so it shouldn’t be the lack of permissions here?

    Any ideas?

        1. I went through the CLI commands and spotted two differences that are now fixed (SSL-profile on GW and then the trafficaction was misconfigured for userExpression instead of passwdExpression). However, changing these values didn’t do any good.

        2. I think my issue was the LDAP actions. After I recreated them I get a confirmation in the OTP Test that it works.

          My doubts are that the service account was defined using distinguishedName and now that I changed to userPrincipalName the problem vanished.

          Great article once again Carl, thank you for your efforts!

          1. Hi Kari, I am also getting the same (failed to extract attribute name: userParameters) after configuring everything. Can you assist me in detail with how you managed to resolve it?

  18. Great post Carl, as usual 🙂
    In case of using a Unified Gateway, it may be valuable to mention that the content switching policy needs to be updated to allow users to access “https://mygateway.corp.com/manageotp”; otherwise an HTTP 1.1 error will be returned to users…

    Something like this should make it work:
    is_vpn_url || HTTP.REQ.URL.CONTAINS("/manageotp")

    Thank you once again for a great post 🙂

      1. Hi Carl,

        Thank you for a nice guide again.

        I have tested this in my lab. I got an error when I tried to verify my PIN code. I already checked that everything on AD is filled in the UserProperties field. When I added my phone, some value appeared in this field. But when I tried to test it, I got the error: “failed to verify OTP from telefon”. In the previous step I had just added my phone as “telefon”.

        Could please give me some advice where is my issue?

        PS: In Google Authenticator showed me my account as XXXXX@citrix.lastcomputers.com, which domain is wrong one. My lab is located in domain lastcomputers.com.

        Thank you!

        Antonio

        1. Hello Carl,

          I would you like to add in something here. I have tested and found this from ns.log:

          Sep 19 17:32:10 x.x.x.x 09/19/2017:14:32:10 GMT nsvpx12-01 0-PPE-0 : default AAA Message 35950 0 : “(0-222) send_authenticate_pdu_withconf: Sending Preamble”
          Sep 19 17:32:10 x.x.x.x 09/19/2017:14:32:10 GMT nsvpx12-01 0-PPE-0 : default AAA Message 35951 0 : “(0-222): sslvpn_manage_otp_handler: Reply Received, status from aaad: 2”
          Sep 19 17:32:10 x.x.x.x 09/19/2017:14:32:10 GMT nsvpx12-01 0-PPE-0 : default SSLVPN Message 35953 0 : “Failed to verify incoming OTP value 378195 for user: ………”

          Thank you for helping to find the issue.

          Regards,
          Antonio

          1. adding more info:

            root@# nsconmsg -g otp -d stats
            Displaying current counter value information
            NetScaler V20 Performance Data
            NetScaler NS12.0: Build 53.6.nc, Date: Aug 25 2017, 11:23:59

            reltime:mili second between two records Tue Sep 19 17:49:59 2017
            Index reltime counter-value symbol-name&device-no
            1 1178461 1 mem_tot_slotpages_allocated
            3 0 0 mem_tot_slotpages_freed
            5 0 0 mem_err_slotpages_allocfailed
            7 0 0 aaa_otp_tot_verify_success
            9 0 27 aaa_otp_tot_verify_fail
            11 0 47 aaa_otp_tot_manage_success
            13 0 1 aaa_otp_tot_manage_fail
            15 0 0 dns_totpipelined_request
            Done.

            I can enroll my phone successfully to my account, but verification is not working.

            Thank you!
