9 Replies to “NetScaler Gateway Password Expiry Warning with nFactor”

  1. Manuel, an excellent example!
    I want to use the field from AD “Pager” as the 2 factor (additional password), and the value “pager” can be seen http.req.user. Attribute (1), but compare it to the Passwd1 field.
    I want to implement the following verification mechanism
    Username = LDAP (samaccountnname) -ok
    passwd = LDAP (password) -ok
    PASSWD1 = LDAP (pager)????
    I’d be happy to help


    1. Sorry for the late reply!

      Interesting approach. I guess the challange is to actually make NetScaler compare the two values.

      You might be able to create something like:
      1st Factor: Ask for all three values, but make sure that the 3rd value is a custom field (see Citrix’s domain dropdown example) – Apply LDAP policy and retrieve ATTRIBUTE(1)
      2nd Factor: NO_SCHEMA, NO_AUTH policy with a “if ATTRIB(1) = FIELD passed from 1st factor” rule applied.

      This would then only successfully authenticate the second stage if both values match.

      But that would produce a bad error message for users who put a wrong pager value: “no policy applied”. You could conquer this by creating a third factor just for them with a dummy “wrong pager” message similar to my “password expired” warning above. Plus eventually a fourth factor that actually redirects them to the logout somehow finally.

      Hope that makes sense – to unleash the full potential of nFactor you definitly need to bend your head sometimes :-)


  2. Great article. Been searching for this solution for months !

    Do you know if it’s possible to set one of the nfactor loginschemas to allow the user to change the password?

    Creating the loginschemas I guess is no issue, but is it possible to create the expression to allow the Netscaler to update LDAP with users password change?



    1. Hi Kal,

      in fact I was thinking about that as well for a while – nothing straight forward came to my mind.
      Two things came to my mind which I haven’t tried yet though:
      – Investigate what’s the exact URL that NetScaler uses for expired passwords and add a second button like “change now” which links to that URL – not sure whether NS even accepts direct calls of these pages though
      – Set a cookie in nFactor (via JS in the schema or via Rewrite somehow) – and then apply a session policy that forwards you to StoreFronts password change facility /Citrix/StoreWeb/whatever/the/passwordchange/path/is

      Again, just thoughts, never tried any of those yet.
      Let me know if you do!



  3. Hi Kal,

    I have configured nFactor authentication for NS GW to implement native OTP. User name upfront to check group membership and present next factor based on group membership. 2nd factor is password only or password & OTP.

    After implementing this, users are not able to change password when password is expired or they are notified when password is about to expire.

    Could you help me how can I set password expiry notice or password change in this scenario?



  4. Thanks for the great article. I am seeing an issue when a password doesn’t meet the requirements in the expression, it doesn’t send them to Storefront and displays the “No active policy during authentication”. If it is within the expiration it displays the Expiry Message and allows the user to hit continue and passes through to Storefront just fine. Did I miss something?

    If you could point me in the right direction that would be great. Thanks!


    1. Hi neztik, did you ever find a solution to this error message “No active policy during Authentication” ?
      Our users see this after they have changed their password when the “Change password at next logon” is checked on the users AD account.


  5. I do recall some NS versions after I wrote this article having problems with Factors that contain only NO_AUTHN and NOSCHEMA throwing that exact same message – so that might be the problem.

    But furthermore, did peek at the latest 12.1 release notes?
    [# 703474] Support for 14-day password expiry notification for LDAP based authentication
    I’m not sure if this applies to NetScaler Gateway as well but if you use a AAA vServer for your NGW authentication I’m sure it will!
    I haven’t tried that one out myself yet so please let me know if that works for you!
    (Plus I should definitly include a note on that in the top of the article)


  6. Thank you for this great article. Do you know if it is possible to use this in combination with Azure MFA? i am thinking somehow 1st LDAP auth, 2nd RADIUS auth and 3th password expiry warning.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: