5 Replies to “NetScaler Gateway Password Expiry Warning with nFactor”

  1. Manuel, an excellent example!
    I want to use the field from AD “Pager” as the 2nd factor (additional password). The value of “pager” can be seen in http.req.user.Attribute(1), but I need to compare it to the Passwd1 field.
    I want to implement the following verification mechanism
    Username = LDAP (samaccountnname) -ok
    passwd = LDAP (password) -ok
    PASSWD1 = LDAP (pager)????
    I’d be happy to help
    Igor.


    1. Sorry for the late reply!

      Interesting approach. I guess the challenge is to actually make NetScaler compare the two values.

      You might be able to create something like:
      1st Factor: Ask for all three values, but make sure that the 3rd value is a custom field (see Citrix’s domain dropdown example) – Apply LDAP policy and retrieve ATTRIBUTE(1)
      2nd Factor: NO_SCHEMA, NO_AUTH policy with a “if ATTRIB(1) = FIELD passed from 1st factor” rule applied.

      This would then only successfully authenticate the second stage if both values match.

      But that would produce a bad error message for users who put a wrong pager value: “no policy applied”. You could conquer this by creating a third factor just for them with a dummy “wrong pager” message similar to my “password expired” warning above. Plus eventually a fourth factor that actually redirects them to the logout somehow finally.

      Hope that makes sense – to unleash the full potential of nFactor you definitely need to bend your head sometimes :-)


  2. Great article. Been searching for this solution for months!

    Do you know if it’s possible to set one of the nfactor loginschemas to allow the user to change the password?

    Creating the loginschemas I guess is no issue, but is it possible to create the expression to allow the Netscaler to update LDAP with users password change?

    Thanks
    Kal


    1. Hi Kal,

      In fact, I was thinking about that as well for a while – nothing straightforward came to my mind.
      Two things came to my mind which I haven’t tried yet though:
      – Investigate what the exact URL is that NetScaler uses for expired passwords and add a second button like “change now” which links to that URL – not sure whether NS even accepts direct calls of these pages though
      – Set a cookie in nFactor (via JS in the schema or via Rewrite somehow) – and then apply a session policy that forwards you to StoreFront’s password change facility /Citrix/StoreWeb/whatever/the/passwordchange/path/is

      Again, just thoughts, never tried any of those yet.
      Let me know if you do!

      Manuel


  3. Hi Kal,

    I have configured nFactor authentication for NS GW to implement native OTP: username upfront to check group membership, then present the next factor based on group membership. The 2nd factor is password only or password & OTP.

    After implementing this, users are not able to change their password when it has expired, nor are they notified when their password is about to expire.

    Could you help me with how I can set up the password expiry notice or password change in this scenario?

    Thanks.
