Weblogging client (NSWL) login unsuccessful with nsroot account

Authentication for NSWL happens in the following order:

1. If the credential corresponds to a local system user:

a. If ‘externalAuth’ for that system user is turned off, authentication happens locally.
b. Otherwise, external authentication is performed.

2. Otherwise the user is authenticated by the external authentication servers. (This is determined by whether any ‘authentication policies’ are bound to ‘system global’.)

3. If the external authentication servers are not reachable (or no external auth servers are configured), we fall back to local authentication.



SAML Single Logout with ICA Proxy Mode on NetScaler

In ICA proxy mode, when the user logs out from StoreFront, the logout is not triggered on NetScaler Gateway or on the IdP. One of the following behaviors will be observed after logout.

1) If the page is refreshed, or a new tab is opened with the NetScaler Gateway URL in the same browser session, or if the “Continue where you left off” option is enabled in the Chrome browser, the StoreFront homepage appears again without any re-authentication.


2) When FAS is used, StoreFront by default displays the following message after logout: “Cannot log on using smart card. Please close browser to protect your account.”

There are a few ways to make this message go away, but that does not solve the actual problem of the NetScaler Gateway and IdP sessions not being logged out. From a security standpoint such work-arounds are not recommended.


Configuring Citrix ADC nFactor Feature – Check for Presence of User Certificate and Go Through LDAP else go Through LDAP+OTP

Use Case

Certificate authentication in the first factor, followed by LDAP in the next factor; if the user certificate is not presented (missing) in the first factor, LDAP + OTP instead.


This article describes the following scenario:

  1. Administrator configures Certificate authentication in first factor.
  2. If user certificate is present, then do LDAP authentication in next factor.
  3. If user Certificate is not present, then go through LDAP + OTP.

The first section briefly introduces the entities encountered in this article, and in nFactor authentication in general. The next section pictographically demonstrates the flow. The following sections give an example “LoginSchema” that can be used to realize the logon form, and the relevant configuration.

Entities used in nFactor


Login Schema is an XML construct that provides the UI tier with enough information to generate the user interface from the XML blob it receives. Put another way, LoginSchema is a logical representation of the logon form in XML.

It can be added as below:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>

where authenticationSchema is a well-structured XML that defines how the login form is rendered, userExpression is used to extract the username from the login attempt, and passwordExpression is likewise used to extract the password.

Authentication Policylabel

Authentication Policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogeneous policies, meaning the credentials received from the user apply to all the policies in the cascade. However, there are exceptions to this when a fallback option is configured or a feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there’s no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the vserver cascade.

When we bind an authentication policy to authentication vserver, we specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.

It can be added as below:

add authentication policylabel <name> -loginSchema <loginSchemaName>

where loginSchemaName is the login schema to associate with this authentication factor.

We can bind authentication policies to this label.

bind authentication policylabel <name> -policy LDAP -priority 10 -nextfactor <nextFactorLabelName>

Use case description

  1. User accesses the TM vserver and is redirected to the Authentication vserver.

  2. If a user certificate is present on the client device, it is presented to the user as below.

  3. After the user certificate is submitted, authentication proceeds to the next factor. This factor is configured as LDAP.

  4. If the user certificate is not present in the first factor, then proceed to LDAP + OTP.

    For this, we have two options:

    1. LDAP and OTP as separate login pages, with the user name prefilled from the LDAP factor.

      The username value is prefilled using the expression ${http.req.user.name}, which extracts the username from the first factor. Other fields such as the labels for username and password can also be customized.

    2. A dual authentication page containing two password fields. Here’s the example used for this specific representation of the logon form:

nFactor Flow Presentation

The setup can also be created through the nFactor Visualizer present in ADC version 13.0.

Configuration Through CLI

1. Add the Authentication vserver and bind the certificate

bind ssl vserver auth_vserver -certkeyName gateway.angiras.lab

2. Bind the root certificate to the vserver and enable client authentication

bind ssl vserver auth_vserver -certkeyName Root_Cert -CA -ocspCheck Optional

set ssl vserver auth_vserver -clientAuth ENABLED -clientCert Optional

3. Create a login schema for managing OTP devices and bind it to the AAA VIP

add authentication loginSchema lschema_manage_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"

bind authentication vserver auth_vserver -policy manage_otp_schema -priority 100 -gotoPriorityExpression END

4. Create authentication actions and policies as below:

a. LDAP Authentication:

add authentication ldapAction LDAP_Action -serverIP XX.XX.XX.XX -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword 97526a31c6e2e380f7b3a7e5aa53dc498c5b25e9b84e856b438b1c61624b5aad -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

add authentication Policy LDAP_Pol -rule true -action LDAP_Action

b. Device Management:

add authentication ldapAction OTP_manage_Act -serverIP XX.XX.XX.XX -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword 3e10c1df11a9cab239cff2c9305743da76068600a0c4359603abde04f28676ae -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED -OTPSecret userParameters

add authentication Policy manage_OTP -rule TRUE -action OTP_manage_Act

c. OTP Validation:

add authentication ldapAction LDAP_OTP_Act -serverIP XX.XX.XX.XX -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword e79a8ebf93fdb7e7438f44c076350c6ec9ad1269ef0528d55640c7c86d3490dc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -authentication DISABLED -OTPSecret userParameters

add authentication Policy OTP_Pol -rule true -action LDAP_OTP_Act

d. Certificate Authentication:

add authentication certAction Certificate_Profile -twoFactor ON -userNameField SubjectAltName:PrincipalName

add authentication Policy Cert_Pol -rule true -action Certificate_Profile

e. Policy without authentication, used for dual auth when certificate authentication fails or no certificate exists

add authentication Policy Cert_Pol_NOAUTH_ -rule true -action NO_AUTHN

5. Create policy labels and login schemas for the second factor as below:

a. Device Management:

add authentication policylabel manage_otp_label -loginSchema LSCHEMA_INT

bind authentication policylabel manage_otp_label -policyName manage_OTP -priority 100 -gotoPriorityExpression END

b. LDAP authentication after successful certificate authentication

add authentication loginSchema lschema_LDAP_Only -authenticationSchema "/nsconfig/loginschema/LoginSchema/PrefilUserFromExpr.xml"

add authentication policylabel LDAP_Only -loginSchema lschema_LDAP_Only

bind authentication policylabel LDAP_Only -policyName LDAP_Pol -priority 100 -gotoPriorityExpression END

c. Dual auth when a certificate is not present or certificate authentication fails

add authentication loginSchema lschema_dual_auth -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"

add authentication policylabel Dual_Auth_Label -loginSchema lschema_dual_auth

bind authentication policylabel Dual_Auth_Label -policyName LDAP_Pol -priority 100 -gotoPriorityExpression END

bind authentication policylabel Dual_Auth_Label -policyName OTP_Pol -priority 110 -gotoPriorityExpression END

6. Bind the policies created in the steps above to the AAA VIP

bind authentication vserver auth_vserver -policy Manage_OTP_Pol -priority 100 -nextFactor manage_otp_label -gotoPriorityExpression NEXT

bind authentication vserver auth_vserver -policy Cert_Pol -priority 110 -nextFactor LDAP_Only -gotoPriorityExpression NEXT

bind authentication vserver auth_vserver -policy Cert_Pol_NOAUTH_ -priority 120 -nextFactor Dual_Auth_Label -gotoPriorityExpression NEXT

Configuration Through Visualizer

1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add

2. Click on the + sign to add the nFactor Flow

3. Add Factor, this will be the name of the nFactor Flow

4. No Schema is needed in the first factor as we will be binding policies that do not need a schema

5. Click on Add Policy to add Policy

6. Add a policy for Registration Check. Action in this case would be NO_AUTHN.

7. Type HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") in the Expression field and click on Create

8. Click on Add to add the Policy created above to manage user devices

9. Click on green plus sign to add the next factor for LDAP authentication prior to managing the devices

10. Select Create Factor and type in a name for this factor and click on Create

11. Click on Add Schema and then Add to create a schema to manage devices

12. Choose the schema created above and click on Add to bind it

13. Click on Add Policy and select LDAP Authentication Policy for initial LDAP Auth

For more information on creating LDAP Authentication, see Configuring LDAP Authentication

14. Following steps 9 and 10, create another factor to register the device

15. No schema is needed in this factor. Click on Add Policy to add the policy for device registration (the policy created in CLI Configuration step 4, point b)

16. Create another factor following steps 9 and 10 to test the registered devices

17. Click on Add Policy to add the authentication policy (the policy created in CLI Configuration step 4, point c)

18. Click on blue plus sign below Registration Policy to add a Policy for Certificate Authentication

19. Click on Add to Add the Cert Policy

For more information on Client Certificate Authentication, see article CTX205823

20. Click on green sign next to the Cert Policy to create next factor for LDAP Authentication

21. Click on Add Schema to Add the login schema for prefilled username single authentication

22. Choose the schema created and click on OK

23. Click on Add Policy and Add LDAP Authentication

24. Click on the red plus sign next to the Certificate Policy to add the next factor for the case when certificate authentication fails or there is no certificate on the device

25. Select Create Factor and type a Factor Name

26. Click on Add Schema to add a Dual Authentication Schema

27. Choose the Schema created above and click on OK

28. Click on Add Policy and add LDAP Authentication

29. Click on the blue plus sign below the LDAP Authentication Policy to add a policy to validate OTP

30. Select the authentication policy to validate OTP and click on OK (the authentication policy created in CLI Configuration step 4, point c)

31. Click on Done; this automatically saves the configuration.

32. Select the nFactor Flow just created and bind it to an AAA Virtual Server by clicking on Bind to Authentication Server and then Create

NOTE: Bind and unbind the nFactor Flow only through the option given under Show Bindings in nFactor Flow.

To unbind the nFactor Flow:

1. Select the nFactor Flow and Click on Show Bindings

2. Select the Authentication VServer and Click Unbind


How to Configure Post-Authentication EPA Scan as a Factor in NetScaler nFactor Authentication

The following graph shows the mapping of policies and policy labels. We will use this approach for configuring, but from right to left.


Complete the following steps from NetScaler CLI:

  1. Create an action to perform EPA scan and associate it with an EPA scan policy.

    add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr(\"app_0_MAC-BROWSER_1001_VERSION_<=_10.0.3\")||sys.client_expr(\"os_0_win7_sp_1\")"

    Just as an example, the above expression checks whether Mac OS users have a browser version at or below 10.0.3, or whether Windows 7 users have Service Pack 1 installed.

    add authentication Policy EPA-check -rule true -action EPA-client-scan

  2. Configure Policy label post-ldap-epa-scan, which will host the policy for EPA scan.

    add authentication policylabel post-ldap-epa-scan -loginSchema LSCHEMA_INT

    Note: LSCHEMA_INT is the inbuilt schema with no schema (noschema), meaning no additional web page is presented to the user at this step.

  3. Associate policy configured in step 1 with policy label configured in step 2.

    bind authentication policylabel post-ldap-epa-scan -policyName EPA-check -priority 100 -gotoPriorityExpression END

    Here END indicates end of authentication mechanism.

  4. Configure the ldap-auth policy and associate it with an LDAP action (ldap_server1) that is configured to authenticate against a particular LDAP server.

    add authentication Policy ldap-auth -rule true -action ldap_server1

    Here ldap_server1 is the LDAP action referenced by the policy, and ldap-auth is the policy name.

  5. Bringing it all together, bind the ldap-auth policy to the AAA vserver with the next factor pointing to the policy label post-ldap-epa-scan, so that the EPA scan is performed after LDAP authentication.

    bind authentication vserver MFA_AAA_vserver -policy ldap-auth -priority 100 -nextFactor post-ldap-epa-scan -gotoPriorityExpression NEXT

Note: A pre-authentication EPA scan is always performed as the first step in nFactor authentication, and a post-authentication EPA scan is always performed as the last step. EPA scans cannot be performed in between the steps of an nFactor authentication.
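As an added example (not code from the Citrix articles), the following Python models how the nFactor cascades defined in the certificate/LDAP/OTP CLI configuration above and in the post-authentication EPA configuration in this section are walked. It assumes the simplified semantics stated in the comments (success goes to nextFactor, failure honours NEXT/END) and replaces the real actions with a caller-supplied outcome table.

```python
# Added example, not Citrix/NetScaler code: a minimal model of how an nFactor
# cascade is walked. Assumed (simplified) semantics: a policy whose rule matches
# and whose action succeeds hands control to its nextFactor, or completes
# authentication if it has none; on failure, gotoPriorityExpression NEXT falls
# through to the next priority in the same factor and END stops the cascade.
# Actions (LDAP bind, certificate check, EPA scan) are replaced by a caller-
# supplied outcome table; the two-password logic inside Dual_Auth_Label is
# not modeled.

# factor -> bindings in priority order: (policy, nextFactor, gotoPriorityExpression)
CERT_FLOW = {
    "auth_vserver": [
        ("Manage_OTP_Pol", "manage_otp_label", "NEXT"),  # priority 100
        ("Cert_Pol", "LDAP_Only", "NEXT"),                # priority 110
        ("Cert_Pol_NOAUTH_", "Dual_Auth_Label", "NEXT"),  # priority 120
    ],
    "manage_otp_label": [("manage_OTP", None, "END")],
    "LDAP_Only": [("LDAP_Pol", None, "END")],
    "Dual_Auth_Label": [("LDAP_Pol", None, "END"), ("OTP_Pol", None, "END")],
}
EPA_FLOW = {
    "MFA_AAA_vserver": [("ldap-auth", "post-ldap-epa-scan", "NEXT")],
    "post-ldap-epa-scan": [("EPA-check", None, "END")],
}


def walk(flow, factor, outcomes, trail=None):
    """Return (authenticated, trail); trail lists the factors entered in order.
    outcomes maps policy name -> True when its rule matched and its action
    succeeded; a policy absent from the table counts as not succeeding."""
    trail = [] if trail is None else trail
    trail.append(factor)
    for policy, next_factor, goto in flow[factor]:
        if outcomes.get(policy, False):
            if next_factor is None:
                return True, trail          # final factor passed
            return walk(flow, next_factor, outcomes, trail)
        if goto == "END":
            return False, trail             # failure terminates the cascade
        # NEXT: fall through to the next-priority binding in this factor
    return False, trail                     # cascade exhausted


if __name__ == "__main__":
    # Constructed scenarios: which path does each client end up on?
    print(walk(CERT_FLOW, "auth_vserver", {"Cert_Pol": True, "LDAP_Pol": True}))
    print(walk(CERT_FLOW, "auth_vserver", {"Cert_Pol_NOAUTH_": True, "LDAP_Pol": False}))
    print(walk(EPA_FLOW, "MFA_AAA_vserver", {"ldap-auth": True, "EPA-check": False}))
```

The second scenario shows the fall-through that the NEXT bindings create: a client without a certificate lands on Dual_Auth_Label via the NO_AUTHN policy, while the third shows that a valid LDAP password alone is denied when the post-auth EPA scan fails.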

The above configuration can also be performed using the nFactor Visualizer, a feature available on firmware 13.0 onward. Below is the same configuration using the nFactor Visualizer.

Nfactor flow representation using the nFactor Visualizer:

Configuration through Visualizer:

1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add

2. Click on the + sign to add the nFactor Flow

3. Add Factor, this will be the name of the nFactor Flow

4. Add the schema for the First Factor by clicking on the Add Schema and then Add

5. After adding the schema, click on Add Policy to add the LDAP policy. If the LDAP policy already exists it can be selected from the drop-down list; if not, create a new LDAP policy by clicking on “Add” as highlighted below.

In the Action tab select the LDAP server. If the LDAP server has not been added yet, follow this KB article to add an LDAP server on the ADC (https://support.citrix.com/article/CTX123782).

6. Click on the + sign to add the EPA factor.

7. Leave the Add Schema section blank so that the default no-schema applies to this factor, then click on Add Policy to add the post-auth EPA policy and action.

EPA Action:

EPA Policy:

Click Create once done.

8. Once the nFactor flow is complete, bind this flow to the AAA Vserver.

