nFactor – Certificate Fallback to LDAP in Same Cascade with One Virtual Server for Certificate and LDAP Authentication on Citrix ADC

Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

This article describes the following scenario:

  1. The first factor is configured for either certificate or LDAP authentication.

  2. If the user does not present a certificate, authentication falls back to LDAP.

  3. Only a single authentication vserver is needed to configure both.

This article describes these steps in detail. The first section briefly introduces the entities encountered in this document, and in nFactor authentication in general. The next section shows the flow as a diagram. The following sections give an example “LoginSchema” that can be used to realize the logon form, and the relevant configuration.

Entities used in nFactor

LoginSchema

Login Schema is an XML construct that is aimed at providing sufficient information to the UI tier so that it can generate user interface based on the information that is sent in this XML blob. LoginSchema is a logical representation of logon form in XML medium.

It can be added as:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>

where authenticationSchema is a well-structured XML that defines the way login form is rendered. UserExpression is used to extract username from login attempt. Likewise passwordExpression is used to extract password.

Authentication Policylabel

Auth Policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogenous policies, which means, the credentials received from user apply to all the policies in the cascade. However, there are exceptions to this when a fallback option is configured or feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there’s no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the vserver cascade.

When an authentication policy is bound to authentication vserver, specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.

It can be added as:

add authentication policylabel <name> -loginSchema <loginSchemaName>

Where, loginSchemaName will be the login schema that we want to associate with this authentication factor.

We can bind authentication policies to this label:

bind authentication policylabel <name> -policyName LDAP -priority 10 -nextFactor <nextFactorLabelName>

Use Case Description

  1. The user accesses the TM vserver and is redirected to the authentication vserver.

  2. If a user certificate is present on the client device, the user is prompted to select the certificate for authentication.

  3. Upon selecting the appropriate certificate, the user is authenticated and granted access to the backend resource.

  4. If no user certificate is present, the user instead sees a login page for LDAP authentication; on submitting credentials, the user is authenticated and granted access to the backend resource.

Users see a login page with Username and Password field. The fields such as labels for username and password can be customized.

Here’s the example used for this specific representation of logon form:

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential>
          <ID>login</ID>
          <SaveID>ExplicitForms-Username</SaveID>
          <Type>username</Type>
        </Credential>
        <Label>
          <Text>Enter Login Name:</Text>
          <Type>plain</Type>
        </Label>
        <Input>
          <AssistiveText>Please supply your username (sAMAccountName)</AssistiveText>
          <Text>
            <Secret>false</Secret>
            <ReadOnly>false</ReadOnly>
            <InitialValue></InitialValue>
            <Constraint>.+</Constraint>
          </Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential>
          <ID>passwd</ID>
          <SaveID>ExplicitForms-Password</SaveID>
          <Type>password</Type>
        </Credential>
        <Label>
          <Text>Password:</Text>
          <Type>plain</Type>
        </Label>
        <Input>
          <Text>
            <Secret>true</Secret>
            <ReadOnly>false</ReadOnly>
            <InitialValue></InitialValue>
            <Constraint>.+</Constraint>
          </Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential>
          <Type>none</Type>
        </Credential>
        <Label>
          <Text>Hello, please submit your password to continue login...</Text>
          <Type>confirmation</Type>
        </Label>
        <Input/>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>

The customizable portions of the logon form are the label texts (“Enter Login Name:”, “Password:”), the assistive text, the confirmation text and the Cancel button text; administrators can modify these values to suit their needs. The Credential IDs (login, passwd) are the names under which the values are posted back, so change them only if the userExpression and passwordExpression of the login schema are changed to match. Keep <Secret>true</Secret> on the password field so that it is masked in the browser.
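A small lint for a customized LoginSchema, added here as an example (it is not Citrix code and not part of the original article). It parses the schema above with the standard library, lists every Requirement, and flags the mistakes that matter after hand-editing: a password field that is not marked Secret, a password field with a pre-filled InitialValue, duplicate Credential IDs, and a missing field name. The expected field names (login, passwd) are the article's; the sample XML is the article's schema trimmed to the two credential requirements.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://citrix.com/authentication/response/1"}

# Constructed sample: the LoginSchema from this article, trimmed to the username and password
# requirements (the confirmation requirement carries no <Input> and is omitted here).
LOGIN_SCHEMA = """<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status><Result>more-info</Result><StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
        <Label><Text>Enter Login Name:</Text><Type>plain</Type></Label>
        <Input><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input>
      </Requirement>
      <Requirement>
        <Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
        <Label><Text>Password:</Text><Type>plain</Type></Label>
        <Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>"""


def extract_requirements(schema_xml):
    """One dict per <Requirement>: credential id/type plus the input's Secret and InitialValue."""
    root = ET.fromstring(schema_xml)
    reqs = []
    for req in root.findall("a:AuthenticationRequirements/a:Requirements/a:Requirement", NS):
        cred = req.find("a:Credential", NS)
        text = req.find("a:Input/a:Text", NS)
        reqs.append({
            "id": cred.findtext("a:ID", default="", namespaces=NS),
            "type": cred.findtext("a:Type", default="", namespaces=NS),
            # None when the requirement has no <Input><Text> (e.g. a confirmation label)
            "secret": None if text is None else text.findtext("a:Secret", default="", namespaces=NS) == "true",
            "initial": None if text is None else text.findtext("a:InitialValue", default="", namespaces=NS),
        })
    return reqs


def lint_login_schema(schema_xml, expected_ids=("login", "passwd")):
    """Return a list of findings; an empty list means the schema passed.
    expected_ids are the field names the factor's userExpression/passwordExpression read
    (assumed here to be the article's login/passwd)."""
    findings = []
    reqs = extract_requirements(schema_xml)
    ids = [r["id"] for r in reqs if r["id"]]
    if len(ids) != len(set(ids)):
        findings.append("duplicate Credential IDs: %s" % ids)
    for want in expected_ids:
        if want not in ids:
            findings.append("expected Credential ID %r is missing; the user/password expressions will not find it" % want)
    for r in reqs:
        if r["type"] in ("username", "password") and r["secret"] is None:
            findings.append("credential %r has no <Input><Text> block" % r["id"])
            continue
        if r["type"] == "password" and r["secret"] is not True:
            findings.append("password field %r is not <Secret>true</Secret>; it will be echoed on screen" % r["id"])
        if r["type"] == "password" and r["initial"]:
            findings.append("password field %r has a non-empty InitialValue" % r["id"])
    return findings


if __name__ == "__main__":
    for finding in lint_login_schema(LOGIN_SCHEMA) or ["schema OK"]:
        print(finding)
```

Run it against the XML you are about to paste into -authenticationSchema; a schema that passes here still has to be bound to a policy label (or the vserver) before the UI tier will render it.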

nFactor Flow Presentation


Policies for this use-case

add lb vserver lb_ssl SSL 10.217.28.166 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.aaatm.com -Authentication ON -authnVsName avn

add authentication vserver avn SSL 10.217.28.167 443 -AuthenticationDomain aaatm.com

bind authentication vserver avn -policy <Certificate Auth Policy> -priority 1 -gotoPriorityExpression NEXT

bind authentication vserver avn -policy <LDAP Auth Policy> -priority 2 -gotoPriorityExpression NEXT

The preceding configuration adds a TM vserver for resource access, an authentication vserver that secures the TM vserver, and the policy bindings for this use case. The placeholders in angle brackets are to be replaced with the administrator's certificate and LDAP authentication policies (examples follow in the next section). No nextFactor is specified on either binding: whichever policy succeeds completes authentication on its own.

The gotoPriorityExpression defaults to NEXT, so if the certificate policy's action fails (here, because the client presented no certificate), evaluation falls through to the LDAP policy at priority 2. With END the cascade would stop at the certificate policy and the user would be denied.

Certificate and LDAP Policy Configuration

The following are examples of certificate and LDAP policy configuration:

add authentication certAction ca -userNameField SubjectAltName:PrincipalName

add authentication Policy cert -rule true -action ca

add authentication ldapAction ldap-new -serverIP 10.217.28.180 -ldapBase "cn=users,dc=aaatm,dc=com" -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 1.linux -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN

add authentication Policy ldap-new -rule true -action ldap-new

The certAction takes the user name from the UPN in the certificate's Subject Alternative Name. The ldapAction values are lab values: it binds as the domain administrator over plaintext LDAP (the default -secType PLAINTEXT on port 389). In production use a dedicated, least-privileged bind account and set -secType SSL (with -serverPort 636) or TLS, so that neither the bind credentials nor the users' passwords cross the network in the clear.

Configuration Through Visualizer

1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add

2. Click on the + sign to add the nFactor Flow


3. Add Factor, this will be the name of the nFactor Flow


4. No schema needs to be selected for this configuration as the Cert Authentication doesn’t require a login schema and if the Authentication falls back to LDAP, the default login page is used.


5. Click Add Policy, choose the certificate authentication policy and click Add.


For more information on client certificate authentication, see CTX205823.

6. Click on the blue plus sign below the Cert_Policy just selected to add LDAP Authentication Policy


7. Select the LDAP_Policy and then Add


For more information on creating LDAP authentication, see Configuring LDAP Authentication.

8. Click Done; this automatically saves the configuration.

9. Select the nFactor flow just created and bind it to an AAA virtual server by clicking Bind to Authentication Server and then Create.

NOTE: Bind and unbind the nFactor flow only through the option provided under Show Bindings in nFactor Flow.

To unbind the nFactor Flow:

1. Select the nFactor Flow and Click on Show Bindings

2. Select the Authentication VServer and Click Unbind

Important ns.log Messages

  1. For the case when the certificate is absent:

ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New - NO_CLIENT_CERT
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAATM Message 438 0 : "LoginSchema policyeval did not return an active policy"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 524 0 : SPCBId 568 - ClientIP 10.252.112.163 - ClientPort 54500 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 439 0 : "core 2: ns_get_username_password: loginschema gleaned is default "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 440 0 : "aaad_authenticate_req: copying policylabel name avn to aaa info, type 33 for auth "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 441 0 : "sslvpn_extract_attributes_from_resp: attributes copied so far are user11.citrix "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 442 0 : "sslvpn_extract_attributes_from_resp: total len copied 23, mask 0x5 "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 443 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, input aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s"
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 444 0 : "Invaid tass cookie while checking whether current authentication is due to idp functionality: aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s "
Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3,Group2,group1"

  2. For the case when the certificate is present:

Jul 30 21:10:36 <local0.debug> 127.0.0.2 07/30/2015:21:10:36 GMT 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 452 0 : SPCBId 596 - ClientIP 10.217.28.185 - ClientPort 57227 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session Reuse
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New - CLIENT_AUTHENTICATED - SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 540 0 : SPCBId 578 - IssuerName " DC=com,DC=aaatm,CN=aaatm-DC-CA-1"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 541 0 : SPCBId 578 - SubjectName " DC=com,DC=aaatm,CN=Users,CN=user2"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "
Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLVPN Message 544 0 : "core 0: initClientForReuse: making aaa_service_fqdn_len 0 "
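The messages above are what you would grep for when verifying that the fallback behaves as intended, or when a SOC wants to know how often users arrive without a certificate. The following Python is an added example (not Citrix tooling) that parses ns.log lines of the shape shown above, pulls the SSLLOG key/value fields apart, and summarises per log file how many handshakes completed with NO_CLIENT_CERT versus CLIENT_AUTHENTICATED, how many nFactor certificate fallbacks and successes the AAA module reported, and which users logged in from where. The embedded sample is constructed from the excerpts in this article; the first line reconstructs the truncated SSL_HANDSHAKE_SUCCESS record, so its SPCBId, ClientPort and message id are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: ns.log lines taken from this article. The first line is a reconstruction of the
# truncated NO_CLIENT_CERT record (SPCBId 560, ClientPort 54499 and message id 436 are invented).
SAMPLE_NSLOG = """\
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 436 0 : SPCBId 560 - ClientIP 10.252.112.163 - ClientPort 54499 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New - NO_CLIENT_CERT
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAATM Message 438 0 : "LoginSchema policyeval did not return an active policy"
Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3,Group2,group1"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New - CLIENT_AUTHENTICATED - SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 541 0 : SPCBId 578 - SubjectName " DC=com,DC=aaatm,CN=Users,CN=user2"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "
Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
""".splitlines()

# "<syslog ts> <facility> <host> <ns ts> GMT <ppe> : default <module> <event> <msgid> <n> : <body>"
HEADER_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d <[^>]+> \S+ (?P<ts>\S+) GMT "
    r"(?P<ppe>\d+-PPE-\d+) : default (?P<module>\S+) (?P<event>\S+) (?P<msgid>\d+) \d+ : (?P<body>.*)$"
)


def parse_line(line):
    """Split one ns.log line into header fields plus free-text body; None if it is not in this shape."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def parse_sslog_fields(body):
    """'SPCBId 578 - ClientIP 1.2.3.4 - ... - CLIENT_AUTHENTICATED' -> dict. Bare tokens become flags."""
    fields = {}
    for token in body.split(" - "):
        token = token.strip()
        if " " in token:
            key, value = token.split(" ", 1)
            fields[key] = value.strip().strip('"').strip()
        elif token:
            fields[token] = True
    return fields


@dataclass
class NFactorSummary:
    no_client_cert: list = field(default_factory=list)        # ClientIPs of handshakes with no client cert
    client_authenticated: dict = field(default_factory=dict)  # SPCBId -> client certificate serial
    cert_subjects: dict = field(default_factory=dict)         # SPCBId -> certificate SubjectName
    fallbacks: int = 0                                        # "certificate is absent, falling back" messages
    cert_successes: int = 0                                   # "Successfully completed cert auth" messages
    logins: list = field(default_factory=list)                # (user, client_ip) from AAATM LOGIN
    groups: list = field(default_factory=list)                # groups extracted by the LDAP factor


def summarize(lines):
    """Walk the log once and collect the events that tell the certificate and LDAP paths apart."""
    s = NFactorSummary()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mod, ev, body = rec["module"], rec["event"], rec["body"]
        if mod == "SSLLOG" and ev == "SSL_HANDSHAKE_SUCCESS":
            f = parse_sslog_fields(body)
            if f.get("NO_CLIENT_CERT"):
                s.no_client_cert.append(f.get("ClientIP"))
            if f.get("CLIENT_AUTHENTICATED"):
                s.client_authenticated[f["SPCBId"]] = f.get("SerialNumber")
        elif mod == "SSLLOG" and ev == "SSL_HANDSHAKE_SUBJECTNAME":
            f = parse_sslog_fields(body)
            s.cert_subjects[f["SPCBId"]] = f.get("SubjectName")
        elif mod == "AAA" and ev == "Message":
            if "certificate is absent" in body:
                s.fallbacks += 1
            elif "Successfully completed cert auth" in body:
                s.cert_successes += 1
        elif mod == "AAA" and ev == "EXTRACTED_GROUPS":
            m = re.search(r'Extracted_groups "([^"]*)"', body)
            if m:
                s.groups.extend(g for g in m.group(1).split(",") if g)
        elif mod == "AAATM" and ev == "LOGIN":
            # "SessionId: 37- User users" has no ' - ' before User, so use a regex rather than split
            m = re.search(r"- User (\S+) - Client_ip (\S+)", body)
            if m:
                s.logins.append((m.group(1), m.group(2)))
    return s


if __name__ == "__main__":
    print(summarize(SAMPLE_NSLOG))
```

Feed it the real /var/log/ns.log (gunzip the rotated ns.log.*.gz first); the SSLLOG records are only written when SSL logging is enabled on the vserver or via the SSL profile, so an empty no_client_cert list may mean logging is off rather than that every client had a certificate.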

Related:

How to Test LDAP Authentication Settings on NetScaler Gateway Running 11.1 Version

From 11.1 builds there is a new feature to test the connection between the NetScaler and the backend LDAP server.

The LDAP server profile now has a “Test Connection” button, which generates traffic from the NetScaler to the backend LDAP server and reports the outcome of the connection attempt.

To navigate to the LDAP server profile: NetScaler > Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > LDAP > Servers

This is helpful to confirm whether there is a connectivity issue between the NetScaler and the configured LDAP server.

Related:

AAA GROUP expressions in Gateway Vserver (CVPN, Full VPN and ICA Proxy) use-cases

  • For using AAA Groups in policy expressions, it is mandatory to have the groups added in ADC. This is applicable for all expressions evaluated after the authentication flow is completed.
  • For example, if a user is part of a LDAP Group “Finance” and you want to have a policy expression like so (e.g. rewrite / responder or any other policy)

AAA.USER.IS_MEMBER_OF("Finance")

OR

AAA.USER.GROUPS.CONTAINS("Finance")

  • You should have the group “Finance” added to the ADC configuration, below are the steps to do it

CLI:

add aaa group Finance


GUI:

  • Citrix Gateway > User Administration > AAA Groups > ADD
  • Type the Group name and hit OK

Following are the expressions generally used to evaluate a user’s Group membership, and the above-mentioned requirement applies to all of them.

AAA.USER.IS_MEMBER_OF()

AAA.USER.GROUPS()

AAA.USER.IS_MEMBER_OF_ANY()

AAA.USER.IS_MEMBER_OF_ALL()

AAA.USER.INTERNAL_GROUPS()

AAA.USER.EXTERNAL_GROUPS()


Note: This requirement has always applied to the CVPN and Full VPN use cases. Starting with the following builds it also applies to the ICA Proxy use case:

12.1.57.x

13.0.61.x

Related:

Backend SSL Connection Fails on ADC due to missing extensions

The ADC omits the renegotiation extension from the ClientHello it sends to a backend server.

For example, a Secure LDAP service on port 636 (SSL_TCP) fails in services/monitors. The failure occurs because the “renegotiation_info” SSL extension (RFC 5746) is missing from the ClientHello sent by the ADC; a backend that requires the secure-renegotiation signal rejects a ClientHello that carries neither that extension nor the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite. Compare the two captures:

ClientHello without the renegotiation extension (the failing case): [capture: without-renegotiate-ext]

ClientHello with the renegotiation extension present: [capture: with-renegotiate-ext]
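To check a capture without eyeballing the Wireshark tree, the following Python (an added example, not Citrix code) builds three minimal TLS 1.2 ClientHello records, one with neither RFC 5746 signal, one carrying the renegotiation_info extension with an empty renegotiated_connection, and one carrying the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite, then parses a record and reports which signal it carries. The builder is only there to produce test input; the hostname ldap.example and the cipher-suite list are placeholders. Point parse_client_hello at the raw bytes of the first record in the ADC-to-backend stream exported from your own capture.

```python
import os
import struct

RENEGOTIATION_INFO = 0xFF01                 # extension type, RFC 5746 section 3.2
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite value, RFC 5746 section 3.3


def sni_extension(hostname):
    """server_name extension (type 0) for one host_name entry; hostname is a placeholder."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack(">H", len(name)) + name          # name_type host_name(0)
    return (0x0000, struct.pack(">H", len(entry)) + entry)


def build_client_hello(cipher_suites, extensions):
    """Assemble a minimal TLS 1.2 ClientHello record (constructed test input, not a real client)."""
    body = struct.pack(">H", 0x0303)                                 # client_version TLS 1.2
    body += os.urandom(32)                                           # random
    body += b"\x00"                                                  # empty session_id
    suites = b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                              # compression_methods: null only
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16" + struct.pack(">HH", 0x0303, len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(record):
    """Walk a ClientHello record and report how (if at all) it signals secure renegotiation support."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                                     # skip client_version and random
    sid_len = p[off]; off += 1 + sid_len
    cs_len = struct.unpack(">H", p[off:off + 2])[0]; off += 2
    suites = [struct.unpack(">H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = p[off]; off += 1 + comp_len
    extensions = {}
    if off < len(p):                                                 # the extensions block is optional
        ext_len = struct.unpack(">H", p[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", p[off:off + 4]); off += 4
            extensions[etype] = p[off:off + elen]; off += elen
    return {
        "scsv": TLS_EMPTY_RENEGOTIATION_INFO_SCSV in suites,
        "renegotiation_info": RENEGOTIATION_INFO in extensions,
        "extensions": sorted(extensions),
    }


def signals_secure_renegotiation(record):
    """True if the ClientHello carries either RFC 5746 signal; a strict server rejects it otherwise."""
    r = parse_client_hello(record)
    return r["scsv"] or r["renegotiation_info"]


# Constructed ClientHellos. Cipher-suite ids are TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
# TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA.
SUITES = [0xC02F, 0x002F, 0x0035]
WITHOUT_RENEG = build_client_hello(SUITES, [sni_extension("ldap.example")])
WITH_RENEG_EXT = build_client_hello(SUITES, [sni_extension("ldap.example"), (RENEGOTIATION_INFO, b"\x00")])
WITH_SCSV = build_client_hello(SUITES + [TLS_EMPTY_RENEGOTIATION_INFO_SCSV], [sni_extension("ldap.example")])

if __name__ == "__main__":
    for label, rec in (("without", WITHOUT_RENEG), ("extension", WITH_RENEG_EXT), ("scsv", WITH_SCSV)):
        print(label, parse_client_hello(rec))
```

The parser handles only the initial-handshake form; a ClientHello sent during renegotiation carries the previous client_verify_data in renegotiation_info, which this check treats the same way since it only looks for the extension's presence.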


XenMobile Analyzer Tool

The new XenMobile Analyzer Tool is a cloud-based solution that allows XenMobile administrators to diagnose issues proactively and in real time. XenMobile Analyzer environmental checks can identify device issues, user enrollment issues, and authentication issues. Numerous use-cases and deployment options are supported including MDM, MDM + MAM, MAM-only and five different authentication scenarios on both iOS and Android mobile environments.

Citrix Cerebro functionality has now been integrated into XenMobile Analyzer!

Visit our YouTube channel for a demonstration of XenMobile Analyzer Tool. The XenMobile Analyzer Tool is currently available on the XenMobile Management Tools page .

Please note, XM Analyzer tool does not currently function in the Workspace. Citrix is aware of this issue and currently investigating.

Scheduling Periodic Health Check Using XenMobile Analyzer Tool

XenMobile Analyzer Tool now provides you with the facility to monitor your XenMobile environment periodically. You can choose the time and frequency of when the health check should run. During configuration you will have to provide an email address and this email will be used by the XenMobile Analyzer Tool to send notifications on the health check. The XenMobile Analyzer Tool runs health checks automatically at the scheduled intervals and sends you email notifications on the results of the health checks.

Adding a New Health Check Schedule

  1. After you have set up your test environment, select it from the list and click Add Schedule.


    Or, you can also do this when you are on the Report page of a completed test.


  2. Click I Agree button to enable XenMobile Analyzer to store the test user credentials securely and click Continue.


  3. Enter the user credentials used for testing and click Continue.


  4. Select whether you want the health check to run Daily or Weekly and pick a time to run the health check. Select your time zone from the drop-down list.

    Next, select a date for the health checks to stop running.

    Finally, in the Recipients text-box, enter the email addresses (separated by comma if more than one) to which notification alerts about the scheduled tests will be sent.

    Click Save.


  5. Your scheduled health check is created.


After you successfully schedule a health check, you will receive an email from xma_admin@citrix.com confirming that the schedule has been added. The health check will run at the scheduled time in XenMobile Analyzer Tool. And every time the scheduled health check runs, you will get the notification email on the status of the health check.

Editing a Health Check Schedule

  • At any time, you can select the test environment where you want to edit the schedule and click Edit Schedule to change any of the variables entered. You can also pause/resume the health check schedule at any time using the ON/OFF switch.


Supported Test Environments for Adding Health Check Schedule

You will be able to only schedule tests which use:

  • LDAP authentication
  • Certificate authentication
  • LDAP + Certificate based enrollment authentication

You will not be able to schedule tests which have the following type of enrollment:

  • Invitation URL – because the invitation URL will be redeemed after the first enrollment and cannot be reused for next time.
  • Two-factor authentication which uses Security Token – because the token will expire in a short period of time.
  • Username + PIN enrollment
  • Username + Password + PIN enrollment

Related:

XenMobile LDAP Settings: Bad Request

When attempting to configure an LDAP server in XenMobile, “Bad Request” is shown in the web console.

LDAP connection is attempted on port 389 (plain text).

Ping to the LDAP server is successful. Connection is successful.

XenMobile Debug Logs show the following:

2018-05-18T13:09:08.526+0000 | | INFO | http-nio-14443-exec-23 | com.citrix.cg.identity.ldap.LdapManager | Check Primary server 'xxx' Connectivity

2018-05-18T13:09:08.738+0000 | | ERROR | http-nio-14443-exec-23 | com.citrix.cg.identity.ldap.LdapManager | User 'xxx@xxx' bind failed with domain 'XXX' Reason:[LDAP: error code 8 - 00002028: LdapErr: DSID-0C090256, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839 ]

2018-05-18T13:09:08.739+0000 | | ERROR | http-nio-14443-exec-23 | com.citrix.cg.bo.GenericUserListMgr | Failed adding userlist. Domain Name:XXX.

com.citrix.cg.exception.BOException: Cannot connect. Try again

LDAP result code 8 is strongerAuthRequired, and the 00002028 comment is Active Directory's way of saying that the domain controller enforces LDAP signing: a simple bind over port 389 is refused unless the connection is already protected by SSL/TLS or by LDAP signing. Configure the LDAP server in XenMobile to use a secure (LDAPS, port 636) connection to the domain controller; this also keeps the bind credentials from crossing the network in clear text.

Related:

Citrix Gateway Native OTP not working with Citrix IOS Workspace Client

nFactor support is planned for future releases of Citrix Workspace app for iOS. Meanwhile, the issue can be worked around by slightly altering the AAA vserver configuration on Citrix Gateway so that, for iOS Workspace clients only, the passcode (OTP) is evaluated first and the LDAP credentials second. Follow the steps below in the GUI. The client is selected on its User-Agent header, which the client itself supplies; the change only reorders the two factors, and both are still required before a session is created.

Pre-Requisites:

1. Native OTP should be configured and working (i.e. tested via a browser, Citrix Workspace app for Windows or Citrix Workspace app for Android).

https://docs.citrix.com/en-us/netscaler-gateway/12/native-otp-support.html

2. Identify the AAA vserver used for Native OTP.

If you followed the configuration example linked above, this is “authvs”.

3. Identify the policy for LDAP authentication; this is the one bound to the LDAP action with authentication enabled (authentication is enabled by default).

If you followed the configuration example linked above, this is “auth_pol_ldap_logon”.

4. Identify the LDAP action used for OTP verification; this is the LDAP action with authentication disabled.

If you followed the configuration example linked above, this is “ldap_otp_action”.

5. Identify the Gateway session policy and profile used by Receiver clients and ensure the plug-in type is set to “Java”.

Configuration:

Section1: Create a policy for OTP Verification for IOS Workspace Clients (Factor1)

  • Navigate to: Security ==> AAA – Application Traffic ==> Policies ==> Authentication ==> Advanced Policies ==> Authentication Policies ==> ADD
  • Name: IOS_WORKSPACE_Factor1
  • Action Type: LDAP
  • Action: ldap_otp_action (as noted in #4 in the prerequisites)
  • Expression: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("User-Agent").CONTAINS("IOS")
  • Click OK

Section2: Create a policy label for LDAP Credential Verification (Factor2)

  • Navigate to: Security ==> AAA – Application Traffic ==> Policies ==> Authentication ==> Advanced Policies ==> Authentication Policy Labels ==> ADD
  • Name: Plabel_LDAP_AUTH
  • Login Schema: LSCHEMA_INT
  • Click on Continue
  • In the policy binding section click on “Click to Select” and from the list select the policy for LDAP authentication (in this case “auth_pol_ldap_logon”, as noted in #3 in the prerequisites)
  • Click on Bind

Section3: Bind Factor1 with next Factor as Factor2 on AAA Vserver

  • Navigate to: Security ==> AAA – Application Traffic ==> Authentication Virtual Servers
  • Select the auth vserver (in this case “authvs”) and hit EDIT
  • Click on “Authentication Policy”; this lists the authentication policies bound to the AAA vserver. Note the lowest priority number among them.
  • Click on Add Binding
  • Click on “Select Policy”, and from the list select the policy created in Section 1, i.e. IOS_WORKSPACE_Factor1
  • Set Priority to a number lower than the lowest priority number noted above (a lower number is evaluated first, so this policy is tried before the existing flow)
  • Set Goto Expression to “END” (if OTP verification fails for a matching client, the cascade stops instead of falling through to the remaining policies)
  • Click on “Select Next Factor”, and from the list select the policy label created in Section 2, i.e. “Plabel_LDAP_AUTH”
  • Click Bind.
  • Close the Authentication Policy list and hit Done
