Unable to use TLS/SSL LDAP Auth after ADM upgrade to latest build 13.0-71.40 – TLS Handshake fails with “Unknown CA”

Permanent fix provided in next build ADM 13.0-76.xx and above.

Workaround ::


Execute one of these commands in ADM CLI to overwrite Certificate attribute retrieval faulty code. Customers can keep the existing LDAP Settings, no need to change anything. External authentication should work correctly now over SSL/TLS Security.


LDAPTLS_REQCERT=never ldapsearch -D CN=[service_account],CN=users,DC=lab,DC=com -H ldaps://[ldap_ip]:636 -b DC=lab,DC=com -Z -A -o nettimeout=3 -w [passwd]


LDAPTLS_REQCERT=never ldapsearch -D CN=[service_account],CN=users,DC=lab,DC=com -H ldap://[ldap_ip]:389 -b DC=lab,DC=com -Z -A -o nettimeout=3 -w [passwd]

Customers can safely proceed and configure LDAP server with security type TLS/SSL. There wouldn’t be any impact.


  • No Related Posts

nFactor – Certificate Fallback to LDAP in Same Cascade with One Virtual Server for Certificate and LDAP Authentication on Citrix ADC

Note: According to RFC6176 from Internet Engineering Task Force (ITEF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

This article describes following scenario:

  1. 1st factor is configured for either Certificate or LDAP Authentication.

  2. If a user fails to present Certificate for Authentication, there is an option to fall down to LDAP Authentication.

  3. Only a single Authentication vserver is needed to configure both.

This section describes these steps in detail. The first section briefly introduces the entities that are encountered in this document, and in general for nFactor authentication. The next section pictographically demonstrates the flow. The following sections have example “LoginSchema” that can be used to realize the logon form, and the relevant configuration.

Entities used in nFactor


Login Schema is an XML construct that is aimed at providing sufficient information to the UI tier so that it can generate user interface based on the information that is sent in this XML blob. LoginSchema is a logical representation of logon form in XML medium.

It can be added as:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> ­-passwordExpression <Expression>

where authenticationSchema is a well-structured XML that defines the way login form is rendered. UserExpression is used to extract username from login attempt. Likewise passwordExpression is used to extract password.

Authentication Policylabel

Auth Policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogenous policies, which means, the credentials received from user apply to all the policies in the cascade. However, there are exceptions to this when a fallback option is configured or feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there’s no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the vserver cascade.

When an authentication policy is bound to authentication vserver, specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.

It can be added as:

add authentication policylabel <name> -loginSchema <loginSchemaName>

Where, loginSchemaName will be the login schema that we want to associate with this authentication factor.

We can bind authentication policies to this label:

bind authentication policylabel <name> -policy LDAP –priority 10 –nextfactor <nextFactorLabelName>

Use Case Description

  1. User accesses TM vserver and he is redirected to Authentication vserver.

  2. If User Certificate is present in the client device, he will see a prompt as below to select the certificate for authentication:

    User-added image

  3. Upon selecting the appropriate certificate, user will be authenticated and granted access to backend resource.

  4. Now in case if user Certificate is absent, then user will see a login page for LDAP authentication as below and on submitting the user credentials, he will be authenticated and granted access to backend resource.

    User-added image

Users see a login page with Username and Password field. The fields such as labels for username and password can be customized.

Here’s the example used for this specific representation of logon form:

<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1" ><Status >success </Status><Result >more-info</Result><StateContext/><AuthenticationRequirements><PostBack> /nf/auth/doAuthentication.do</PostBack ><CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>Enter Login Name:</Text><Type>plain</Type></Label><Input><AssistiveText>Please supply either username as saamaccountname</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text> Hello , Please submit password to continue Login ...</Text><Type>confirmation</Type></Label><Input /></Requirement></Requirements></AuthenticationRequirements></AuthenticateResponse>

All the customizable portions of the logon form are highlighted here. Administrators can modify these values to suit their needs.

nFactor Flow Presentation

Policies for this use-case

add lb vserver lb_ssl SSL 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.aaatm.com -Authentication ON -authnVsName avnadd authentication vserver avn SSL 443 -AuthenticationDomain aaatm.combind authentication vserver avn -policy <Certificate Auth Policy> -priority 1 -gotoPriorityExpression NEXTbind authentication vserver avn -policy <LDAP Auth Policy> -priority 2 -gotoPriorityExpression NEXT

The preceding configuration describes adding a TM vserver for resource access, adding Authentication vserver for securing TM vserver, and relevant policies for this use-case. Portions highlighted in “yellow” are to replaced with appropriate authentication policies by the administrators.

The GOTO Priority expression by default is NEXT, so that we fall down to the next policy if it fails.

Certificate and LDAP Policy Configuration

The following is an examples of certificate and LDAP policy configuration:

add authentication certAction ca -userNameField SubjectAltName:PrincipalName

add authenticationpolicy cert -rule true -action ca

add authentication ldapAction ldap-new -serverIP -ldapBase “cn=users,dc=aaatm,dc=com” -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 1.linux -ldapLoginName sAMAccountName -groupattrName memberof -subAttributeName CN

add authenticationpolicy ldap-new -rule true -action ldap-new

Configuration Through Visualizer

1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add

2. Click on the + sign to add the nFactor Flow

3. Add Factor, this will be the name of the nFactor Flow

4. No schema needs to be selected for this configuration as the Cert Authentication doesn’t require a login schema and if the Authentication falls back to LDAP, the default login page is used.

5. Click on Add Policy and then Add after Choosing the Cert Authentication Policy

For more information on Client Cert Authentication see, CTX205823

6. Click on the blue plus sign below the Cert_Policy just selected to add LDAP Authentication Policy

7. Select the LDAP_Policy and then Add

For more information on creating LDAP Authentication see,Configuring LDAP Authentication

8. Click on Done this will automatically save the configuration.

9. Select the nFactor Flow just created and bind it to a AAA Virtual Server by clicking on Bind to Authentication Server and then Create

NOTE:Bind and Unbind the nFatctor Flow through he option given in nFactor Flow under Show Bindings only.

To unbind the nFactor Flow:

1. Select the nFactor Flow and Click on Show Bindings

2. Select the Authentication VServer and Click Unbind

Important ns.log Messages

  1. For the case when Certificate is absent:

ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New -NO_CLIENT_CERT-Jul 30 21:08:50 <local0.debug> 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"Jul 30 21:08:50 <local0.debug> 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAATM Message 438 0 : "LoginSchema policyeval did not return an active policy"Jul 30 21:08:50 <local0.debug> 07/30/2015:21:08:50 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 524 0 : SPCBId 568 - ClientIP - ClientPort 54500 - VserverServiceIP - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session NewJul 30 21:09:11 <local0.debug> 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 439 0 : "core 2: ns_get_username_password: loginschema gleaned is default "Jul 30 21:09:11 <local0.debug> 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 440 0 : "aaad_authenticate_req: copying policylabel name avn to aaa info, type 33 for auth "Jul 30 21:09:11 <local0.debug> 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 441 0 : "sslvpn_extract_attributes_from_resp: attributes copied so far are user11.citrix "Jul 30 21:09:11 <local0.debug> 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 442 0 : "sslvpn_extract_attributes_from_resp: total len copied 23, mask 0x5 "Jul 30 21:09:11 <local0.debug> 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 443 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, input aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s"Jul 30 21:09:11 <local0.debug> 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 444 0 : "Invaid tass cookie while checking whether current authentication is due to idp functionality: aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s "Jul 30 21:09:11 <local0.info> 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3,Group2,group1"
  1. For the case when Certificate is present:

Jul 30 21:10:36 <local0.debug> 07/30/2015:21:10:36 GMT 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 452 0 : SPCBId 596 - ClientIP - ClientPort 57227 - VserverServiceIP - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session ReuseJul 30 21:11:02 <local0.debug> 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP - ClientPort 57226 - VserverServiceIP - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"Jul 30 21:11:02 <local0.debug> 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 540 0 : SPCBId 578 - IssuerName " DC=com,DC=aaatm,CN=aaatm-DC-CA-1"Jul 30 21:11:02 <local0.debug> 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 541 0 : SPCBId 578 - SubjectName " DC=com,DC=aaatm,CN=Users,CN=user2"Jul 30 21:11:02 <local0.debug> 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "Jul 30 21:11:02 <local0.info> 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@ - SessionId: 37- User users - Client_ip - Nat_ip "Mapped Ip" - Vserver - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"Jul 30 21:11:02 <local0.debug> 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLVPN Message 544 0 : "core 0: initClientForReuse: making aaa_service_fqdn_len 0 "


How to Test LDAP Authentication Settings on NetScaler Gateway Running 11.1 Version

From 11.1 builds there is a new feature to Test the connection between Netscaler and backend LDAP server.

In LDAP server profile we have below button now “Test Connection” which generates the traffic from Netscaler to backend LDAP server and gives the information as shown below about the connection:

To navigate to LDAP Server Profile: NetScaler > Security > AAA – Application Traffic> Policies > Authentication > Basic Policies > LDAP > Servers

User-added image

This is helpful to confirm if there is any issue in connectivity between NetScaler and LDAP server configured.


AAA GROUP expressions in Gateway Vserver (CVPN, Full VPN and ICA Proxy) usecase

For using AAA Groups in policy expressions, it is mandatory to have the groups added in ADC. This is applicable for all expressions evaluated after the authentication flow is completed.

Example 1:

For example, if a user is part of a LDAP Group “Finance” and you want to have a policy expression like so (e.g. rewrite / responder or any other policy)