Jump to content
Welcome to our new Citrix community!

nFactor & Client Auth

Mark Brilman

Recommended Posts

I'm playing around a bit with nFactor on a VPX-1000/Platinum. I'm stuck on client authentication but I don't know why.


I have issued a user cert with CN = myusername and UPN = myusername

It's a 2048bit SHA256 cert.

I have bound both the Root as Intermediate to my AAA vServer CA certs with OCSP optional (no SKIP CA).

Client authentication is enabled/optional

The cert with private key is in the user store.

Certificate authentication policy with Subject:CN or  UPN set to true, with ldap as next factor (working LDAP policy) and two factor off (or on, doesn't matter).


When logging in to the portal I get the certificate popup. I can select the certificate, but then it fails saying No active policy while trying to fallback from certificate failure.


In ns.log I see:


Nov  7 15:39:38 <local0.info> 11/07/2017:14:39:38 GMT NS 0-PPE-0 : default AAA Message 32357 0 :  "NFactor: Cert Auth: Invalid certificate presented"
Nov  7 15:39:38 <local0.info> 11/07/2017:14:39:38 GMT NS 0-PPE-0 : default AAA Message 32358 0 :  "NFactor: Cert Auth: Cert failed; No further action to continue"

The message seems pretty nice: invalid certificate. but the user I'm logging in with is identical to the user on the certificate (both Subject CN as UPN).


Who can help me figure this one out?


Link to comment
Share on other sites

Hi Mark,


I am hoping that you have them bound similarly:

bind authentication vserver name -policy <Certificate Auth Policy> -priority 1 -gotoPriorityExpression NEXT

bind authentication vserver name -policy <LDAP Auth Policy> -priority 2 -gotoPriorityExpression NEXT


Link: https://support.citrix.com/article/CTX201730


If yes, then can you please share the following:

-What happens if no certificate is presented? (Meaning instead of invalid cert; no cert is found).

-NetScaler Version



  • Like 1
Link to comment
Share on other sites



Thanks for the quick reply, and good questions:

  • Version : NetScaler NS12.0: Build 53.13.nc, Date: Sep 22 2017, 09:11:54
  • Without cert I get (ofcourse no popup) and this error: 
    • Nov  8 08:01:39 <local0.info> 11/08/2017:07:01:39 GMT NS 0-PPE-0 : default AAA Message 34383 0 :  "NFactor: Cert Auth: Cert failed;  No further action to continue"
  • I did not bind them similarly. I bound LDAP as policy label on Next Factor of the certificate policy. When binding the policies similarly I do get a fallback to LDAP auth, but the certificate still isn't accepted:  Nov  8 08:32:49 <local0.info> 11/08/2017:07:32:49 GMT NS 0-PPE-0 : default AAA Message 34985 0 :  "NFactor: Cert Auth: Invalid certificate presented"

I attached some screenshots of my certificate, and the NetScaler CA bindings. Below the relevant config.


Relevant config:


bind authentication vserver VS_AAA_INT_1F -policy AUTHLSP_USERNAMEPW -priority 110 -gotoPriorityExpression NEXT (login schema)
bind authentication vserver VS_AAA_INT_1F -policy CERTPOL_SUBJECTCN -priority 100 -gotoPriorityExpression NEXT (cert policy)

bind authentication vserver VS_AAA_INT_1F -policy AAP_LDAPS_SAM -priority 110 -gotoPriorityExpression NEXT (ldap policy)


add authentication Policy CERTPOL_SUBJECTCN -rule true -action CERTPROF_SUBJECTCN
add authentication certAction CERTPROF_SUBJECTCN -userNameField Subject:CN

What am I messing up?





netscaler ca bindings.png

Link to comment
Share on other sites

I think it might be a bug in this particular NetScaler nFactor version.

I have implemented client auth many times before. Cert doesn't seem to work with basic authentication policies as well.


I also reduced my CA's to SHA256/2048 bit and enrolled a new user cert, but the error remains.

So no matter what I do with my client cert, NetScaler will not accept it.



Link to comment
Share on other sites

  • 1 month later...
  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...