Jump to content
Welcome to our new Citrix community!

NetScaler 12 OTP fails

Jens Ostkamp

Recommended Posts

Hey :)


I have recently set up the OTP feature within a customers environment. I followed this guide by Carl Stalhood:



So, the initial Setup worked pretty well, we have used a fresh test user and everything went fine. 


Users can log in through their manageotp -> set up their devices -> test OTP -> log in with the otp.


Now, when we tried it with a regular user, the OTP verification fails. It would basically look like this: User can log in through manageotp. User can add their device (QR Code shown), as soon as the user tries to verify/test the OTP, NetScaler throws an error. The device then is automatically deleted again (when trying to login into manageotp again). 

I verified, that NetScaler is able to write the Seed into AD Attribute, retrieves the Seed but then somehow it just breaks down. 


So I started to check other possibilites and recognized that the usual User of my client is a member of ~100 AD Groups. After doing some testing i could verify, as soon as your user is in more than 36 groups, the failing behaviour is shown. Everything to 36 works fine. Whenever you add a 37rd group, OTP Verification fails. It doesnt matter what group it is, it doesnt matter what user it is. We tested it with a fresh user and added him to one group after another, we tested it with a duplicate of a regular user and removed one group after another. The breaking point seems the 36/37 groups. Anyone ever encountered similar thigns? I know that there are issues with many AD Groups and NetScaler somehow getting a timeout if one user is in too many groups, but from what i have researched so far, the limitations shouldnt be like 36 groups. 


OTP is used for MFA with LDAP for NetScaler Gateway to StoreFront


Thank you very much in advance

Link to comment
Share on other sites

I have the official statement of the support technician, that this is a known bug/issue which is being worked upon. There is a possible solution to this which I was unable to test yet: removing the "Group Attributes" field within the LDAP Actions. However, this is not possible as NetScaler will automatically re-fill the Group Attribute to memberOf, regardless of the change you make to this field (probably another bug). So you basically will have to enter some dummy group attribute to get rid of the MemberOf attribute. If someone has the same issue currently and is able to test this, please let me know as i am currently not able to do this kind of test. 

But basically the problem persists: it is a known bug and it's being worked upon, so there is probably no way at the moment, to work around this, especially if you need the Group Attribute "memberOf" for further configuration/authorization requirements.

Link to comment
Share on other sites

  • 2 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...