Netscaler Web Authentication Problem


Cristian Riveros

I am configuring Web Authentication as the first authentication factor; I can create the profiles without problems and assign them to the VS,

but when I try to perform the validation I find the following:

  • The logon page gives me an error "try again".
  • In the aaa.debug log I only see the following: Delegating web auth to kernel for: XXXXX and then nothing; I do not have a line of error or rejection in the log.
  • When I make a packet capture on the NetScaler I see the following traffic:

  1. NS -> AUTH_WEB_SERVER : SYN
  2. AUTH_WEB_SERVER -> NS : SYN-ACK
  3. NS -> AUTH_WEB_SERVER : FIN-ACK
  4. AUTH_WEB_SERVER -> NS : ACK
  5. AUTH_WEB_SERVER -> NS : FIN-ACK
  6. NS -> AUTH_WEB_SERVER : ACK

I followed examples like: https://netscalerrocks.com/netscaler/security/basic-web-authentication-setup/ and https://www.citrix.com/blogs/2015/06/05/netscaler-web-based-authentication/

I run version NS12.1 49.23

regards!!!!!!

Hi,

When you took the capture - and there obviously is a handshake taking place - you didn't see any actual HTTP(S) data being transferred between the SYN and FINs?

Just a few ideas - but it's very hard to troubleshoot this offline:

  • If it's HTTPS you might have forgotten to set the "HTTPS" scheme.
  • If it's HTTPS, do you see any errors in the SSL handshake?
  • If you actually see HTTP data being sent, any clues in there?
  • NetScaler frequently "pings" the WEBAUTH server - afaik with a SYN-ACK only - so it might be this ping that you have seen and not your actual authentication! The actual authentication should come with HTTP(S) data.

9 hours ago, Manuel Kolloff1709158181 said:

Hi,

When you took the capture - and there obviously is a handshake taking place - you didn't see any actual HTTP(S) data being transferred between the SYN and FINs?

Just a few ideas - but it's very hard to troubleshoot this offline:

  • If it's HTTPS you might have forgotten to set the "HTTPS" scheme.
  • If it's HTTPS, do you see any errors in the SSL handshake?
  • If you actually see HTTP data being sent, any clues in there?
  • NetScaler frequently "pings" the WEBAUTH server - afaik with a SYN-ACK only - so it might be this ping that you have seen and not your actual authentication! The actual authentication should come with HTTP(S) data.

Hi Manuel:

  • If it's HTTPS you might have forgotten to set the "HTTPS" scheme.
    • The HTTPS scheme is OK.
  • If it's HTTPS, do you see any errors in the SSL handshake?
    • I don't see any SSL handshake.
  • If you actually see HTTP data being sent, any clues in there?
    • I don't see any data.
  • NetScaler frequently "pings" the WEBAUTH server - afaik with a SYN-ACK only - so it might be this ping that you have seen and not your actual authentication! The actual authentication should come with HTTP(S) data.
    • You are right, it is monitoring.

I don't see any data come out of the NS to my web authentication server.

Any clue?

Not really, sorry.

Imho it looks like it's not even triggering then.

The only idea I can imagine is that there's some sort of error in your expressions that prevents it from executing, because NS runs into an error before it can actually reach out to the web server.

To rule that out you could probably replace the expressions in your webauth policy with something simple like Request: "Hello" Response: "I'm there" ...without the fancy "HTTP.REQ.whatever" parts

...and then run another trace to see if there is communication now - then you'll know where to look.

And...just to ask the obvious, because NetScaler's policy framework can be confusing to newcomers sometimes - no offence :-)

You do have the auth-policy set to "true" only and bound to the correct AAA or Gateway vServer, right?

Hi Manuel,

Yes, the auth-policy has "true", but...

I already managed to communicate with the web authentication server; the problem now seems to be the HTTP Request Expression:
I used:
"GET /mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:clientRequestMMFA&amp;username="user name" HTTP/1.1
Host: X.X.X.X
cache-control: no-cache
Accept-Encoding: identity
transfer-encoding: chunked"

When I use it in this way there is no problem, but the authentication server is not able to process the "&amp;"; if I remove it, NetScaler does not send anything to the server.

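The request expression above is easier to reason about as the raw bytes the NetScaler would put on the wire. The following is an added example (not from this thread, and not Citrix code) in Python: it builds the same GET with urlencode, so the parameter separator is a literal "&" and reserved characters in values are percent-encoded, and it lints the version from the post; the host name is a placeholder. "&amp;" is HTML escaping, not HTTP, so the server receives a parameter named "amp;username", which matches the "not able to process" behaviour described; the unencoded space in the username and "Transfer-Encoding: chunked" on a body-less GET are two further things the server can stumble over.

```python
from urllib.parse import urlencode, unquote_plus

# Constructed sample: the request from the post as it would leave the NetScaler
# (the "&amp;" entity, an unencoded space in the username; host is a placeholder).
BROKEN_REQUEST = (
    "GET /mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:"
    "clientRequestMMFA&amp;username=user name HTTP/1.1\r\n"
    "Host: auth.example.internal\r\n"
    "Cache-Control: no-cache\r\n"
    "Accept-Encoding: identity\r\n"
    "Transfer-Encoding: chunked\r\n\r\n"
)

def build_request(path, params, host):
    """Build the GET with urlencode: '&' is the literal separator and reserved
    characters in values (space, ':') are percent-encoded, so no HTML escaping
    is needed and the request line stays valid. A GET carries no body."""
    return (f"GET {path}?{urlencode(params)} HTTP/1.1\r\nHost: {host}\r\n"
            "Cache-Control: no-cache\r\nAccept-Encoding: identity\r\n\r\n")

def query_params(raw):
    """Parse the query string the way the auth server will: split on '&'."""
    target = raw.split("\r\n", 1)[0].split(" ")[1]
    pairs = [p.partition("=") for p in target.partition("?")[2].split("&") if p]
    return {unquote_plus(k): unquote_plus(v) for k, _, v in pairs}

def lint_request(raw):
    """Return the on-the-wire problems a web-auth request would run into."""
    request_line, _, rest = raw.partition("\r\n")
    head, _, body = rest.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    problems = []
    if len(parts) != 3:
        problems.append("request line is not 'METHOD target HTTP/x.y' (unencoded space in target?)")
    if "&amp;" in target:
        problems.append("'&amp;' is an HTML entity: the server sees a parameter named 'amp;username'")
    if "host" not in headers:
        problems.append("Host header missing (required by HTTP/1.1)")
    if headers.get("transfer-encoding", "").lower() == "chunked" and not body:
        problems.append("Transfer-Encoding: chunked with no body: server waits for the final 0 chunk")
    return problems
```

Running lint_request(BROKEN_REQUEST) reports the three issues, while the request from build_request with the same PolicyId and username passes clean and parses back to the intended parameters.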

On 12/17/2018 at 7:57 PM, Cristian Riveros said:

I already managed to communicate with the web authentication server; the problem now seems to be the HTTP Request Expression:

Hi Cristian, how were you able to circle around the issue? We're seeing similar behaviour on 13.0-82.42.

On the &amp; issue, I would try to use a base64 encoded format rather than trying to push special characters into the request (for example by leveraging https://www.base64decode.org/).