
Citrix Netscaler Gateway v12.1 Native OTP / Factor Configuration



https://www.youtube.com/watch?v=JSR9MTwpn3Y


This video describes how to configure Native OTP on a NetScaler running version 12.1, but we're not able to get authentication working when we're at the logon prompt.


We've followed the steps as best we could and think we got them 100% right, but something is preventing users from authenticating.


Here is some pseudo-code of our process:


1. Configuration, Security, AAA - Application Traffic, Virtual Servers, Add, Name: authvs, IP address Type: Non Addressable, OK, Certificate, No Certificate, Server Certificate Binding (Select Server Certificate) Click to select >, Check SSL (anyone), Select, Bind, Close, Continue, Continue, + Portal Themes (on right side), Portal Theme (Select RfWebUI), OK, Done
2. Configuration, Security, AAA - Application Traffic, Authentication Profile, Add, Name: otp_auth_vs, Authentication Host: otp.mycorp.com, Authentication Virtual Server (Click to select) >, Check authvs, Select, Create
3. Configuration, Citrix Gateway / Netscaler Gateway, Virtual Servers, Edit existing virtual server, + Authentication Profile (on right side), select otp_auth_vs, OK, Done
4. Configuration, Security, AAA - Application Traffic, Policies, Authentication, Advanced Policies, Policy, Add, Name: ldap_auth, Action Type: LDAP, Action, Add, Create Authentication LDAP Server, Name: ldap_auth, Server IP, IP address: 192.168.1.10, Security Type: PLAINTEXT, Port: 389, Server Type: AD, Base DN: dc=mycorp,dc=com, Administrator Bind DN: administrator@mycorp.com, Administrator Password: Password987, Confirm Password: Password987, Press "Test LDAP Reachability", Server Logon Name Attribute: sAMAccountName, Create, Expression: true, Create
5. Configuration, Security, AAA - Application Traffic, Policies, Authentication, Advanced Policies, Policy, Add, Name: otp_validation, Action Type: LDAP, Action, Add, Create Authentication LDAP Server, Name: ldap_auth, Server IP, IP address: 192.168.1.10, Security Type: PLAINTEXT, Port: 389, Server Type: AD, Un-Check: Authentication, Base DN: dc=mycorp,dc=com, Administrator Bind DN: administrator@mycorp.com, Administrator Password: Password987, Confirm Password: Password987, Press "Test LDAP Reachability", Server Logon Name Attribute: sAMAccountName, OTP: Secret: userParameters, Create, Expression: true, Create
6. Configuration, Security, Login Schema, Add, Name: otp_login, Profile: Add, Create Authentication Login Schema, Name: otp_dualauth, Authentication Schema: Click Pencil icon, Double Click LoginSchema Folder to expand list, Select: DualAuthOrOTPRegisterDynamic.xml, Create, Rule: true, Create
7. Configuration, Security, Login Schema, Add, Name: otp_management, Profile: Add, Create Authentication Login Schema, Name: otp_management, Authentication Schema: Click Pencil icon, Double Click LoginSchema Folder to expand list, Select: SingleAuthManageOTP.xml, Create, Rule: http.REQ.COOKIE.VALUE("NSC_TASS").eq("manageotp"), Create
8. Configuration, Security, AAA - Application Traffic, Virtual Servers, Edit authvs, Advanced Authentication Policies, Click No Authentication Policy, Policy Binding, Select Policy Binding >, Check ldap_auth, Select, Select Next Factor, Click to select >, Add, Name: otp_factor, Continue, Policy Binding, Select Policy, Click to select >, Check otp_validation, Select, Bind, Done, Check otp_factor, Select, Bind
9. Configuration, Security, AAA - Application Traffic, Virtual Servers, Edit authvs, + Login Schema (on right side), Login Schemas, Click No Login Schema, Policy Binding, Select Policy, Click to select >, Check otp_management, Select, Bind, Login Schemas, Click 1 Login Schema, Authentication Login Schema Policy, Add Binding, Policy Binding, Select Policy, Click to select >, check otp_login, Select, Bind, Close, Done


DEBUG INFO:

root@ns# cat aaad.debug
Sun Apr 28 15:35:19 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[695]: main 0-0: timer 2 firing...
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[900]: process_kernel_socket 0-52: partition id is 0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[1108]: process_kernel_socket 0-52: ns_aaad_decrypt_auth not done
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[1143]: process_kernel_socket 0-52: call to authenticate
user :tom, vsid :10975, userlen 3
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[1196]: process_kernel_socket 0-52: call to authenticate
user :tom, vsid :10975, req_flags 2
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5019]: start_cascade_auth 0-52: starting cascade authentication
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5132]: cascade_auth 0-52: starting ldap auth for: tom, sizeof(*ar) is 28, userlen 4
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[117]: start_ldap_auth 0-52: Starting LDAP auth
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[141]: start_ldap_auth 0-52: attempting to do ldap auth for tom @ 192.168.1.10
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[143]: start_ldap_auth 0-52: LDAP referrals are OFF
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[144]: start_ldap_auth 0-52: LDAP referral nesting depth 0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[913]: continue_ldap_init 0-52: Connecting to: 192.168.1.10:389
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[919]: continue_ldap_init 0-52: User tom Connecting to: 192.168.1.10:389
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5371]: register_timer 0-52: setting timer 25
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5448]: unregister_timer 0-52: releasing timer 25
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[993]: ns_ldap_set_up_socket 0-52: Server certificate hostname = NULL
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1040]: ns_ldap_set_up_socket 0-52: Set cert verify level 0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1043]: ns_ldap_set_up_socket 0-52: Getting cipher suite global value
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1046]: ns_ldap_set_up_socket 0-52: Checking non-zero cipher suite
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1056]: ns_ldap_set_up_socket 0-52: NULL cipher suite.  Using default.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1062]: ns_ldap_set_up_socket 0-52: Freeing cipher suite value
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1069]: ns_ldap_set_up_socket 0-52: Done with cipher suite
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1142]: ns_ldap_set_up_socket 0-52: Sectype: 1
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1147]: ns_ldap_set_up_socket 0-52: Successfully established connection to NULL
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5371]: register_timer 0-52: setting timer 26
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[197]: receive_ldap_bind_event 0-52: receive ldap bind event

Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-52: checking LDAP result.  Expecting 97 (LDAP_RES_BIND)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[492]: ns_ldap_check_result 0-52: ldap_result found expected result LDAP_RES_BIND
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[209]: receive_ldap_bind_event 0-52: Bind OK
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5448]: unregister_timer 0-52: releasing timer 26
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[278]: receive_ldap_bind_event 0-52: Original slen: 3
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[302]: receive_ldap_bind_event 0-52: User name: dirty = <tom> sanitized = <tom>
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[304]: receive_ldap_bind_event 0-52: Admin bind successful, attempting user search event for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1923]: get_email_attribute 0-52: Email attribute: <mail>, length 5
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1323]: ns_ldap_search 0-52: Searching for <<(| (objectClass=domainDNS) (& (sAMAccountName=tom) (objectClass=*)))>> from base <<dc=MYCORP,dc=com>>
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5371]: register_timer 0-52: setting timer 27
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1347]: ns_ldap_search 0-52: Sent user search query.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-52: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-52: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-52: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-52: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-52: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-52: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-52: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-52: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-52: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-52: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-52: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-52: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-52: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-52: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-52: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-52: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-52: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[492]: ns_ldap_check_result 0-52: ldap_result found expected result LDAP_RES_SEARCH_RESULT
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[414]: receive_ldap_user_search_event 0-52: received LDAP_OK
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5448]: unregister_timer 0-52: releasing timer 27
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[444]: receive_ldap_user_search_event 0-52: Binding user... 2 entries
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[445]: receive_ldap_user_search_event 0-52: Admin authentication(Bind) succeeded, now attempting to search the user tom 
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[448]: receive_ldap_user_search_event 0-52: Number of entires in LDAP server response = 2
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[462]: receive_ldap_user_search_event 0-52: [0]: Object = 0x804a0ddc0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[727]: extract_ldap_multi_value_attribute 0-52: While retrieving ldap attribute objectClass, 3 attribute values found for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[336]: check_for_domain_dns 0-52: Extracted attribute, name: objectClass, value: top,domain,domainDNS
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[340]: check_for_domain_dns 0-52: Found objectClass of type domainDNS
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[479]: receive_ldap_user_search_event 0-52: Updated usrobj_domaindns for user tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[462]: receive_ldap_user_search_event 0-52: [1]: Object = 0x804a0dd40
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[727]: extract_ldap_multi_value_attribute 0-52: While retrieving ldap attribute objectClass, 5 attribute values found for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[336]: check_for_domain_dns 0-52: Extracted attribute, name: objectClass, value: top,webadmAccount,person,organizationalPerson,user
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[344]: check_for_domain_dns 0-52: Did not find objectClass of type domainDNS
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[488]: receive_ldap_user_search_event 0-52: Updated usrobj for user tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[518]: receive_ldap_user_search_event 0-52: User DN= <<CN=tom,CN=Users,DC=MYCORP,DC=COM>>
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2306]: check_pwd_last_set 0-52: pwdLastSet = 131900013178384044, value = 43457
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2332]: check_max_pwd_age 0-52: maxPwdAge = -9223372036854775808, value = 10675199
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2369]: set_days_for_pwd_exp 0-52: (set_days_for_pwd_exp) INPUT: pwd_last_set = 43457, max_pwd_age = 10675199
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2382]: set_days_for_pwd_exp 0-52: days_since_1970 = 18015, days_since_pwd_last_set = 126, days_for_pwd_exp = 10675073
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[639]: extract_ldap_attribute 0-52: retrieved pwdLastSet value 131900013178384044 for tom, length is 18
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1923]: get_email_attribute 0-52: Email attribute: <mail>, length 5
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[639]: extract_ldap_attribute 0-52: retrieved mail value tom@mycorp.com for tom, length is 13
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1923]: get_email_attribute 0-52: Email attribute: <mail>, length 5
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[747]: receive_ldap_user_search_event 0-52: extracted attribute, name: mail, value: tom@mycorp.com
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1923]: get_email_attribute 0-52: Email attribute: <mail>, length 5
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2140]: build_ldap_group_string 0-52: While building the ldap group string for user tom, group attribute was null
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[793]: receive_ldap_user_search_event 0-52: For user tom, group stringLength 0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[805]: receive_ldap_user_search_event 0-52: no group extraction for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[833]: receive_ldap_user_search_event 0-52: User search succeeded, attempting user authentication(Bind) for <tom>
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5371]: register_timer 0-52: setting timer 28
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1530]: receive_ldap_user_bind_event 0-52: Got user bind event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-52: checking LDAP result.  Expecting 97 (LDAP_RES_BIND)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[492]: ns_ldap_check_result 0-52: ldap_result found expected result LDAP_RES_BIND
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1539]: receive_ldap_user_bind_event 0-52: Bind OK.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5448]: unregister_timer 0-52: releasing timer 28
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1633]: receive_ldap_user_bind_event 0-52: User authentication (Bind event) for user tom succeeded
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[3809]: send_accept 0-52: sending accept to kernel for : tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[3726]: aaad_alloc_serialize_keyValue_attrs 0-52: Total attribute values to PE : 77, mail=tom@mycorp.com

Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[900]: process_kernel_socket 0-53: partition id is 0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[1108]: process_kernel_socket 0-53: ns_aaad_decrypt_auth not done
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[1143]: process_kernel_socket 0-53: call to authenticate
user :tom, vsid :10973, userlen 3
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[1196]: process_kernel_socket 0-53: call to authenticate
user :tom, vsid :10973, req_flags 2
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5019]: start_cascade_auth 0-53: starting cascade authentication
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5132]: cascade_auth 0-53: starting ldap auth for: tom, sizeof(*ar) is 28, userlen 4
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[117]: start_ldap_auth 0-53: Starting LDAP auth
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[141]: start_ldap_auth 0-53: attempting to do ldap auth for tom @ 192.168.1.10
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[143]: start_ldap_auth 0-53: LDAP referrals are OFF
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[144]: start_ldap_auth 0-53: LDAP referral nesting depth 0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[913]: continue_ldap_init 0-53: Connecting to: 192.168.1.10:389
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[919]: continue_ldap_init 0-53: User tom Connecting to: 192.168.1.10:389
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5371]: register_timer 0-53: setting timer 29
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5448]: unregister_timer 0-53: releasing timer 29
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[993]: ns_ldap_set_up_socket 0-53: Server certificate hostname = NULL
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1040]: ns_ldap_set_up_socket 0-53: Set cert verify level 0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1043]: ns_ldap_set_up_socket 0-53: Getting cipher suite global value
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1046]: ns_ldap_set_up_socket 0-53: Checking non-zero cipher suite
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1056]: ns_ldap_set_up_socket 0-53: NULL cipher suite.  Using default.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1062]: ns_ldap_set_up_socket 0-53: Freeing cipher suite value
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1069]: ns_ldap_set_up_socket 0-53: Done with cipher suite
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1142]: ns_ldap_set_up_socket 0-53: Sectype: 1
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1147]: ns_ldap_set_up_socket 0-53: Successfully established connection to NULL
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5371]: register_timer 0-53: setting timer 30
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[197]: receive_ldap_bind_event 0-53: receive ldap bind event

Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-53: checking LDAP result.  Expecting 97 (LDAP_RES_BIND)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[492]: ns_ldap_check_result 0-53: ldap_result found expected result LDAP_RES_BIND
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[209]: receive_ldap_bind_event 0-53: Bind OK
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5448]: unregister_timer 0-53: releasing timer 30
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[278]: receive_ldap_bind_event 0-53: Original slen: 3
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[302]: receive_ldap_bind_event 0-53: User name: dirty = <tom> sanitized = <tom>
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[304]: receive_ldap_bind_event 0-53: Admin bind successful, attempting user search event for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1885]: get_otp_attribute 0-53: OTP Secret Attribute name: <userParameters>, length 15
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1923]: get_email_attribute 0-53: Email attribute: <mail>, length 5
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1323]: ns_ldap_search 0-53: Searching for <<(| (objectClass=domainDNS) (& (sAMAccountName=tom) (objectClass=*)))>> from base <<dc=MYCORP,dc=com>>
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5371]: register_timer 0-53: setting timer 31
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[1347]: ns_ldap_search 0-53: Sent user search query.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-53: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-53: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-53: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-53: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-53: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-53: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-53: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-53: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-53: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-53: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-53: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-53: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-53: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-53: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[458]: ns_ldap_check_result 0-53: Got result 0.  Non-event, continuing
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[402]: receive_ldap_user_search_event 0-53: Received LDAP user search event.
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[454]: ns_ldap_check_result 0-53: checking LDAP result.  Expecting 101 (LDAP_RES_SEARCH_RESULT)
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[492]: ns_ldap_check_result 0-53: ldap_result found expected result LDAP_RES_SEARCH_RESULT
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[414]: receive_ldap_user_search_event 0-53: received LDAP_OK
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[5448]: unregister_timer 0-53: releasing timer 31
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[444]: receive_ldap_user_search_event 0-53: Binding user... 2 entries
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[445]: receive_ldap_user_search_event 0-53: Admin authentication(Bind) succeeded, now attempting to search the user tom 
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[448]: receive_ldap_user_search_event 0-53: Number of entires in LDAP server response = 2
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[462]: receive_ldap_user_search_event 0-53: [0]: Object = 0x804a0de80
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[727]: extract_ldap_multi_value_attribute 0-53: While retrieving ldap attribute objectClass, 3 attribute values found for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[336]: check_for_domain_dns 0-53: Extracted attribute, name: objectClass, value: top,domain,domainDNS
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[340]: check_for_domain_dns 0-53: Found objectClass of type domainDNS
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[479]: receive_ldap_user_search_event 0-53: Updated usrobj_domaindns for user tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[462]: receive_ldap_user_search_event 0-53: [1]: Object = 0x804a0df00
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[727]: extract_ldap_multi_value_attribute 0-53: While retrieving ldap attribute objectClass, 5 attribute values found for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[336]: check_for_domain_dns 0-53: Extracted attribute, name: objectClass, value: top,webadmAccount,person,organizationalPerson,user
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[344]: check_for_domain_dns 0-53: Did not find objectClass of type domainDNS
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[488]: receive_ldap_user_search_event 0-53: Updated usrobj for user tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[518]: receive_ldap_user_search_event 0-53: User DN= <<CN=tom,CN=Users,DC=MYCORP,DC=COM>>
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2306]: check_pwd_last_set 0-53: pwdLastSet = 131900013178384044, value = 43457
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2332]: check_max_pwd_age 0-53: maxPwdAge = -9223372036854775808, value = 10675199
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2369]: set_days_for_pwd_exp 0-53: (set_days_for_pwd_exp) INPUT: pwd_last_set = 43457, max_pwd_age = 10675199
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2382]: set_days_for_pwd_exp 0-53: days_since_1970 = 18015, days_since_pwd_last_set = 126, days_for_pwd_exp = 10675073
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[639]: extract_ldap_attribute 0-53: retrieved pwdLastSet value 131900013178384044 for tom, length is 18
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1885]: get_otp_attribute 0-53: OTP Secret Attribute name: <userParameters>, length 15
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[575]: extract_ldap_attribute 0-53: While retrieving ldap attributes userParameters attribute not found for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1885]: get_otp_attribute 0-53: OTP Secret Attribute name: <userParameters>, length 15
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[691]: receive_ldap_user_search_event 0-53: Failed to extract attribute, name: userParameters,
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1885]: get_otp_attribute 0-53: OTP Secret Attribute name: <userParameters>, length 15
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[1923]: get_email_attribute 0-53: Email attribute: <mail>, length 5
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_common.c[639]: extract_ldap_attribute 0-53: retrieved mail value tom@mycorp.com for tom, length is 13
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[2140]: build_ldap_group_string 0-53: While building the ldap group string for user tom, group attribute was null
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[793]: receive_ldap_user_search_event 0-53: For user tom, group stringLength 0
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[805]: receive_ldap_user_search_event 0-53: no group extraction for tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/ldap_drv.c[811]: receive_ldap_user_search_event 0-53: Authentication is disabled for user tom, finishing ldap authentication
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[3809]: send_accept 0-53: sending accept to kernel for : tom
Sun Apr 28 15:35:20 2019
 /home/build/rs_121_50_16_RTM/usr.src/netscaler/aaad/naaad.c[3726]: aaad_alloc_serialize_keyValue_attrs 0-53: Total attribute values to PE : 77, mail=tom@mycorp.com

Looks like that was the problem: /manageotp was never done. It would be nice if, instead of giving an error, it redirected to /manageotp when the account is not enrolled yet.

We got an error about the NTP server (time server) not having been set. Once we did that, we were able to get it all working.

We also followed JG Spiers' guide, which had screenshots that made the process easier to follow:

https://www.jgspiers.com/netscaler-native-otp/

Is there any documentation on how to set up several hundred OTP accounts that use Azure MFA? I haven't found an interface in Azure MFA yet that you can paste a list of accounts into, or click select on a bunch of accounts in a listing, to send out a link with an invite to configure MFA. We're working on a project with 100+ user accounts that will be required to use Azure MFA via our on-prem Netscaler pretty soon, and knowing a quick & easy way to get users the barcode, or at least a link, would be great.

I am having the exact same problem. The user has successfully enrolled with /manageotp.

userParameters has been written successfully.

After rechecking the time on all components, it works.

Very sensitive to time.

AD, DDC, SF, Netscaler, client laptop and mobile device must all have exactly the same time.
