Jump to content
Welcome to our new Citrix community!

Duo - Removing Password2 Field

Gregor Blaj

Recommended Posts



I'm setting up Duo multi-factor authentication and there is a requirement to remove the password2 field from the login page. The field has to be removed (not hidden) in a way so that nothing is sent upon a login, rather than a blank value (otherwise logins fail). Their documentation (https://duo.com/docs/citrix-netscaler-alt) states to add the following rewrite action/policy but I'm not sure why it is not applying.


I can confirm the policy is getting hits, but if I examine 'gateway_login_form_view.js' in a browser, it has not been modified. From what I can see, the idea is to prevent the "if (pwc ==2" statement from executing.

add rewrite action rw_act_insert_var_DUO_ENABLED insert_before_all "HTTP.RES.BODY(120000).SET_TEXT_MODE(IGNORECASE)" "\"var DUO_ENABLED = true;\"" -pattern "if (pwc ==2"
add rewrite action rw_act_insert_DUO_ENABLED insert_after_all "HTTP.RES.BODY(120000).SET_TEXT_MODE(IGNORECASE)" "\" && !DUO_ENABLED\"" -pattern "if (pwc ==2"

add rewrite policy rw_pol_insert_var_DUO_ENABLED "HTTP.REQ.URL.CONTAINS(\"gateway_login_form_view.js\")" rw_act_insert_var_DUO_ENABLED
add rewrite policy rw_pol_insert_DUO_ENABLED "HTTP.REQ.URL.CONTAINS(\"gateway_login_form_view.js\")" rw_act_insert_DUO_ENABLED
  • NS Version: NS12.1 51.19.nc
  • Theme: X1

Thanks for any help.

Link to comment
Share on other sites



Yes, it's bound as type 'Response', see below. I also just tried the default theme and seeing the same results.

bind vpn vserver NG1 -policy rw_pol_insert_var_DUO_ENABLED -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver NG1 -policy rw_pol_insert_DUO_ENABLED -priority 110 -gotoPriorityExpression END -type RESPONS

Thanks again.

Link to comment
Share on other sites

On 6/15/2019 at 0:20 AM, Silvio Balduzzi1709153051 said:



For removing the second password field you can remove the "Authentication" check into NetScaler Gateway configurations and create a rewrite policy:





 Doesn't that cause authentication to always succeed? The code in my original post should remove the field, but the rewrite doesn't seem to be working.


The alternative in my case would be to auto populate the 'password2' field with an authentication method value (such as 'push') and then hide it. Is it possible to auto populate it?

Link to comment
Share on other sites

On 6/21/2019 at 9:49 PM, Silvio Balduzzi1709153051 said:

No, if you remove the Authentication flag it only blocks direct access to Citrix resources.

In this case, access can only be performed after performing Duo authentication.

I have this configuration in my lab environment and it's ok.


Have you the possibility to try this?




I haven't had a chance to test yet. The article doesn't say to remove the authentication option though, why is this required? Also, should I be removing it on the Radius server or LDAP?

Link to comment
Share on other sites

  • 1 year later...
On 7/1/2019 at 3:43 AM, Silvio Balduzzi1709153051 said:

If you remove the authentication flag from the LDAP you remove the second password request to the authentication form and permit to view the duo authentication request form after the classic username and password request.






Removing authentication on LDAP server will not work.

In fact it will remove 2nd password but if user log with correct username and wrong password, after DUO proceed, user will receive Cannot Complete your request message ...


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...