Jump to content
Welcome to our new Citrix community!

Certbased Auth ADC setting "Anonymous" in Userfield in Chrome and FireFox

Julian Jakob

Recommended Posts



I've created nFactor Config with the following auth factors:


- If Usercert is available, ADC is adopting the Username extracted from the UPN in the Cert + LDAP Password

- If no Usercert is available, ADC is showing Gateway Login for Username + LDAP Password + RADIUS


I configured this several times from George, see https://www.jgspiers.com/nfactor-authentication-with-netscaler-gateway/


The only two things which changed now are the ADC Buildversion (latest 12.1) and I edited the XML and replaced ${HTTP.REQ.USER.NAME} with ${AAA.USER.NAME}


Attached my XML Sheet for the CertExtract Login Schema.


Using Internet Explorer from a non-corp device (no Usercert) nFactor is working fine and I have to login with the second factor RADIUS.


Using Google Chrome or FireFox from a non-corp device (no Usercert) nFactor is not working correctly, Username is filled with "Anonymous" and fixed out. So the Fallback to my second factor (Radius) seems not to work. Attached a Screenshot. It's not possible to get the second factor or logon.


Logs in correct order:


- default SSLVPN Message 88426 0 : "Created nFactor session for user j_jakob"

- default AAA LOGIN_FAILED 88429 0 : User j_jakob - Client_ip XXX - Failure_reason "External authentication server denied access"

- default SSLVPN Message 82930 0 : "Created nFactor session for user Anonymous"


Why is this even possible to create a session for "Anonymous" ? Any Ideas? I think problem is on the browser-side, but why?... What's different between IE and Chrome / FireFox?


Thanks and Best Regards



Certbased Auth.JPG

Link to comment
Share on other sites

  • 2 weeks later...

Turns out that Chrome and Firefox are supporting TLS 1.3, but only for Webtraffic. For using certbased Auth there is a problem / mismatch with the three TLS 1.3 Cipher Suites from the ADC.


Disabled TLS 1.3 on my Content Switch / AAA and only enable TLS 1.2 -> Works.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...