
NetScaler Authentication policy order modifications




We have set up NetScaler VPX in double hop with the following authentication policies:

Primary: LDAP (Active Directory)

Secondary: RADIUS (RSA)

The requirement is that, while the password field would have LDAP followed by RSA, NetScaler should attempt RSA authentication first, followed by LDAP.

This is to ensure we can minimize account lockout risks.


The following was tried:

Reversed the authentication policies to RADIUS (primary) followed by LDAP

Portal theme was unchanged

Password -- Active Directory

Password 2 -- RSA

Swapped the password order in gateway_login_form_view.js as below:

var enter_passwd2 = $("<input type='password'></input>").attr({'id':'passwd','class':'prePopulatedCredentials','autocomplete':'off', 'spellcheck' : 'false',  'name' :'passwd', 'size':'30', 'maxlength' : '127',"width":"180px"});
var enter_passwd_dummy = $("<input type='password'></input>").attr({"id":"dummy_pass1","name":"dummy_pass1","style":"display:none"});
var enter_passwd = $("<input type='password'></input>").attr({'id':'passwd1','class':'prePopulatedCredentials','autocomplete':'off', 'spellcheck' : 'false',  'name' :'passwd1', 'size':'30', 'maxlength' : '127',"width":"180px"});
var enter_passwd2_dummy = $("<input type='password'></input>").attr({"id":"dummy_pass2","name":"dummy_pass2","style":"display:none"});


While the authentication order worked perfectly on browsers, it fails whilst attempting to log in via the Citrix SSO app (used for full VPN on Mac).

Would be grateful if anyone could advise if we could achieve the desired action using any other method.







Thanks Sam,


Yes, Credential index is changed and set to secondary to pass LDAP credentials to StoreFront. From a browser all works; we get failed authentication only through Citrix SSO downloaded from the App Store.

It appears the Citrix VPN (Citrix SSO) application does not refer to the gateway login form for swapped password fields, which is causing us issues.

I am not sure if we could achieve RADIUS authentication to go first and then cascade the auth to LDAP using responder policies?


Before you try a rewrite, try re-labeling them in the portal theme. See this section: https://www.carlstalhood.com/netscaler-gateway-12-tweaks/

There you can change the Password and Password2 field titles (keep searching on authentication until you're in the ballpark of the portal theme customizations).


If you still need the rewrite policy, this isn't the exact example as it shows a rewrite to "delete" a field. But once you get in the right spot a modify/replace should be similar. Can't mock it up right now, but see if this gets you to the correct point:  https://www.tech.xenit.se/remove-password-2-rfwebui/?es_p=5239593&es_p=5239706


Or someone else might be able to get you a more complete answer.


The post you are referring to is doing the same thing that you tried - switching RADIUS to PRIMARY auth and LDAP to SECONDARY auth - but by using rewrite policies instead of making the modifications manually. Maybe Citrix SSO is assuming that LDAP is always primary … ?
