Did Vulnerability Mitigation Steps Break LDAP?

We have a 2 member HA Pair of Netscaler virtual appliances. Besides using these as application gateways, we also use the Netscaler as an LDAP/LDAPS load balancer.


Yesterday we went through the steps outlined in https://support.citrix.com/article/CTX267679 to mitigate a security vulnerability for the HA Pair. All steps appeared to complete successfully. However, when we came in this morning we discovered that one of our critical applications could no longer authenticate to the LDAP server (the Netscaler).


We tried to go through the "revert" steps outlined in the article above, but authentication still failed. (So now I'm wondering if the revert steps actually worked? Am I really back to where I was yesterday before I started all this? Or am I in some kind of halfway-in, halfway-out situation?)


We are currently working around the LDAP authentication issue by pointing users directly to an LDAP server instead of the NetScaler. (So no load balancing.)


I am opening a ticket with support but I'm wondering if anyone else has seen something similar? Also, if anyone has any tips on what logs/services/etc we might look at, I'd appreciate it. Right now we're just jiggling some wires trying to see if we can get it back working again, and I'm not sure how to test it other than to enter the NetScaler IP/DNS name into our critical appliance and see if it somehow magically starts working again.


You mentioned that one of your applications is not working. Do you have other applications authenticating to LDAP which are working?

While the mitigation should not be affecting LDAP per se, it is possible that it might be affecting applications through the NetScaler via CVPN (clientless VPN).


Simply unbinding the responder policy and running the following command:

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=1

should bring the NetScaler back to the original state.

You will also need to remove the nsapimgr_wr.sh command from rc.netscaler, so it doesn't get executed when the NetScaler is rebooted.

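The "halfway-in, halfway-out" worry in the original post is exactly the persistence step of the revert: the mitigation adds a line running nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 to rc.netscaler so that it is re-applied at every reboot, and the revert is only complete once that line is gone. As an added example, not code from this thread or from Citrix, the script below makes that one check mechanical. It tests whether a file still carries the persisted line and strips it without touching anything else. The appliance path /nsconfig/rc.netscaler is an assumption from memory; the functions take the path as an argument, and a constructed sample file is used here so the script runs on any POSIX shell without an appliance.

```shell
#!/bin/sh
# Added example, not from the thread or from Citrix: check-and-clean for the
# persistence step of the CTX267679 revert. The mitigation adds a line running
# "nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0" to rc.netscaler so that it
# survives reboots; the revert must take that line back out again.
# On an appliance the real file is /nsconfig/rc.netscaler (assumed path); the
# functions take the path as an argument and a constructed sample is used here.

# Fixed string that identifies the persisted mitigation line, whatever value
# (=0 or =1) follows it.
MITIGATION_MARK='nsapimgr_wr.sh -ys skip_systemaccess_policyeval='

# Exit 0 if the file still carries the persisted mitigation line, 1 if it is clean.
mitigation_persisted() {
    grep -Fq "$MITIGATION_MARK" "$1"
}

# Remove every mitigation line from the file, keeping every other line in place.
# The result is written to a temp file and moved over the original, so an
# interrupted run never leaves rc.netscaler half-written.
strip_mitigation_persistence() {
    file=$1
    tmp="$file.tmp.$$"
    # grep -v exits 1 when no line survives (the file held only mitigation
    # lines); that is not an error here, so accept status 1 and keep going.
    grep -Fv "$MITIGATION_MARK" "$file" > "$tmp" || [ $? -eq 1 ]
    mv "$tmp" "$file"
}

# Number of lines in the file, used to confirm nothing else was dropped.
line_count() {
    wc -l < "$1" | tr -d ' '
}

# Write a constructed sample resembling rc.netscaler after the mitigation was
# applied: one custom line an admin might already have had, plus the persisted
# mitigation command. Sample data only, not a real appliance file.
make_sample_rc() {
    cat > "$1" <<'EOF'
# custom startup commands (constructed sample)
nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
EOF
}

# Stand-alone demonstration on the constructed sample.
demo() {
    sample=$(mktemp)
    make_sample_rc "$sample"
    if mitigation_persisted "$sample"; then
        echo "mitigation still persisted in $sample; removing it"
        strip_mitigation_persistence "$sample"
    fi
    if mitigation_persisted "$sample"; then
        echo "revert incomplete: line still present"
    else
        echo "clean: $(line_count "$sample") line(s) kept"
    fi
    rm -f "$sample"
}

demo
```

On the appliance you would call strip_mitigation_persistence on /nsconfig/rc.netscaler from the BSD shell, after the unbind and the skip_systemaccess_policyeval=1 command the reply describes. The two remaining halves of the revert are live state, not file state, so they need their own checks: confirm the variable really reads 1 (from the shell, nsapimgr -d allvariables piped through grep for skip_systemaccess_policyeval is the check I would use; it is not on this page) and confirm the responder policy is no longer bound globally (show responder global from the NetScaler CLI). Only when all three agree are you back to the pre-mitigation state; if LDAP still fails at that point, the mitigation was not the cause.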