Cannot access /manageotp: Failure_reason "External authentication server denied access"


tylital520


Hi,

 

I have configured OTP exactly as instructed on the iRANGERS page: https://www.irangers.com/netscaler-native-otp-limit-enrollment-one-device/

 

If I try to access /manageotp I get the following error: "Try again or contact your help desk".

 

If I enter e.g. #@12345 into the user's userParameters AD attribute and try to log in, it takes me to UG-OTP-2FA-Verify_pollabel and shows me the OTP-Passcode-Only_lschema login schema. So that works as it should. And if I try to log in with that attribute empty (not trying to enroll a device first), it allows limited access as it should. So LDAP authentication works. But I cannot access /manageotp.

 

In /var/log/ns.log I have the following error:

Feb 13 08:15:52 <local0.info> xxx.xxx.xxx.xxx 02/13/2020:06:15:52 GMT netscaler 0-PPE-0 : default AAATM Message 14734 0 :  "Failed to extract OTP secret from aaad, current factor: UG-OTP_Mgmt-NoSchema_pollabel, for user: user123 "
Feb 13 08:15:52 <local0.warn> xxx.xxx.xxx.xxx 02/13/2020:06:15:52 GMT netscaler 0-PPE-0 : default AAA LOGIN_FAILED 14735 0 :  User user123 - Client_ip xxx.xxx.xxx.xxx - Failure_reason "External authentication server denied access"
Feb 13 08:15:52 <local0.info> xxx.xxx.xxx.xxx 02/13/2020:06:15:52 GMT netscaler 0-PPE-0 : default AAA Message 14736 0 :  "Authentication is rejected for user123 (client ip : xxx.xxx.xxx.xxx, vserver ip: xxx.xxx.xxx.xxx    ), extended error, if any : "

Last lines of cat /tmp/aaad.debug:

Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_common.c[584]: extract_ldap_attribute 0-224: While retrieving ldap attributes userParameters attribute not found for user123
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[2420]: get_otp_attribute 0-224: OTP Secret Attribute name: <userParameters>, length 15
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[706]: receive_ldap_user_search_event 0-224: Failed to extract attribute, name: userParameters,
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[2420]: get_otp_attribute 0-224: OTP Secret Attribute name: <userParameters>, length 15
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[2458]: get_email_attribute 0-224: Email attribute: <mail>, length 5
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_common.c[648]: extract_ldap_attribute 0-224: retrieved mail value user123@company.com for user123, length is 22
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[2458]: get_email_attribute 0-224: Email attribute: <mail>, length 5
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[769]: receive_ldap_user_search_event 0-224: extracted attribute, name: mail, value: user123@company.com
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[2458]: get_email_attribute 0-224: Email attribute: <mail>, length 5
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[866]: receive_ldap_user_search_event 0-224: For user user123, group stringLength 128
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[875]: receive_ldap_user_search_event 0-224: built group string for user123 of:
CTX-NS-OTP

Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/ldap_drv.c[905]: receive_ldap_user_search_event 0-224: Authentication is disabled for user user123, finishing ldap authentication
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[3923]: send_accept 0-224: sending accept to kernel for : user123
Thu Feb 13 11:50:59 2020 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[3840]: aaad_alloc_serialize_keyValue_attrs 0-224: Total attribute values to PE : 61, email=user123@company.com

In the LDAP Action I am using the domain Administrator account as the bind account, and the "Test LDAP Reachability" passes just fine. I have checked the LDAP actions several times and also tried using another bind account, but no luck.

 

I am using a custom theme based on RfWebUI, and also tried with the default RfWebUI theme. HSTS is disabled. Any ideas what could be causing this?


I have the same issue.

I have implemented a quite complex nFactor authentication path with OTP and password reset, using the iRangers blog as a base.

I implemented it only in a lab and did not go live at that time. It was a year ago on NetScaler 12. Thank God for that.

 

Since then I have upgraded to 13.0.58 (the latest as of now) and tried to go back to my nFactor. It is not working.

I have the same error as you and cannot get to the OTP manage page.

 "otpsecrets are not from aaad, probably no devices yet."

 "Failed to extract OTP secret from aaad, current factor: UG-OTP-Mgmt-NoSchema_pollabel, for user:

 

I checked the Citrix OTP page. I will need to start from scratch. They have some extra steps for setting up LDAP_noauth, but they are not working either as of now:

 

Scroll down to the Other Settings section. Use the list to select the following options.

Server Logon Name Attribute as New and type userprincipalname.

Use the list to select SSO Name Attribute as New and type userprincipalname.

Enter "UserParameters" in the OTP Secret field and click More.

Enter the following Attributes.

Attribute 1 = mail
Attribute 2 = objectGUID
Attribute 3 = immutableID

 

I will update if I find a solution. Let me know if you solved this issue in any way.

Thanks.

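Both posts above show the same pair of symptoms: aaad.debug reports that the OTP secret attribute was not returned by the LDAP search, and ns.log then records the OTP management factor rejecting the login. As an added triage aid (this is not code from the thread, from iRangers or from Citrix), the Python script below runs over aaad.debug and ns.log lines like the ones quoted and reports, per user, which attribute the LDAP action is using as the OTP secret, whether the search returned it, whether aaad still sent an accept, and which factor and failure reason ns.log logged. The sample log lines are constructed after the posted ones (paths shortened, IPs left as placeholders); user456 and session 0-225 are invented here to exercise the "attribute returned" path, and the regexes are written against the message texts visible in the thread, not against a documented log format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample logs, modelled on the lines quoted in the thread.
# Session 0-224 / user123 reproduces the posted case (OTP attribute not returned).
# Session 0-225 / user456 is invented here to show the "attribute returned" branch.
AAAD_DEBUG = """\
Thu Feb 13 11:50:59 2020 .../aaad/ldap_common.c[584]: extract_ldap_attribute 0-224: While retrieving ldap attributes userParameters attribute not found for user123
Thu Feb 13 11:50:59 2020 .../aaad/ldap_drv.c[2420]: get_otp_attribute 0-224: OTP Secret Attribute name: <userParameters>, length 15
Thu Feb 13 11:50:59 2020 .../aaad/ldap_drv.c[706]: receive_ldap_user_search_event 0-224: Failed to extract attribute, name: userParameters,
Thu Feb 13 11:50:59 2020 .../aaad/ldap_common.c[648]: extract_ldap_attribute 0-224: retrieved mail value user123@company.com for user123, length is 22
Thu Feb 13 11:50:59 2020 .../aaad/ldap_drv.c[875]: receive_ldap_user_search_event 0-224: built group string for user123 of:
CTX-NS-OTP
Thu Feb 13 11:50:59 2020 .../aaad/ldap_drv.c[905]: receive_ldap_user_search_event 0-224: Authentication is disabled for user user123, finishing ldap authentication
Thu Feb 13 11:50:59 2020 .../aaad/naaad.c[3923]: send_accept 0-224: sending accept to kernel for : user123
Thu Feb 13 11:51:30 2020 .../aaad/ldap_common.c[648]: extract_ldap_attribute 0-225: retrieved userParameters value #@phone=SECRET&, for user456, length is 16
Thu Feb 13 11:51:30 2020 .../aaad/ldap_drv.c[2420]: get_otp_attribute 0-225: OTP Secret Attribute name: <userParameters>, length 15
Thu Feb 13 11:51:30 2020 .../aaad/ldap_drv.c[905]: receive_ldap_user_search_event 0-225: Authentication is disabled for user user456, finishing ldap authentication
Thu Feb 13 11:51:30 2020 .../aaad/naaad.c[3923]: send_accept 0-225: sending accept to kernel for : user456
"""

NS_LOG = """\
Feb 13 08:15:52 <local0.info> xxx.xxx.xxx.xxx 02/13/2020:06:15:52 GMT netscaler 0-PPE-0 : default AAATM Message 14734 0 :  "Failed to extract OTP secret from aaad, current factor: UG-OTP_Mgmt-NoSchema_pollabel, for user: user123 "
Feb 13 08:15:52 <local0.warn> xxx.xxx.xxx.xxx 02/13/2020:06:15:52 GMT netscaler 0-PPE-0 : default AAA LOGIN_FAILED 14735 0 :  User user123 - Client_ip xxx.xxx.xxx.xxx - Failure_reason "External authentication server denied access"
"""

# aaad.debug patterns: the "N-M:" token after the function name is the aaad session id.
RE_SESSION = re.compile(r"\b(\d+-\d+): ")
RE_ATTR_MISSING = re.compile(r"ldap attributes (\S+) attribute not found for (\S+)")
RE_OTP_ATTR = re.compile(r"OTP Secret Attribute name: <([^>]+)>")
RE_ATTR_OK = re.compile(r"retrieved (\S+) value (.+?) for (\S+), length is \d+")
RE_AUTH_DISABLED = re.compile(r"Authentication is disabled for user (\S+),")
RE_ACCEPT = re.compile(r"sending accept to kernel for : (\S+)")
# ns.log patterns (the factor message has a trailing space before its closing quote).
RE_NS_OTP_FAIL = re.compile(r'Failed to extract OTP secret from aaad, current factor: ([^,]+), for user: ([^\s"]+)')
RE_NS_LOGIN_FAILED = re.compile(r'LOGIN_FAILED .*?User (\S+) - Client_ip \S+ - Failure_reason "([^"]*)"')


@dataclass
class UserTriage:
    user: str = ""
    otp_attribute: Optional[str] = None          # attribute the LDAP action uses as OTP Secret
    attributes_found: Dict[str, str] = field(default_factory=dict)
    attributes_missing: Set[str] = field(default_factory=set)
    ldap_auth_disabled: bool = False             # LDAP action with authentication disabled (LDAP_noauth style)
    aaad_accept: bool = False                    # aaad sent accept to the packet engine
    failing_factor: Optional[str] = None         # factor named in the ns.log AAATM message
    failure_reason: Optional[str] = None         # ns.log LOGIN_FAILED Failure_reason

    def otp_secret_present(self) -> Optional[bool]:
        """True/False if aaad logged a result for the OTP attribute, None if nothing was logged."""
        if self.otp_attribute is None:
            return None
        if self.otp_attribute in self.attributes_found:
            return True
        if self.otp_attribute in self.attributes_missing:
            return False
        return None

    def verdict(self) -> str:
        # Secret values are never included in the verdict text.
        if self.otp_attribute is None:
            return f"no OTP Secret attribute logged for {self.user}; check the OTP Secret field of the LDAP action"
        present = self.otp_secret_present()
        if present is False:
            return (f"LDAP search for {self.user} succeeded (accept={self.aaad_accept}, "
                    f"auth disabled={self.ldap_auth_disabled}) but attribute {self.otp_attribute} was not returned; "
                    f"factor {self.failing_factor or '?'} then rejected the login: "
                    f"{self.failure_reason or 'no ns.log reason'}. AD omits attributes that are unset "
                    "or that the bind account may not read, so check both")
        if present:
            return f"attribute {self.otp_attribute} returned for {self.user}; OTP secret extraction is not the failing step"
        return f"attribute {self.otp_attribute} configured but no extraction result logged for {self.user}"


def triage_logs(aaad_debug: str, ns_log: str) -> Dict[str, UserTriage]:
    """Correlate aaad.debug sessions with ns.log AAA messages, keyed by user name."""
    by_session: Dict[str, UserTriage] = {}
    for line in aaad_debug.splitlines():
        s = RE_SESSION.search(line)
        if not s:                      # continuation lines such as the group string carry no session id
            continue
        rec = by_session.setdefault(s.group(1), UserTriage())
        if (m := RE_OTP_ATTR.search(line)):
            rec.otp_attribute = m.group(1)
        elif (m := RE_ATTR_MISSING.search(line)):
            rec.user, _ = m.group(2), rec.attributes_missing.add(m.group(1))
        elif (m := RE_ATTR_OK.search(line)):
            rec.user = m.group(3)
            rec.attributes_found[m.group(1)] = m.group(2)
        elif (m := RE_AUTH_DISABLED.search(line)):
            rec.user, rec.ldap_auth_disabled = m.group(1), True
        elif (m := RE_ACCEPT.search(line)):
            rec.user, rec.aaad_accept = m.group(1), True
    by_user = {r.user: r for r in by_session.values() if r.user}
    for line in ns_log.splitlines():
        if (m := RE_NS_OTP_FAIL.search(line)):
            by_user.setdefault(m.group(2), UserTriage(user=m.group(2))).failing_factor = m.group(1)
        elif (m := RE_NS_LOGIN_FAILED.search(line)):
            by_user.setdefault(m.group(1), UserTriage(user=m.group(1))).failure_reason = m.group(2)
    return by_user


if __name__ == "__main__":
    for user, rec in triage_logs(AAAD_DEBUG, NS_LOG).items():
        print(f"{user}: {rec.verdict()}")
```

On a real box the two inputs are `/tmp/aaad.debug` (only populated while `cat /tmp/aaad.debug` is running, as the first post does) and `/var/log/ns.log`; pass their contents to `triage_logs` instead of the constructed strings. The script deliberately reports the secret attribute as present or absent without echoing its value, since userParameters holds the enrolled OTP seeds.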
