Edit LoginSchema but wrong result

Hi all.

 

One of our customers has a NetScaler VPX 13.0.52.24.


For this customer I needed to create a DomainDropDown menu for a Citrix Gateway portal (7 domains).


I followed the "old" CTX203873 (its expression is wrong, because the example expression REQ.HTTP.HEADER Cookie CONTAINS DOMAIN1 doesn't work; the correct expression is REQ.HTTP.HEADER Cookie CONTAINS domainvalue=DOMAIN1), and everything works fine.

 

Now I need to change from Classic Policy to Advanced Policy (firmware 13.1 removes classic policies).

OK, fine, I need to change the domain drop-down to nFactor.

I followed these steps:

 

- Create AAA vServer

- Download DomainDropDown.xml Login Schema

- Create and Upload MyDomainDropDown.xml Login Schema

- Create nFactor Flow with MyDomainDropDown Login Schema

- Bind nFactor Flow with AAA vServer.

- Bind AAA vServer to Citrix Gateway vServer.

 

Problem:

 

The original MyDomainDropDown.xml has these lines:

 

<DisplayValues>
                            <DisplayValue>
                                <Display>domaindropdown_(select_a_domain)</Display>
                                <Value>unspecified</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>domaindropdown_domain.a</Display>
                                <Value>DOMAIN.A</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>domaindropdown_domain.b</Display>
                                <Value>DOMAIN.B</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>domaindropdown_domain.c</Display>
                                <Value>DOMAIN.C</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>domaindropdown_domain.d</Display>
                                <Value>DOMAIN.D</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>domaindropdown_domain.e</Display>
                                <Value>DOMAIN.E</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>domaindropdown_domain.f</Display>
                                <Value>DOMAIN.F</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>domaindropdown_domain.g</Display>
                                <Value>DOMAIN.G</Value>
                            </DisplayValue>

</DisplayValues>

 

In Login Schema I see:

domaindropdown_domain.a

domaindropdown_domain.b

domaindropdown_domain.c

domaindropdown_domain.d

domaindropdown_domain.e

domaindropdown_domain.f

domaindropdown_domain.g

 

In a browser, when I click on (Select a domain), I see:

domaindropdown_domain.a

domaindropdown_domain.b

domaindropdown_domain.c

domaindropdown_domain.d

domaindropdown_domain.e

domaindropdown_domain.f

domaindropdown_domain.g

 

OK, no problem: I edit the original MyDomainDropDown.xml (and create MyDomainDropDown_new.xml in /flash/nsconfig/loginschema) and change the drop-down domain names:

DOMAIN.A

DOMAIN.B

DOMAIN.C

DOMAIN.D

DOMAIN.E

DOMAIN.F

DOMAIN.G

 

Now, in MyDomainDropDown_new.xml I see:

DOMAIN.A

DOMAIN.B

DOMAIN.C

DOMAIN.D

domaindropdown_password0

domaindropdown_password1

domaindropdown_password2

 

In a browser, when I click on (Select a domain), I see:

domaindropdown_domain.a

domaindropdown_domain.b

domaindropdown_domain.c

domaindropdown_domain.d

domaindropdown_password0

domaindropdown_password1

domaindropdown_password2

 

If I select the original MyDomainDropDown.xml in Login Schema, I see:

DOMAIN.A

DOMAIN.B

DOMAIN.C

DOMAIN.D

DOMAIN.E

DOMAIN.F

DOMAIN.G

 

But in a browser, when I click on (Select a domain), I see:

domaindropdown_domain.a

domaindropdown_domain.b

domaindropdown_domain.c

domaindropdown_domain.d

domaindropdown_domain.e

domaindropdown_domain.f

domaindropdown_domain.g

 

If I delete both MyDomainDropDown.xml and MyDomainDropDown_new.xml, reload MyDomainDropDown.xml into /flash/nsconfig/loginschema/LoginSchema and select MyDomainDropDown.xml in Login Schema, I see:

DOMAIN.A

DOMAIN.B

DOMAIN.C

DOMAIN.D

DOMAIN.E

DOMAIN.F

DOMAIN.G

 

But in a browser, when I click on (Select a domain), I see:

domaindropdown_domain.a

domaindropdown_domain.b

domaindropdown_domain.c

domaindropdown_domain.d

domaindropdown_domain.e

domaindropdown_domain.f

domaindropdown_domain.g

 

After investigation I found that the file in /var/netscaler/logon/LogonPoint/custom contains modified information.

 

I'm going crazy. Can anyone explain to me where I'm wrong?

Thank you.

 

Link to comment
Share on other sites

Don't know if this will help you or not, but we'll give it a try.

There's a couple things that can be causing this depending on what you are looking at in GUI.  And you might be having an issue with where you are editing file (in gui vs cli) and other things.

 

a couple of basics:

SchemaLocations:

1) Built-in default loginschemas are in the /nsconfig/loginschema/LoginSchema/  directory (which I'll refer to as Schema2 for clarity).  These are the default schemas on the system and ideally are used as the basis for custom schemas BUT aren't changed.  

2) Custom schemas that you create manually or by "editing" a built-in schema in GUI results in a copy in the /nsconfig/loginschema/ directory (which I'll refer to as schema1 for clarity below).    When you modify a copy of the built-in schemas OR create your own, ideally, they go here.  The GUI does a lot of this for you...but you can overwrite the wrong one if you aren't careful.

 

About the Schema Editor in GUI:

When you create a custom schema (.xml) file in the GUI editor aka you must be sure the loginschema profile (the pointer to this .xml) file points to the correct one.  And the GUI makes this a little more challenging than you'd expect.

- When in the edit mode, the editor allows you to select an existing schema (either the built in under the Schema2 directory) or the custom one under the Schema1 directory and allow you to make cosmetic changes. So for the drop down list, it will change the drop down entry "display" name but not the values or number of entries. But if you download the .xml file and change it in an editor, you can change the number of entries, the display value, and the domain value list, and then re-upload to adc (preferably the Schema1 directory).

- The trick is in "SELECTING" the xml file. When you are in the schema editor and you "highlight" the .xml file you want in the folder list on the LEFT and then click OK...you HAVE NOT CHANGED the file the loginschema profile actually points to. (it is counter intuitive).  You have to highlight the file you want in the appropriate directory the Schema1 or the Schema2 directory (again, Schema1 preferred) AND THEN YOU MUST HIT THE SELECT button in the EDITOR pane on the right to point to this file.  (or just start doing the file name via the cli).  I added some screenshots, but it may not make sense without having the GUI in front of you and there may be some differences between 12.1 and 13.

 

Most issues where you start seeing the wrong schema in use are caused by 1) either editing the wrong instance of the file than the one your schema profile is pointing to and/or 2) when you go back into the editor, not realizing that you aren't fully "selecting" the file you thought you were after making changes/correcting because of the "select" button and not just the highlight.  This confusion is compounded if you aren't really sure which file is in which directory (schema1 or schema2) you should be using and then we kind of compound mistakes from there.  

 

One more "fun" thing you can run into. Let's say your loginschema profile points to the correct file name (you see it in the parameter in the GUI). When you go back to editing in the GUI, in the EDITOR screen it shows you THE FIRST SCHEMA in the list and not the one you have specified. You still have to select the actual file you want to view. Now if you cancel or don't actually hit "select" it will not change the file you are pointing to...but this can lead to confusion about which file you are using vs editing in the editor.  (Again, behavior I've seen on 12.0 and 12.1...not sure if this has "changed" at any point.)

Just be sure when you go back into the editor, you manually select the actual schema file you are trying to edit and minimize unnecessary instances in the directory.

-------

 

I would start by going back to the /nsconfig/loginschema/LoginSchema/ and make sure the files here are still the original files (for future edits); if you found you edited the original dropdown with the original name, you can grab a copy from another adc.

 

Then check your /nsconfig/loginschema/ for your custom files and cleanup/rename any you don't need. And confirm the one you plan to use has the correct .xml contents (displayname/values) and valid xml format.  Confirm filename and path.  Re-download and upload if necessary and pay attention to which directory you are placing it in.

 

Then go back to your loginschema profile and be sure this is actually pointing to the correct /nsconfig/loginschema/<filename.xml>  as you confirmed previously. Whether gui or cli. If GUI and you edit, choose file in correct pick list directory (Schema1 and not Schema2). Highlight in LEFT pane, click "select" in right-pane and then OK. When you see schema, the xml filename and path should match.

 

Finally, be sure your loginschema policy points to this loginschema. And retest your nfactor config.

 

I would also maybe just start with just 2 or 3 domains and then add the rest in when it's working.

-------------

Additional thoughts on your displays/values and expressions:

1) You can just list the domain Name (display) and value as domainA vs domainB.  Though the example did use the "domaina.com" in the value field.  The attached sample was modified from the builtin onlydomaindropdown.xml (in the schema2 directory).  

2) In the examples I've done with the above, the policy expression for the advanced nfactor policies to evaluate based on selected domain just used this expression:  'HTTP.REQ.BODY(50000).CONTAINS("WORKSPACELAB")'  

 

Though there is more than one way to do this and if the other format/expression is working for you, then feel free to continue using it.  Remember that contains and eq are both case-sensitive in the advanced engine, so match the value you actually configure in the drop down <value>...</value> field OR use set_text_mode(ignorecase).


screenshot_schema.jpg

OnlyDomainDropdown3.xml

Link to comment
Share on other sites

Hi Rhonda,

 

Thanks for the reply.

Yes, if I create an xml file with these lines, everything works fine:

 

                    <ComboBox>
                        <InitialSelection>unspecified</InitialSelection>
                        <DisplayValues>
                            <DisplayValue>
                                <Display>domaindropdown_(select_a_domain)</Display>
                                <Value>unspecified</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>DOMAINA</Display>
                                <Value>DOMAIN.A</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>DOMAINB</Display>
                                <Value>DOMAIN.B</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>DOMAINC</Display>
                                <Value>DOMAIN.C</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>DOMAIND</Display>
                                <Value>DOMAIN.D</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>DOMAINE</Display>
                                <Value>DOMAIN.E</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>DOMAINF</Display>
                                <Value>DOMAIN.F</Value>
                            </DisplayValue>
                            <DisplayValue>
                                <Display>DOMAING</Display>
                                <Value>DOMAIN.G</Value>
                            </DisplayValue>
                        </DisplayValues>
                    </ComboBox>

 

The problem appears when I create a generic xml file and try to modify it (DomainDropDown2.xml is a generic xml file with no specific Display info):

[screenshot]

[screenshot]

In the browser:

[screenshot]

When I edit it:

[screenshot]

[screenshot]

[screenshot]

In the browser:

[screenshot]

If I select the OLD original xml file DomainDropDown2.xml:

[screenshot]

[screenshot]

In the browser:

[screenshot]

Thanks.

 

Link to comment
Share on other sites

1) Be sure your browser isn't caching content.   As this may be the biggest culprit.   (In Firefox, for example: use about:config to set the cache.check_doc_frequency value from 3 to 1 AND be sure to clear all cache and reload to see actual results.  You'll have to look up options for clearing cache in Chrome.  Use Shift+F5 or Shift+Refresh to force reload in some cases to make sure.)

2) You are still bouncing between the /nsconfig/loginschema/<filename> and /nsconfig/loginschema/LoginSchema/<filename> field.  I know you are trying to show me the different behaviors...but without looking at the files, to know what's different...it's hard to see if the xml file is the problem or the editing process is.

 

3) The GUI editor ONLY changes displays and not underlying values. For that you have to download, edit locally, and re-upload.

 

Now, if the original file worked and your new files aren't, then there is probably an ill-defined xml definition causing it to mess up the display.

 

I think you are having two or three issues at once.  The cache + a malformed xml file with your new values.  

 

So, just to clarify, what do you want the dropdown list display fields to show AND what do you want the "values" under the hood to show for expression purposes. (AND Share the .xml files you are working).  Because even I'm confused at this point as to whether the issue 1) I'm not seeing the file I think I'm pointing to or 2) the file I'm using isn't working or 3) all of the above.

 

One other recommendation:  Instead of creating a custom xml file from scratch (which is what I thought you said you were doing, but if not, I misunderstood), start with the default/builtin onlydomaindropdown or the dropdown (with username/password) as the starting point. Download it locally and edit and then re-upload. Or compare its xml with your custom file so we can find out if there is a problem in the definition.  Or compare if it is an issue with 13.x vs other version to interpret the file.  

 

It might be a 13.x issue....but I think there is something in the file itself that is compounding problems.

 

So, if you can share your xml file, then we can eliminate the file itself as the problem.

 

 

 

Link to comment
Share on other sites

I think there is an issue with the editor generated copy of the original domaindropdown.xml file (from /var/loginschema/LoginSchema).

And I don't think the issue is the editing process.

 

If you drop all the domaindropdown_ or domaindropdown_new_<name>  parts and just keep the display name/value it seems to work.

Which is what you would expect after editing the domain only xml file.

 

So, I would start with the original file, download locally, save as new name locally. Update the "expected" way and then upload to the schema1 directory as whatever file name you want to track it is.  Example:   /var/loginschema/domaindropdown_v1.xml. And then use this in your login test and expression test.  And just don't edit in gui; just locally.  At least see if this solves your problem:

 

2 domains below (In RED) just so you can see them. I would then modify the PURPLE to omit the domaindropdown_new_  value as well and see if this works as expected for you.

 

I have no idea why this one edits differently than the other (I was on 12.1 and saw the same as you.)

 

If it still doesn't work and no one else chimes in...check with support as that is bizarre and unexpected.

 

==================

 

<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status>
<Result>more-info</Result>
<StateContext/>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>domaindropdown_new_user_name</Text><Type>nsg-login-label</Type></Label><Input><AssistiveText>domaindropdown_new_please_supply_either_domain\username_or_user@fully.qualified.domain</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>domaindropdown_new_password</Text><Type>nsg-login-label</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>domain</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><ComboBox><InitialSelection>unspecified</InitialSelection><DisplayValues><DisplayValue><Display>domaindropdown_new_(select_a_domain)</Display><Value>unspecified</Value></DisplayValue><DisplayValue><Display>domainA</Display><Value>domainA</Value></DisplayValue><DisplayValue><Display>domainB</Display><Value>domainB</Value></DisplayValue></DisplayValues></ComboBox></Input></Requirement>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>domaindropdown_new_please_select_domain_to_continue_login_...</Text><Type>nsg_confirmation</Type></Label><Input/></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>domaindropdown_new_log_on</Button></Input></Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>

 

  • Like 1
Link to comment
Share on other sites
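
The checks the replies above converge on (a well-formed file, plain display names instead of `domaindropdown_...` label keys, and drop-down values that match the policy expression case-sensitively), as an added example that is not part of the original thread and is not Citrix code. The function names, the `key_prefix` default and the embedded sample schema are assumptions constructed for illustration; run it against a locally downloaded copy of the schema before re-uploading it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the schema fragments quoted in this thread.
SAMPLE_SCHEMA = """<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<AuthenticationRequirements><Requirements>
<Requirement><Credential><ID>domain</ID><Type>none</Type></Credential>
<Label><Type>none</Type></Label><Input><ComboBox>
<InitialSelection>unspecified</InitialSelection><DisplayValues>
<DisplayValue><Display>domaindropdown_new_(select_a_domain)</Display><Value>unspecified</Value></DisplayValue>
<DisplayValue><Display>domainA</Display><Value>domainA</Value></DisplayValue>
<DisplayValue><Display>domaindropdown_domain.b</Display><Value>DOMAIN.B</Value></DisplayValue>
</DisplayValues></ComboBox></Input></Requirement>
</Requirements></AuthenticationRequirements>
</AuthenticateResponse>"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_schema(xml_text, key_prefix="domaindropdown_"):
    """Return (entries, problems) for the drop-down entries of a login schema.
    key_prefix is an assumption: the label-key prefix seen in this thread."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [], [f"not well-formed XML: {exc}"]
    entries, problems, seen = [], [], set()
    for node in root.iter():
        if local(node.tag) != "DisplayValue":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in node}
        display, value = fields.get("Display", ""), fields.get("Value", "")
        entries.append((display, value))
        if not value:
            problems.append(f"entry {display!r} has no <Value>")
        if value in seen:
            problems.append(f"duplicate <Value> {value!r}")
        seen.add(value)
        if display.startswith(key_prefix):
            problems.append(f"<Display> for {value!r} still carries a label key: {display!r}")
    initial = [(n.text or "").strip() for n in root.iter() if local(n.tag) == "InitialSelection"]
    if initial and initial[0] not in seen:
        problems.append(f"InitialSelection {initial[0]!r} matches no <Value>")
    return entries, problems

def unmatched_literals(expression, entries):
    """Quoted literals in a policy expression that equal no <Value> exactly
    (CONTAINS and EQ are case-sensitive, as noted in the thread)."""
    values = {value for _, value in entries}
    return [lit for lit in re.findall(r'"([^"]*)"', expression) if lit not in values]

if __name__ == "__main__":
    entries, problems = audit_schema(SAMPLE_SCHEMA)
    print(entries)
    print("\n".join(problems))
    print(unmatched_literals('HTTP.REQ.BODY(50000).CONTAINS("domain.b")', entries))
```

A flagged `<Display>` is only a prompt to review that entry; comparing the literal against `<Value>` by exact match is a stricter test than CONTAINS itself, chosen here to surface case mismatches.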
