WebAuth authentication log sequence



Hi,

 

We are facing issues trying to do authentication on our Netscaler. I would like to ask forum members whether anyone, by reading this log, could tell me where to look for the problem.

 

We have configured WebAuth and LDAP (nFactor) using Netscaler Gateway (not LB) -> https://support.citrix.com/article/CTX216091. After several retries, we can only get this with user 'user1234@teleh2o.com' in ns.log:

 

"Apr 29 21:02:53 <local0.info> 198.168.16.16 04/29/2020:19:02:53 GMT adc01 0-PPE-0 : default AAA Message 639 0 :  "(0-17) send_authenticate_pdu: Sending Preamble"
Apr 29 21:02:53 <local0.notice> 198.168.16.16 04/29/2020:19:02:53 GMT adc01 0-PPE-0 : default AAA Message 640 0 :  "(0-17): Reply Received"
Apr 29 21:02:53 <local0.info> 198.168.16.16 04/29/2020:19:02:53 GMT adc01 0-PPE-0 : default SSLVPN Message 641 0 :  "WEBAUTH: AAAD delegated WebAuth to Packet Engine, beginning web authentication"
Apr 29 21:02:54 <local0.info> 198.168.16.16 04/29/2020:19:02:54 GMT adc01 0-PPE-0 : default AAA Message 642 0 :  "Core 0: aaad_authenticate_req: current auth failed for user1234@teleh2o.com, rest of the bitmask 0x0 "
Apr 29 21:02:54 <local0.info> 198.168.16.16 04/29/2020:19:02:54 GMT adc01 0-PPE-0 : default AAA Message 643 0 :  "Core 0: aaad_authenticate_req: Auth failed, no further policies in current factor, sending default loginschema for user user1234@teleh2o.com "
Apr 29 21:02:54 <local0.warn> 198.168.16.16 04/29/2020:19:02:54 GMT adc01 0-PPE-0 : default AAA LOGIN_FAILED 644 0 :  User user1234@teleh2o.com - Client_ip 93.170.175.186 - Failure_reason "Username/Password mismatch" - Browser Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
Apr 29 21:02:54 <local0.info> 198.168.16.16 04/29/2020:19:02:54 GMT adc01 0-PPE-0 : default AAA Message 645 0 :  "Authentication rejected for user1234@teleh2o.com (client ip : 93.176.185.186 , vserver ip: 198.168.16.18  ) due to the following error code : "
Apr 29 21:08:10 <local0.info> 198.168.16.16 04/29/2020:19:08:10 GMT adc01 0-PPE-0 : default AAA Message 646 0 :  "(0-18) send_authenticate_pdu: Sending Preamble"
A"

 

If we use the aaad.debug module, we get this at the same time:

 

"Wed Apr 29 21:08:10 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[837]: process_kernel_socket 0-18: partition id is 0
Wed Apr 29 21:08:10 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[1042]: process_kernel_socket 0-18: ns_aaad_decrypt_auth not done
Wed Apr 29 21:08:10 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[1084]: process_kernel_socket 0-18: call to authenticate
user :ruser1234@teleh2o.com, vsid :10109, req_flags 2
Wed Apr 29 21:08:10 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[3955]: start_cascade_auth 0-18: starting cascade authentication
Wed Apr 29 21:08:10 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[4091]: cascade_auth 0-18: Delegating web auth to kernel for : user1234@teleh2o.com
Wed Apr 29 21:08:13 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[635]: main 0-0: timer 2 firing..."

 

Could you tell me, from reading this, where I should continue looking to get more error info or, if you can, tell me what is happening here, please?

 

Kind regards


I am not 100% sure.

It seems like there is no attempt to authenticate this user. This "/home/build/rs_120/usr.src/netscaler/aaad/naaad.c[635]: main 0-0: timer 2 firing..." has no special meaning. I don't see any authentication attempt to LDAP. I have written a blog about how to understand an aaad.debug file. From there you could see what a normal authentication attempt would look like. I am missing a message like: /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[4795]: cascade_auth 0-14029: starting ldap auth for: user1234@teleh2o.com, sizeof(*ar) is 28, userlen 21. This would usually be the next message, telling you it started doing LDAP, but this message is missing, so there are definitely no authentication attempts to any source. The AAA daemon does not do anything but pass control back to NetScaler local authentication.

 

Double check all policy conditions. I guess they are not hit.
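The check described in the reply above, as an added example that is not part of either post and is not Citrix code: it groups aaad.debug message lines by session id and reports sessions where cascade authentication started but no "starting ldap auth" message followed. The function names, the regular expression and the sample are assumptions built only from the log lines quoted in this thread.

```python
import re
from collections import defaultdict

# Message lines in aaad.debug, in the shape quoted in this thread:
#   <path>/naaad.c[<line>]: <function> <session-id>: <text>
LINE_RE = re.compile(r"naaad\.c\[\d+\]: (\w+) (\d+-\d+): (.*)")

# Substrings taken from the messages quoted in the thread.
MARKERS = {
    "cascade_started": "starting cascade authentication",
    "webauth_delegated": "Delegating web auth to kernel",
    "ldap_started": "starting ldap auth for",
}

def session_events(text):
    """Return {session_id: set of marker names seen for that session}."""
    events = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # timestamp lines and continuation lines carry no session id
        _func, session, message = m.groups()
        for name, needle in MARKERS.items():
            if needle in message:
                events[session].add(name)
    return dict(events)

def sessions_without_ldap(text):
    """Session ids where cascade auth started but no LDAP attempt was logged."""
    return sorted(
        sid for sid, seen in session_events(text).items()
        if "cascade_started" in seen and "ldap_started" not in seen
    )

# Constructed sample. Session 0-18 reuses lines from the question; session
# 0-14029 pairs the reply's quoted LDAP line with a made-up cascade-start line.
SAMPLE = """\
Wed Apr 29 21:08:10 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[3955]: start_cascade_auth 0-18: starting cascade authentication
Wed Apr 29 21:08:10 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[4091]: cascade_auth 0-18: Delegating web auth to kernel for : user1234@teleh2o.com
Wed Apr 29 21:08:13 2020
 /home/build/rs_120/usr.src/netscaler/aaad/naaad.c[635]: main 0-0: timer 2 firing...
 /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[4700]: start_cascade_auth 0-14029: starting cascade authentication
 /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[4795]: cascade_auth 0-14029: starting ldap auth for: user1234@teleh2o.com, sizeof(*ar) is 28, userlen 21
"""

if __name__ == "__main__":
    print(sessions_without_ldap(SAMPLE))
```

A session listed by `sessions_without_ldap` is one where the LDAP factor was never reached, which is the cue to review the policy conditions bound to that factor.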