Jump to content
Welcome to our new Citrix community!

ManageOTP url not working

Recommended Posts

I used the NFactor flow to create it.


My First Factor I created a policy with the lowest priority. the Action type is no_auth and the expression is "http.req.cookie.value("NSC_TASS").eq("manageotp")"


I have a content switching virtual server setup and the expression for that policy is "is_vpn_url||HTTP.REQ.URL.CONTAINS("/manageotp")"


My VPN is an access gateway for citrix.


I attached the flow, but not sure if that will help much.




Link to comment
Share on other sites

Is the actual path when users connect /ManageOTP or /manageotp

your policy for the path (not the cookie one) is dependent on a case-sensitive match of .eq("/manageotp"

to make it case-insensitive:  http.req.url.set_text_mode(ignorecase).contains("/manageotp")

Since you are doing a CS policy, are you seeing errors in the request, indicating the cs policy can't handle the "manageotp" requests?  That is an indication the cs policy is not catching the right traffic.


Other thoughts:

Assuming this isn't because of the missing ignorecase expression above, sometimes the easiest way to diagnose is start with the vpn + authentication vserver config with a single flow like OTP only and see if it works on its own before trying to do nfactor. Then we know if the issue is OTP config OR the nfactor config or both.


Common issues in nfactor are loginschema profiles pointing to the wrong loginschema file (because of how the gui works).

OTP policy issues in the OTP definition and possibly missed OTP setting in the ldap policy.


This article might help with just the OTP setup (plus debug info in aaad.debug) without the rest of the nfactor config:  https://support.citrix.com/article/CTX228454

Alternative example:  https://www.jgspiers.com/netscaler-native-otp/


Finally, check your syslog for gateway deny messages in case it is related to authorization/issues (which I wouldn't expect at this point, but which is why we check):



cd /var/log

tail -f ns.log | grep -v CMD_EXECUTED

# this will output events except for those generated by config changes in gui/cli...


To output commands in your config (you can still sanitize as needed):

show ns runningconfig | grep <vpn vserver> -i

show ns runningconfig | grep <authetncation vserver> -i

show ns runningconfig | grep <authe policies> -i


You might just need to confirm the OTP and LDAP policies for parameters/typos too.




  • Like 1
Link to comment
Share on other sites

  • 9 months later...
On 5/21/2020 at 6:37 PM, Kevin Kelly1709152715 said:

Thanks that was a huge help. I am able to access manageotp and register devices now using the jgspiers article.


Now though When I login I am seeing "External authentication server denied access" in the logs?

Hi, I am having a similar issue right now. Could you explain where you have had the typo that caused ?"External authentication server denied access"?

Thank you, Andreas.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...