nFactor / Customized LoginSchema and Gateway Theme


Kari Ruissalo

We found a possible bug in one customer deployment (12.1-57.18) where we were tasked to create a customized Theme (RfWebUi-based, no "under the hood" modifications, just from the GUI) for the Gateway and build an nFactor setup.

 

So, we're running a Gateway which delegates the authentication responsibilities to AAA vServer, but we were required to use a LoginSchema to allow one username field, one for OTP and one for LDAP password.

 

If we use the DualAuth.xml as a template and then switch the "password" and "passcode" fields from the editor and give the template a new name like CompingDualAuth.xml, we're seeing that in the logon page the texts are

 

CompingDualAuth_please_log_on

CompingDualAuth_user_name

CompingDualAuth_password

CompingDualAuth_passcode

 

This only happens when the customized theme is applied. If we switch to a built-in theme like the default RfWebUi, the fields are shown properly.

 

We downloaded the generated XML file and we could see the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status>
<Result>more-info</Result>
<StateContext/>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement>
<Credential><Type>none</Type></Credential>
<Label><Text>CompingDualAuth_please_log_on</Text><Type>nsg-login-label</Type></Label>
<Input/>
</Requirement>
<Requirement>
<Credential><ID>login</ID><SaveID>login</SaveID><Type>username</Type></Credential>
<Label><Text>CompingDualAuth_user_name</Text><Type>nsg-login-label</Type></Label>
<Input><Text><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input>
</Requirement>
<Requirement>
<Credential><ID>passwd</ID><SaveID>passwd</SaveID><Type>password</Type></Credential>
<Label><Text>CompingDualAuth_password</Text><Type>nsg-login-label</Type></Label>
<Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
</Requirement>
<Requirement>
<Credential><ID>passwd1</ID><SaveID>passwd1</SaveID><Type>password</Type></Credential>
<Label><Text>CompingDualAuth_passcode</Text><Type>nsg-login-label</Type></Label>
<Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
</Requirement>
<Requirement>
<Credential><ID>savecredentials</ID><SaveID/><Type>savecredentials</Type></Credential>
<Label><Text>CompingDualAuth_remember_my_credentials</Text><Type>nsg-login-label</Type></Label>
<Input><AssistiveText>CompingDualAuth_</AssistiveText><CheckBox><InitialValue>false</InitialValue></CheckBox></Input>
</Requirement>
<Requirement>
<Credential><ID>Logon</ID><Type>none</Type></Credential>
<Label><Type>none</Type></Label>
<Input><Button>CompingDualAuth_submit</Button></Input>
</Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>

Then we compared it to the original DualAuth.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status>
<Result>more-info</Result>
<StateContext/>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement>
<Credential><Type>none</Type></Credential>
<Label><Text>dualauth_please_log_on</Text><Type>nsg-login-label</Type></Label>
<Input/>
</Requirement>
<Requirement>
<Credential><ID>login</ID><SaveID>login</SaveID><Type>username</Type></Credential>
<Label><Text>dualauth_user_name</Text><Type>nsg-login-label</Type></Label>
<Input><Text><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input>
</Requirement>
<Requirement>
<Credential><ID>passwd</ID><SaveID>passwd</SaveID><Type>password</Type></Credential>
<Label><Text>dualauth_password</Text><Type>nsg-login-label</Type></Label>
<Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
</Requirement>
<Requirement>
<Credential><ID>passwd1</ID><SaveID>passwd1</SaveID><Type>password</Type></Credential>
<Label><Text>dualauth_passcode</Text><Type>nsg-login-label</Type></Label>
<Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
</Requirement>
<Requirement>
<Credential><ID>savecredentials</ID><SaveID/><Type>savecredentials</Type></Credential>
<Label><Text>dualauth_remember_my_credentials</Text><Type>nsg-login-label</Type></Label>
<Input><AssistiveText>dualauth_</AssistiveText><CheckBox><InitialValue>false</InitialValue></CheckBox></Input>
</Requirement>
<Requirement>
<Credential><ID>Logon</ID><Type>none</Type></Credential>
<Label><Type>none</Type></Label>
<Input><Button>dualauth_submit</Button></Input>
</Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>

... and the only difference we were able to spot was that the prefix is "dualauth_" instead of "CompingDualAuth_".

 

I got this resolved by copying the original DualAuth.xml to new name "CompingDualAuth.xml" (stored under /nsconfig/loginschema) and then modifying the password and passcode fields as per requirement. Now we're seeing this working properly.

 

I think this might be a bug in how the LoginSchemas are constructed?

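The manual comparison described in the post above, automated as an added example (not part of the original thread and not Citrix code): it parses two login schema files and reports every display-string key that differs for the same credential field. The sample XML is constructed from the two schemas quoted in the post, trimmed to two requirements; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://citrix.com/authentication/response/1"}

def sample_schema(prefix):
    """Constructed sample: two requirements taken from the schemas quoted in the post."""
    return f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<AuthenticationRequirements><Requirements>
<Requirement>
<Credential><ID>login</ID><SaveID>login</SaveID><Type>username</Type></Credential>
<Label><Text>{prefix}user_name</Text><Type>nsg-login-label</Type></Label>
<Input><Text><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input>
</Requirement>
<Requirement>
<Credential><ID>Logon</ID><Type>none</Type></Credential>
<Label><Type>none</Type></Label>
<Input><Button>{prefix}submit</Button></Input>
</Requirement>
</Requirements></AuthenticationRequirements>
</AuthenticateResponse>"""

def label_keys(xml_text):
    """Map (credential ID, element name) -> display-string key for one schema."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    keys = {}
    for req in root.iterfind(".//a:Requirement", NS):
        cred_id = req.findtext("a:Credential/a:ID", default="", namespaces=NS)
        # The three places where the quoted schemas carry a display-string key.
        for path in ("a:Label/a:Text", "a:Input/a:AssistiveText", "a:Input/a:Button"):
            text = req.findtext(path, default=None, namespaces=NS)
            if text:
                keys[(cred_id, path.split(":")[-1])] = text
    return keys

def renamed_keys(base_xml, custom_xml):
    """List (credential ID, element, base key, custom key) where the two schemas disagree."""
    base = label_keys(base_xml)
    return [(cid, elem, base.get((cid, elem)), key)
            for (cid, elem), key in label_keys(custom_xml).items()
            if base.get((cid, elem)) != key]

if __name__ == "__main__":
    for row in renamed_keys(sample_schema("dualauth_"), sample_schema("CompingDualAuth_")):
        print(row)
```

An empty result means the custom schema kept the template's keys, which is the state the post reports as working.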

I saw the same thing earlier this year helping someone else with a custom schema on a v13 build (thread for reference):  https://discussions.citrix.com/topic/408275-edit-loginschema-but-wrong-result/

 

You may have to go through support to log an actual bug, but on certain versions, the "custom edit" vs the download and edit have some issues.

 


  • 2 weeks later...

Seems similar, but we had that issue with the user name, password and passcode fields. Fortunately I found a way around this issue, but this might be something that pops up again if we upgrade the firmware or modify the schema or theme via GUI.

 

This is a bit challenging to trace for support as it is our customer's environment that I don't have direct access to.

 

I suppose someone from Citrix reads these forums and possibly picks this up, but I'll send this to our local SE so he can bring it up to development's attention.
