Citrix Netscaler nFactor OTP (Multiple Domains)

Tom Swift


We're kind of getting stuck after modifying the manageotp policy expression under Policy Labels.


This is what we have first for the policy expression:



However, there is no way to determine the domain the user logged in as:


User: MYCORP\TestUser



So we added a domain filter:

HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") && AAA.USER.DOMAIN.EQ("mycorp") && AAA.USER.IS_MEMBER_OF("mycorp_citrixexternalusers") 

If we try this it skips all the policies, gets to the end, and the user attempting to log on gets a "no policy" message.


Tried to simplify it a bit:




Still doesn't get a hit, so instead of EQ (equal) we try CONTAINS:



Double checked that the domain name is using the correct / exact case and it is.


Anyone have some magic??


AAA.LOGIN.DOMAIN refers to the domain selected on a login schema page. It is only useful if it is the last factor before examining.

Presumably, domain is in distinguished name so:

1. On the LDAP server, click "More" at the bottom of the page.

2. In Attributes, add "distinguishedName" (without the quotes) in one of the fields. I suggest attribute 3 or greater, as 1 and 2 may be name/password passing to StoreFront if that's part of your implementation.

3. You can then use an expression like AAA.USER.ATTRIBUTE(3).TO_UPPER.CONTAINS("MYDOMAIN")


This works. I am using it to select Session Policy
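The three steps above, written out as NetScaler CLI commands. This is an added example, not configuration from the thread or from Citrix. The action, policy and label names, the server address, the bind DN, the base DN, the group name and the DN layout (CN=...,OU=...,DC=mycorp,DC=local) are assumptions for illustration; the NSC_TASS cookie check and the group check come from the original post. Two details are worth noting: AAA.USER.ATTRIBUTE(3) is only populated once the LDAP factor has run, so the domain-aware rule has to sit in a later factor, and matching on the "DC=MYCORP," component rather than a bare "MYCORP" substring means a CN or OU that merely contains the domain name will not satisfy the rule.

```text
# Added example configuration (not from the thread). Names, IP, base DN,
# bind DN, group and DN layout are assumptions; replace them with your own.

# 1. LDAP action: fetch distinguishedName into attribute slot 3
#    (slots 1 and 2 are left free for credential pass-through to StoreFront).
add authentication ldapAction ldap_mycorp -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=mycorp,DC=local" -ldapBindDn "CN=svc_ns,OU=Service,DC=mycorp,DC=local" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -Attribute3 distinguishedName

# 2. Advanced policy that runs the LDAP action as the first factor.
add authentication Policy pol_ldap_mycorp -rule true -action ldap_mycorp

# 3. Domain-aware manageotp rule. A constructed DN for MYCORP\TestUser would be
#    CN=TestUser,OU=Users,DC=mycorp,DC=local; the rule anchors on the
#    "DC=MYCORP," component so an OU or CN containing "mycorp" does not match.
add authentication Policy pol_manageotp_mycorp -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\") && AAA.USER.ATTRIBUTE(3).TO_UPPER.CONTAINS(\"DC=MYCORP,\") && AAA.USER.IS_MEMBER_OF(\"mycorp_citrixexternalusers\")" -action NO_AUTHN

# 4. Bind the rule into the factor that runs after LDAP, so ATTRIBUTE(3) is
#    already set, and hand matching users to the (assumed) OTP registration factor.
bind authentication policylabel lbl_select_mycorp -policyName pol_manageotp_mycorp -priority 100 -gotoPriorityExpression NEXT -nextFactor lbl_manageotp_mycorp
```

Repeat steps 3 and 4 with a second policy and a second "DC=...," string for each additional domain; the priority order of the bindings decides which domain is tested first, and a user whose DN matches none of them still falls through to the "no policy" result, so keep a final catch-all binding if that is not what you want.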
