
OTP for password expiry via Netscaler

Arun Kumar K R


Hi All,


There is a requirement as below, and I request your guidance on whether this can be achieved.


We have a Netscaler 13.0.67 which has LDAP and Azure MFA (for 2nd factor Radius) for external connecting users. On password expiry, users can change the password without any issues (at this step OTP will not generate). 

But I would like to know if there is any way to generate an OTP to change the password too. If yes, could you please provide the steps to configure the same?


Thank you in advance. 


On 12/24/2020 at 12:18 PM, Carl Stalhood said:

Maybe swap authentication so OTP is done first?


Using OTP first always is recommended for security and convenience reasons. OTP usually is not very strong (4-6 characters or digits), however you can't hack it permanently. So even if you guess the OTP, you can't brute-force the LDAP password.


If you use the other order, you would have to brute-force the LDAP password. Guessing the OTP is easy.


There is another reason: A brute-force attack against the LDAP password could potentially lock out the legitimate user working from inside. A brute-force attack against the OTP will lock out this user from RADIUS, trigger an alert, but not harm AD. So IT will have plenty of time to track back the attacker, while the user affected does not even realize there is something going on.


Just my 2 cents


Johannes Norz


my blog: https://blog.norz.at

my test environment: https://wonderkitchen.network
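
The lockout argument in the reply above, as an added simulation that is not part of the original thread and is not Citrix or NetScaler code: it replays failed logins against a two-factor chain in both orders and reports which backend's lockout counter absorbs them. The backend names, secrets, lockout threshold of 5 and the rule that a failed factor ends the flow are assumptions made for this model.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    """One authentication factor with its own failed-attempt lockout."""
    name: str
    secret: str
    threshold: int      # failures before the account locks (constructed value)
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.threshold

    def check(self, value: str) -> bool:
        if self.locked:
            return False        # a locked account rejects without counting again
        if value == self.secret:
            self.failures = 0
            return True
        self.failures += 1
        return False


def login(chain, creds) -> bool:
    """Evaluate factors in order; a failed factor ends the flow,
    so later backends never see the attempt."""
    for backend in chain:
        if not backend.check(creds[backend.name]):
            return False
    return True


def simulate(order, attempts=20):
    """Replay wrong-credential logins at the gateway and return
    {backend: (failed_attempts, locked)} for the given factor order."""
    backends = {
        "ldap": Backend("ldap", "correct-password", threshold=5),  # AD account
        "otp": Backend("otp", "493817", threshold=5),              # RADIUS/OTP
    }
    chain = [backends[name] for name in order]
    for _ in range(attempts):
        login(chain, {"ldap": "wrong-guess", "otp": "000000"})     # constructed input
    return {name: (b.failures, b.locked) for name, b in backends.items()}


if __name__ == "__main__":
    for order in (["ldap", "otp"], ["otp", "ldap"]):
        print(" -> ".join(order), simulate(order))
```

With LDAP first the AD counter reaches the threshold and the internal user is locked out; with OTP first the RADIUS side locks and AD records no failed attempts.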
