
OTP Registration with OTP Authentication / nFactor Flow



Hi

Our users should be able to register OTP devices from external, authenticating with username and password (do not discuss the security aspect of that, we know it).

So, a user without a registered device should be able to log in on NetScaler with MS AD authentication and register the device.

A user who already has a registered device should be authenticated by username, password and OTP; then he should get to the registration page to register a new device (for example in case of changing it).

We save the OTP parameters in an AD attribute of the user.

For that we created an nFactor flow, which is running well, but in the end, after the final verification of the OTP, there is the message "Replay of OTP Code detected. Please use new code.".

 


 

That is the flow:

[screenshot of the nFactor flow]

 

The first decision block has the expression "http.req.cookie.value("NSC_TASS").eq("manageotp")".

The second decision block is "AAA.USER.ATTRIBUTE(2).CONTAINS("#@")".

 

I see in nsconmsg -d current -g _hits | grep "auth" that the flow is working until the last "OTPRegister2", but there it fails with the above message.

When the user does not have an entry in User.Attribute(2), it goes directly to OTPRegister and he can register his device.

Both "OTPRegister" and "OTPRegister2" are configured identically.

 

What could be wrong here?

 

Thanks for help.

 


Hi Lukas,

 

I'm not sure if this flow is working fine; I think the trouble is a broken NSC_TASS cookie. I always create a separate FQDN / AAA vServer only for the nFactor flow to create or manage OTP devices. Maybe that's a possible setup for you, too. Hope this helps.

 

Regards

Julian


  • 1 month later...

Hello Lukas,

 

In the meantime I had the same requirement and came across exactly the same error message as in your setup. Luckily, I found the solution.

 

In https://www.carlstalhood.com/native-one-time-passwords-otp-citrix-gateway-13/#adcconfigobjects Carl mentions the three hidden lines in SingleAuthManageOTP.xml which activate the /manageotp NSC_TASS cookie to get access to the Manage OTP portal by default:

 

<Requirement><Credential><ID>otpmanage</ID><Type>otpmanage</Type></Credential><Input><Text><Secret>false</Secret><Hidden>true</Hidden><InitialValue>1</InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>pushregister</ID><Type>nsg_registerpush</Type></Credential><Input><Text><Secret>false</Secret><Hidden>true</Hidden><InitialValue>1</InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>otpregister</ID><Type>nsg_registerotp</Type></Credential><Input><Text><Secret>false</Secret><Hidden>true</Hidden><InitialValue>1</InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>

 

And that's the missing point why you're getting "Replay of OTP Code detected. Please use new code": ADC doesn't know which page should load after successful login.

 

So I created an OnlyPassword-OTPExternal.xml which looks like your screenshot:

[screenshot of the OnlyPassword-OTPExternal.xml login schema]

 

...but including the three lines for activating the Manage OTP page.

 

I hope this helps anyone stumbling across the "Replay of OTP Code detected. Please use new code" error message.

 

Best Regards

Julian

Attachment: OnlyPassword-OTPExternal.xml

