Citrix ADC NS13.1 17.42.nc - "Incorrect Password" when user's password has a [SPACE] Character

Recently, I configured a Citrix ADC VPX running NS13.1 17.42.nc which has "Traffic Management" :: "Load Balancing" :: "Virtual Servers" setup for LDAPS to various Domain Controllers.  What wasn't found during testing and validation was that if a user has an Active Directory Password with a [SPACE] Character they are unable to authenticate and the ADC returns an "Incorrect Password" response.

 

The ADC is setup with Native OTP using the standard "userParameters" AD Attribute and works perfectly fine for users without a [SPACE] character in their Password.  The Citrix Gateway VPN Virtual Server is configured with a slightly modified nFactorPortalTheme as the nFactor Flow has various login flows for handling multiple domains and Clients IP & Type flows.

 

Given logins work perfectly fine if the users do not have a [SPACE] character in their password, I'm thinking there is some encoding/decoding issue going on where the ADC is not properly keeping the Password value either when passing through the nFactor Flow or some issue with how the Load Balancing Virtual Server proxies the LDAPS requests.

 

In the nFactor Flow for the "Authentication Login Schema" that does the final Authentication check the following are defined:

Password Expression: AAA.LOGIN.PASSWORD

Password Credential Index: 1

 

Any hints or suggestions on what could be wrong or where to look for helping to deduce the root cause of the issue would be appreciated.


Referring to the CTX114999 "Troubleshooting Authentication Issues Through ADC or Citrix Gateway with aaad.debug Module"

 

cat aaad.debug shows the account is unable to perform the LDAP Bind with the password provided.

 

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[995]: receive_ldap_user_search_event 0-1561: User search succeeded, attempting user authentication(Bind) for <loginuseraccountname>

/usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[6161]: register_timer 0-1561: setting timer 5559

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[2261]: receive_ldap_user_bind_event 0-1561: Got user bind event.

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[448]: ns_ldap_check_result 0-1561: checking LDAP result.  Expecting 97 (LDAP_RES_BIND)

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[486]: ns_ldap_check_result 0-1561: ldap_result found expected result LDAP_RES_BIND

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[310]: ns_show_ldap_err_string 0-1561: LDAP error string: <<80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839>>

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[496]: ns_ldap_check_result 0-1561: LDAP action failed (error 49): Invalid credentials

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[498]: ns_ldap_check_result 0-1561: For user loginuseraccountname, LDAP authentication failed (error 49): Invalid credentials

/usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[2294]: receive_ldap_user_bind_event 0-1561: ldap_bind user failed for user loginuseraccountname


Update 2022-05-09:  Further testing, and I've found the [&] Ampersand character is also NOT allowing users to Authenticate if they have this character in their password as well.  This leads me to believe this is an encoding/decoding issue, possibly QUERY STRING or for the LDAPS Bind attempt when using the Load Balancing LDAPS Virtual Server for Active Directory LDAPS Querying.  When it comes to other characters I've found the following do not cause any issues (@, !, %).


15 minutes ago, kwarsonBB said:

Same issue here.

kwarsonBB, what version of Citrix ADC are you running?
I'm trying to figure out if this is an issue with NS13.1 17.42.nc release.

I've seen that 13.1-21.50 is out but nothing in the Release Notes makes me think it would fix this issue.
Release Notes for Citrix ADC 13.1-21.50 :: https://docs.citrix.com/en-us/citrix-adc/current-release/citrix-adc-release-notes/release-notes-13-1-21-50.html


  • 2 weeks later...

Well, I have a Support Case open with Citrix Support.  So far they have not found any specific reason why this would happen.  They had me try changing a Login Schema AAA.LOGIN.PASSWORD to AAA.USER.PASSWD at one point, but that basically broke Authentication as it isn't to that point where the AAA.USER.PASSWD has a value, as it hasn't Authenticated at this point in the "nFactor Flow" that is being used.


Hi Jeffrey,

 

Have you tried, when using a custom schema and password attribute index, to reference via AAA.USER.ATTRIBUTE()? Maybe it's also worth trying to write whatever is in the AAA.LOGIN.PASSWORD and/or AAA.USER.ATTRIBUTE to the log so you can see how it stores the password (e.g. is it missing the special characters or smth?). I think you could do this with a NOOP responder policy bound to the authentication vserver which then has a logaction to output the values. I'm sure you already realise this, but don't do this on your production setup of course. Adding custom logging requires some additional steps which are outlined in https://support.citrix.com/article/CTX200908.

Edited by Gunther De Poortere
Additional info

Yes, when the "nFactor Flow" makes it past the OTP check and then to the Authentication Policy it has a Schema attached with:

Password Expression: AAA.LOGIN.PASSWORD

Password Credential Index: 1

[Check] Enable Single Sign On Credentials

 

I'm slightly wondering if it could be something to do with the AD "Search Filter" I have defined, as I check for a Security Group Membership.

Search Filter (Example):  memberOf=CN=My_Security_Group,OU=Groups,DC=example,DC=com
I'm thinking the ADC takes the "Other Settings" to generate the LDAPS Query if it isn't encoding the values appropriately.

 

I'll look into the custom logging you mention and see about a Development ADC to test with.

Thanks for your input!

 


So once your schema hits and the user enters his password, you could reference it in a policy expression with AAA.USER.ATTRIBUTE(1).

 

Regarding the search filter, that just narrows the scope of the LDAP search as far as I know (in your case the user needs to be a member of that 'My_Security_Group' directly, if not it will not find the account) so that would be strange if that's the reason, but hey, you never know of course.


  • 1 month later...

I've had this issue with various special characters (§ ß ° for example) and somewhere I found that NetScaler has issues with certain special characters regarding the escaping of those characters. I'm not sure if that's true, but I just stick to telling users to avoid using these characters.

