
Citrix Netscaler (ADC) Email OTP


Tom Swift


https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/email-otp.html

 

After following the above article we almost got it working, at least we think. Before adding the email section we were at least able to enter a username and password and get to an Email Registration screen. Nothing we entered there worked. After adding the #EMAIL section via the CLI we just immediately get a "cannot complete your request" after entering username and password. Also, does someone know if another field in Active Directory, other than userParameters, can be used? We also want to use NFACTOR, and it uses the same field.

 

#Create OTP Virtual Server
add authentication vserver EMAIL_AUTH_VSERVER SSL 0.0.0.0
bind ssl vserver EMAIL_AUTH_VSERVER -certkeyName SSL
add authentication authnProfile EMAIL_authnprofile -authnVsName EMAIL_AUTH_VSERVER
unbind vpn vserver VirtualServer -policy LDAP_Pol
set vpn vserver VirtualServer -authnProfile EMAIL_authnprofile

bind authentication vserver EMAIL_AUTH_VSERVER -portaltheme RfWebUI
bind vpn global -userDataEncryptionKey SSL

add authentication ldapAction ldap -serverIP 192.168.20.10 -serverPort 389 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName samAccountName
add authentication Policy ldap -rule true -action ldap

add authentication ldapAction ldap_email_registration -serverIP 192.168.20.10 -serverPort 389 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName samAccountName -KBAttribute userParameters -alternateEmailAttr userParameters
add authentication Policy ldap_email_registration -rule true -action ldap_email_registration

add authentication loginSchema onlyEmailRegistration -authenticationSchema /nsconfig/loginschema/LoginSchema/AltEmailRegister.xml
add authentication policylabel email_Registration_factor -loginSchema onlyEmailRegistration
bind authentication policylabel email_Registration_factor -policyName ldap_email_registration -priority 1 -gotoPriorityExpression NEXT

bind authentication vserver EMAIL_AUTH_VSERVER -policy ldap -priority 1 -nextFactor email_Registration_factor -gotoPriorityExpression NEXT

#EMAIL
add authentication emailAction email -userName mailbox@mycorp.com -password Password987! -encryptmethod ENCMTHD_3 -serverURL "smtps://smtp.office365.com:25" -content "OTP is $code" -defaultAuthenticationGroup emailgrp -emailAddress "aaa.user.attribute(\"alternate_mail\")"
add authentication Policy email -rule true -action email

add authentication policylabel email_Validation_factor
bind authentication policylabel email_Validation_factor -policyName email -priority 1 -gotoPriorityExpression NEXT

bind authentication vserver EMAIL_AUTH_VSERVER -policy ldap -priority 1 -nextFactor email_Validation_factor -gotoPriorityExpression NEXT

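The configuration in the post binds policy ldap to EMAIL_AUTH_VSERVER at priority 1 twice, once with email_Registration_factor and once with email_Validation_factor as the next factor. The script below is an added example, not part of the original post or of Citrix's documentation: it scans a saved configuration for that pattern and, going slightly beyond the post, for next factors that name a policylabel never added. The function names and the sample (constructed from the post's bind lines) are hypothetical, and it assumes one policy binding can carry only one -nextFactor.

```python
import shlex
from collections import defaultdict

# Constructed sample: policylabel and vserver bind lines taken from the post's configuration.
SAMPLE_CONFIG = """\
add authentication policylabel email_Registration_factor -loginSchema onlyEmailRegistration
bind authentication vserver EMAIL_AUTH_VSERVER -policy ldap -priority 1 -nextFactor email_Registration_factor -gotoPriorityExpression NEXT
add authentication policylabel email_Validation_factor
bind authentication vserver EMAIL_AUTH_VSERVER -policy ldap -priority 1 -nextFactor email_Validation_factor -gotoPriorityExpression NEXT
"""

def parse_flags(tokens):
    """Map '-flag value' pairs to a dict keyed by lower-cased flag name."""
    flags = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-"):
            flags[tok[1:].lower()] = tokens[i + 1]
    return flags

def lint_nfactor_binds(config_text):
    """Report vserver policy binds whose next factors conflict or are undefined."""
    labels = set()
    binds = defaultdict(list)  # (vserver, policy, priority) -> [(line_no, next_factor)]
    for line_no, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        head = [t.lower() for t in tokens[:3]]
        if head == ["add", "authentication", "policylabel"] and len(tokens) > 3:
            labels.add(tokens[3])
        elif head == ["bind", "authentication", "vserver"] and len(tokens) > 3:
            flags = parse_flags(tokens[4:])
            if "policy" in flags:
                key = (tokens[3], flags["policy"], flags.get("priority"))
                binds[key].append((line_no, flags.get("nextfactor")))
    findings = []
    for (vserver, policy, priority), entries in binds.items():
        factors = sorted({str(nf) for _, nf in entries})
        if len(factors) > 1:  # same policy and priority, different next factors
            where = ", ".join(str(n) for n, _ in entries)
            findings.append(f"conflict: policy {policy} priority {priority} on "
                            f"{vserver} has next factors {factors} (lines {where})")
        for line_no, nf in entries:
            if nf is not None and nf not in labels:
                findings.append(f"undefined: line {line_no} points to missing policylabel {nf}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_nfactor_binds(SAMPLE_CONFIG)))
```

Line numbers in the findings refer to lines of the text passed in, so run it over the full saved configuration to locate the binds to review.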
