Netscaler – Customizing messages when using “Enhanced authentication feedback” with RfWebUI Theme

Some customers want to give users more feedback when, for whatever reason, their logon to Netscaler fails, or when the new password they enter during a password change does not meet the AD password complexity requirements. Citrix has published the article https://support.citrix.com/article/CTX223404, which describes how to customize the message strings. However, those customizations do not take effect if you are using an RfWebUI theme on your AAA or VPN vServer; below is how you actually edit these strings (the changes in the article apply only to X1 and Greenbubble themes, as far as I could tell).

The strings are not stored in /var/netscaler/logon/themes/<Name_of_Theme>/resources/en.xml, as the article states, but in the JavaScript file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js. Note that this file is not specific to any one RfWebUI theme, so any change applies to every RfWebUI theme on the Netscaler whenever ‘Enable Enhanced authentication feedback’ is enabled in the Netscaler global settings.

One customer of ours wanted to change the error message displayed when the new password specified by the user did not meet AD complexity requirements. By default, the user is simply redirected back to the Netscaler logon page with ‘Incorrect username/password’, which does not tell the user what actually went wrong. So we needed to change this without leaking any information about internal users at the same time. For example, with the default settings of Enhanced Authentication Feedback, a rogue user could attempt logons with different AD usernames and a (purposely) incorrect password to find out whether a given username exists in AD (and, once a valid username was found, try brute-forcing its password). Without Enhanced Authentication Feedback, that rogue user would always get “Incorrect username/password” when the password was wrong, regardless of whether the username existed.
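
As an added illustration (not code from this post, from Citrix, or from ctxs.core.min.js), the following Python models the message policy the post settles on: every logon failure collapses to one generic message, and only a rejected password change keeps a specific message. It then checks a message table for the username-enumeration leak described above. The outcome names, the "enhanced" table and the message texts are constructed for the example and are not NetScaler's own.

```python
"""Added example, not code from the blog post, Citrix, or ctxs.core.min.js.

Models two feedback tables and checks whether the logon messages alone
let an observer tell a valid AD username from an invalid one.
All outcome names and message texts are constructed for illustration.
"""
from enum import Enum, auto


class AuthOutcome(Enum):
    """Outcomes an authentication backend can report (constructed set)."""
    SUCCESS = auto()
    UNKNOWN_USER = auto()        # username does not exist in AD
    WRONG_PASSWORD = auto()      # user exists, password incorrect
    ACCOUNT_LOCKED = auto()      # user exists, account locked out
    ACCOUNT_DISABLED = auto()    # user exists, account disabled
    PASSWORD_EXPIRED = auto()    # user exists, must change password
    COMPLEXITY_NOT_MET = auto()  # password change rejected by AD policy


GENERIC = "Incorrect user name or password"
COMPLEXITY_MSG = ("The new password does not meet the password complexity "
                  "requirements. Please choose a different password.")

# Outcomes that can only occur for a username that exists. If any of them
# shows text different from UNKNOWN_USER, the text confirms the username.
USER_EXISTS_FAILURES = {
    AuthOutcome.WRONG_PASSWORD,
    AuthOutcome.ACCOUNT_LOCKED,
    AuthOutcome.ACCOUNT_DISABLED,
    AuthOutcome.PASSWORD_EXPIRED,
}

# Constructed stand-in for verbose per-outcome feedback: every outcome
# explains itself, which is exactly what leaks account existence.
ENHANCED_FEEDBACK = {
    AuthOutcome.UNKNOWN_USER: "User name not found.",
    AuthOutcome.WRONG_PASSWORD: "The password you entered is incorrect.",
    AuthOutcome.ACCOUNT_LOCKED: "Your account is locked. Contact the helpdesk.",
    AuthOutcome.ACCOUNT_DISABLED: "Your account is disabled.",
    AuthOutcome.PASSWORD_EXPIRED: "Your password has expired.",
    AuthOutcome.COMPLEXITY_NOT_MET: COMPLEXITY_MSG,
}

# The policy from the post: generic text everywhere except for the
# password-change complexity failure.
HARDENED_FEEDBACK = {
    AuthOutcome.UNKNOWN_USER: GENERIC,
    AuthOutcome.WRONG_PASSWORD: GENERIC,
    AuthOutcome.ACCOUNT_LOCKED: GENERIC,
    AuthOutcome.ACCOUNT_DISABLED: GENERIC,
    AuthOutcome.PASSWORD_EXPIRED: GENERIC,
    AuthOutcome.COMPLEXITY_NOT_MET: COMPLEXITY_MSG,
}


def message_for(table, outcome):
    """Text shown to the user for a backend outcome; success shows nothing."""
    if outcome is AuthOutcome.SUCCESS:
        return None
    return table[outcome]


def revealing_outcomes(table):
    """User-exists failures whose text differs from the unknown-user text.
    Each one lets an observer confirm that a username is valid."""
    baseline = table[AuthOutcome.UNKNOWN_USER]
    return {o for o in USER_EXISTS_FAILURES if table[o] != baseline}


def leaks_user_existence(table):
    """True if logon feedback distinguishes valid from invalid usernames."""
    return bool(revealing_outcomes(table))


def complexity_feedback_preserved(table):
    """True if a rejected password change still gets its own message."""
    return (table[AuthOutcome.COMPLEXITY_NOT_MET]
            != table[AuthOutcome.WRONG_PASSWORD])


if __name__ == "__main__":
    for name, table in (("enhanced", ENHANCED_FEEDBACK),
                        ("hardened", HARDENED_FEEDBACK)):
        print(f"{name}: leaks user existence = {leaks_user_existence(table)}, "
              f"complexity feedback kept = {complexity_feedback_preserved(table)}")
```

The check is the one to reuse when reviewing any edited message table: as long as every failure that can only happen for an existing account maps to the same text as the unknown-user case, the feedback no longer confirms usernames, while the password-change message stays informative.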

To achieve the above, we needed to change the default error messages so that they always read ‘Incorrect username or password’ in every scenario except the one where password complexity was not met. Below are the strings in /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js that you need to change to achieve this:


The end result is that users now receive the message below when the new password did not meet the complexity requirements during a password change, but they still receive ‘Incorrect user name or password’ in all other scenarios.

Note that the above changes persist across a Netscaler reboot, so there is no need to edit rc.netscaler to make them persistent.


Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.