Posted in : Citrix, NetScaler, Security By Rasmus Kindberg Translate with Google ⟶

4 years ago

Some customers want to be able to provide more feedback to users when, for some reason, their logon to Netscaler fails or if the new password they specify during password change does not meet the AD’s password complexity requirements. Citrix has published the article https://support.citrix.com/article/CTX223404 that specifies how you can customize the message strings. However, these customizations do not apply/work if you are using a RfWebUI Theme on your AAA or VPN vServer, and below is how you actually edit these strings (the changes in the article apply only to X1 and Greenbubble themes, as far as I could tell).
The strings are not stored in /var/netscaler/logon/themes/<Name_of_Theme>/resources/en.xml, as specified in the article, but rather in the javascript file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js. Note that this file is not specific for a particular RfWebUI Theme, so any changes will apply to all RfWebUI themes on Netscaler if you have ’Enable Enhanced authentication feedback’ enabled in Netscaler global settings.
One customer of ours wanted to change the error message that is displayed when the new password specified by the user did not meet AD complexity requirements. By default, the user will just get redirected back to the Netscaler logon page with ’Incorrect username/password’, which is not really letting the user know what went wrong. So we needed to change this while at the same time not leaking any info about internal users. For example, with default settings of Enhanced Authentication Feedback, a rogue user could try logons with different AD usernames with a (purposefully) incorrect password to find out whether the username specified actually exists in AD (and then once a valid username was found, try bruteforcing the password). Without Enhanced Authentication Feedback, this rogue user would always get ”Incorrect username/password” regardless of whether the username existed or not if the password was incorrect.
To achieve above, we needed to change the default error messages returned to always be ’Incorrect username or password” for all scenarios except for when password complexity was not met. Below are the strings in /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js you need to change to achieve this:

Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4002:"You do not have permission to log on."
To
errorMessageLabel4002:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4003:"Cannot connect to server. Try connecting again in a few minutes."
To
errorMessageLabel4003:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4004:"Cannot connect. Try connecting again."
To
errorMessageLabel4004:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4005:"Cannot connect. Try connecting again."
To
errorMessageLabel4005:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4006:"Incorrect user name."
To
errorMessageLabel4006:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4007:"Incorrect password."
To
errorMessageLabel4007:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4009:"User not found."
To
errorMessageLabel4009:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4010:"You do not have permission to log on at this time."
To
errorMessageLabel4010:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4011:"Your account is disabled."
To
errorMessageLabel4011:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4013:"You do not have permission to log on."
To
errorMessageLabel4013:"Incorrect user name or password."
Open file /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js
errorMessageLabel4015:"Your account is temporarily locked."
To
errorMessageLabel4015:"Incorrect user name or password."

 
The end result is that users now receive below message when password complexity for password change was not met, but they still receive ’Incorrect user name or password’ for all other scenarios.
Note that above changes will persist through Netscaler reboot, so no need to bother editing rc.netscaler to achieve persistence.

 
 
 

Tags : Enhanced Authentication Feedback, NetScaler, RfWebUI, Security

Personlig rådgivning

Vi erbjuder personlig rådgivning med författaren för 1400 SEK per timme. Anmäl ditt intresse i här så återkommer vi så snart vi kan.

Add comment

Your comment will be revised by the site if needed.