Enhanced Authentication Feedback, introduced in v10.1, is a NetScaler option, disabled by default, that gives the end user more information about why an authentication attempt failed. By default, when a user authenticates to, for example, NetScaler Gateway and fails, the only reason NetScaler returns is the Incorrect user name or password message.
The real reason may be quite different: a disabled account, an expired password or restricted logon hours are just some of the causes of a failure. This is why the Enhanced Authentication Feedback option can be useful to you and the end user. It may reduce support calls and make it easier for the support team to resolve authentication failures, because they get a more granular reason for each failure.
On the other hand, enabling this option carries a security risk: once it is on, it becomes easier for an attacker to determine, for example, whether a user account exists. It is important to highlight this.
To enable it via the CLI, run set aaa parameter -enableEnhancedAuthFeedback ENABLED, or via the GUI navigate to NetScaler Gateway -> Global Settings -> Change authentication AAA settings -> Enable Enhanced Authentication Feedback.
Error codes and the list of supported reasons are given below (the text shown to the user is in parentheses):
- 4001 – Invalid credentials. Catch-all error from previous versions. (Incorrect credentials. Try again.)
- 4002 – Login not permitted. Catch-all error from previous versions. (You do not have permission to log on at this time.)
- 4003 – Server timeout. (Cannot connect to server. Try connecting again in a few minutes.)
- 4004 – System error. (Cannot connect. Try connecting again.)
- 4005 – Socket error talking to authentication server. (Cannot connect. Try connecting again.)
- 4006 – Bad (format) user passed to nsaaad. (Incorrect user name.)
- 4007 – Bad (format) password passed to nsaaad. (Incorrect password.)
- 4008 – Password mismatch (when entering new password). (Passwords do not match.)
- 4009 – User not found. (User not found.)
- 4010 – Restricted login hours. (You do not have permission to log on at this time.)
- 4011 – Account disabled. (Your account is disabled.)
- 4012 – Password expired. (Your password has expired.)
- 4013 – No dial-in permission (RADIUS specific). (You do not have permission to log on.)
- 4014 – Error changing password. (Could not change your password.)
- 4015 – Account locked. (Your account is temporarily locked.)
- 4016 – User password complexity requirement not met when changing password. (Could not update your password. The password must meet the length, complexity, and history requirements of the domain.)
User not found.
How can I change the response codes returned by NetScaler?
Remember the point highlighted above. Out of the box, enabling Enhanced Authentication Feedback returns a User not found response when the user name entered cannot be found by LDAP in Active Directory. This is a security concern, but the responses can be changed.
Note: Citrix do not support or assist with this configuration. Perform this modification at your own risk. If you do proceed, always take a backup before changing a live environment.
Open WinSCP or a similar tool, browse to and edit the following file:
- NSv11+ – /var/netscaler/logon/themes/default/resources/en.xml
- NSv10.5 – /netscaler/ns_gui/vpn/resources/en.xml
Note: If you have a custom theme, the default portion of the path will be whatever name you specified when creating the theme.
Edit the en.xml file and look for the section shown below.
Change any of the values, then save en.xml.
Now as an example, my modified User not found text contains some new information!
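As an added example that serves both the error-code list above and the en.xml edit just described (it is not code from the original post or from Citrix): a small Python audit that reads an en.xml, reports which account-state codes (4009, 4010, 4011, 4012, 4015) still carry a message distinguishable from the generic 4001 text, and rewrites the chosen codes to match it. The sample file, the <Resources>/<String id="errorMessageLabel<code>"> layout and the id naming are assumptions made for illustration, not the verified structure of the NetScaler file; adapt the selector in load_messages() to the real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an en.xml fragment. The <Resources>/<String id="..."> layout
# and the errorMessageLabel<code> id scheme are assumptions for this example, not
# the verified structure of the NetScaler file; adapt load_messages() if yours differs.
SAMPLE_EN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Resources>
  <String id="errorMessageLabel4001">Incorrect credentials. Try again.</String>
  <String id="errorMessageLabel4009">User not found.</String>
  <String id="errorMessageLabel4011">Your account is disabled.</String>
  <String id="errorMessageLabel4012">Your password has expired.</String>
  <String id="errorMessageLabel4015">Your account is temporarily locked.</String>
</Resources>
"""

ID_PREFIX = "errorMessageLabel"
BASELINE_CODE = "4001"  # generic bad-credentials text; every other failure is compared to it

# Codes whose message describes the account rather than the credentials. A message
# that differs from the 4001 text tells a remote party something about the account.
ACCOUNT_STATE_CODES = {
    "4009": "user not found",
    "4010": "restricted login hours",
    "4011": "account disabled",
    "4012": "password expired",
    "4015": "account locked",
}


def load_messages(xml_text):
    """Map error code -> message text for every errorMessageLabel<code> String."""
    root = ET.fromstring(xml_text)
    messages = {}
    for el in root.iter("String"):
        sid = el.get("id", "")
        if sid.startswith(ID_PREFIX):
            messages[sid[len(ID_PREFIX):]] = (el.text or "").strip()
    return messages


def find_leaks(messages):
    """Return (code, meaning, text) for each account-state code whose text differs from 4001."""
    baseline = messages.get(BASELINE_CODE)
    return [
        (code, meaning, messages[code])
        for code, meaning in sorted(ACCOUNT_STATE_CODES.items())
        if code in messages and messages[code] != baseline
    ]


def harden(xml_text, codes=("4009",)):
    """Rewrite the chosen codes' messages to the 4001 text and return the new XML.

    Defaults to 4009 only, the response the post singles out. Collapsing the other
    account-state codes is a policy choice, since it removes the support benefit
    the feature was enabled for in the first place.
    """
    root = ET.fromstring(xml_text)
    baseline = None
    for el in root.iter("String"):
        if el.get("id") == ID_PREFIX + BASELINE_CODE:
            baseline = el.text
    if baseline is None:
        raise ValueError("no %s%s entry to use as baseline" % (ID_PREFIX, BASELINE_CODE))
    for el in root.iter("String"):
        sid = el.get("id", "")
        if sid.startswith(ID_PREFIX) and sid[len(ID_PREFIX):] in codes:
            el.text = baseline
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for code, meaning, text in find_leaks(load_messages(SAMPLE_EN_XML)):
        print("%s (%s): %r" % (code, meaning, text))
    print(harden(SAMPLE_EN_XML))
```

Run it against a copy of en.xml pulled with WinSCP rather than the live file, diff the output against the original, and only then upload; the audit is also a quick check to re-run after a NetScaler upgrade, since a theme refresh can put the default User not found text back.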