Citrix ADC Self-Service Password Reset

Self-service password reset (SSPR) is a feature introduced in Citrix ADC firmware 12.1.50.28. This feature grants users the ability to reset their own Active Directory passwords securely, from remote locations.

There is also an alternative self-service password reset feature that caters for internal users, not to be confused with ADC self-service password reset. The on-premises solution integrates with StoreFront and was first released in XenApp & XenDesktop 7.8. The configuration article for that feature is documented here.

Since the initial release of the on-premises self-service password reset, customers have asked for the same password reset capabilities to be available remotely, wherever the user is in the world. This has now been made available in version 12.1.50.28 of Citrix ADC. The feature is built on top of the nFactor authentication engine.

1. Requirements:

  • Active Directory domain functional level of 2008, 2012 or 2016 required.
  • nFactor authentication flow is the only way to configure SSPR.
    • Registration is supported only through a web browser.
  • An ADC Advanced (formerly NetScaler Enterprise) license is required at a minimum.
  • AAA (Authentication, authorisation, and accounting) vServer required.
  • An Active Directory attribute is required to store the encrypted registration information.
    • The LDAP bind account must have write permission to the chosen attribute.
    • The chosen attribute must support at least 128 characters and have a maximum value length of 32k.

Note: In this article, I have chosen userParameters as the attribute that will store knowledge-based authentication (KBA) and alternative email values. This article also assumes you are using a Gateway virtual server as part of your remote access offering to corporate users.

2. Configure SSPR
Scenario: Corporate users who wish to register for SSPR can do so by browsing to the provisioned URL: https://unifiedgateway.jgspiers.com/register. This URL is accessible from anywhere in the world, and in a production environment will be configured with multiple factors of authentication.

Connect to the CLI of ADC and run the command bind vpn global -userDataEncryptionKey unifiedgateway.jgspiers.com. Replace the unifiedgateway.jgspiers.com value with the name of your own certificate that is installed on ADC. Note that the key size of the certificate must be 1024 bits: a bug in the 12.1.50.28 firmware does not allow a larger key size to be used with SSPR. This is resolved in 12.1.51.16.

Edit your Gateway virtual server.

Make sure that no Basic Authentication policies are bound. We are using nFactor, so we must use an AAA virtual server for authentication.

Navigate to Citrix Gateway -> Policies -> Authentication -> LDAP -> Servers -> Add.

Create an LDAP server as you normally would, similar to below. Name it SSPR-LDAP-Pol.

You will notice that two new fields have been added. Under KB Attribute and Alternate Email enter userParameters. If you have chosen another not-in-use attribute, enter that instead. Click Create.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy -> Add.

Enter the below information:

Name = SSPR-LDAP-Pol

Action Type = LDAP

Action = SSPR-LDAP-Pol

Expression = HTTP.REQ.COOKIE.VALUE("NSC_TASS").CONTAINS("register")

Click Create.

Navigate to Security -> AAA – Application Traffic -> Login Schema -> Profiles -> Add KBA Registration Login Schema.

Enter the name SSPR-Registration-Schema. You now have the option of choosing up to four System Defined Questions. You can pick and choose which questions you want to make available to users, and they will be presented in a drop-down fashion during registration. If, for example, you configure two questions, users are only required to pick two questions of their choice and provide answers to them.

You can also choose to allow a maximum of two User Defined Questions. This allows users to pick their own questions and provide answers to them, in conjunction with the System Defined Questions.

Optionally, you can also select the Register Alternate Email checkbox. If selected, users are prompted for an email address during KBA registration, which is stored in the attribute you specified during LDAP server creation. This feature is for added security: users who are resetting their password will not only have to answer the security questions but also complete an OTP (one-time password) validation before their password reset succeeds.

Click Create.

System defined questions are found under /nsconfig/loginschema/LoginSchema/KBQuestions.json. If you want to modify or add your own questions to this list, you can do so here.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> PolicyLabel -> Add.

Enter the below information:

Name = SSPR-PolicyLabel

Login Schema = SSPR-Registration-Schema

Click Continue.

Click Click to select.

Select LDAP policy SSPR-LDAP-Pol. Click Select.

Set Goto Expression to END. Click Bind.

Click Done.

Navigate to Security -> AAA – Application Traffic -> Virtual Servers -> Add.

Enter the below information:

Name = AAA-vServer

IP Address Type = Non Addressable

Click OK.

Click No Server Certificate.

Click Click to select.

Select the same certificate that is used on your Gateway virtual server. Click Select.

Click Bind.

Click Continue.

Click No Authentication Policy.

Click Click to select.

Select LDAP policy SSPR-LDAP-Pol. Click Select.

Click Click to select under Select Next Factor.

Select Policy Label SSPR-PolicyLabel. Click Select.

Click Bind.

Click Continue.

Click Done.

Navigate to Security -> AAA – Application Traffic -> Authentication Profile -> Add.

Enter the below information:

Name = AAA-Auth-Profile

Choose Virtual Server Type = Authentication Virtual Server

Click Click to select.

Select virtual server AAA-vServer. Click Select.

Click Create.

Navigate to Citrix Gateway -> Virtual Servers and edit your Gateway virtual server.

Under Authentication Profile, using the drop-down, select AAA-Auth-Profile. Click OK followed by Done.

3. Register as a user for SSPR (URL method)

Now that the configuration is complete, you can have users register with SSPR.

Open a web browser and navigate to your Gateway URL, with /register appended to the URL.

Enter your username and password. Click Log On. In a production environment, you will have multiple factors of authentication.

The KBA Registration page is displayed. The page is made up of System/User Defined questions and an alternate email ID.

You can use the drop-down boxes to select which questions you want to provide answers to as part of your KBA Registration. The questions available are the ones you configured in the earlier step when creating a KBA Registration Login Schema.

When finished selecting and answering questions, and providing an alternate email ID, click Submit. You will be passed through to Gateway.

When reviewing AAA authentication logs, a kba registered successfully message is generated.

The userParameters attribute in Active Directory is populated with an encrypted value.
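The attribute requirements from section 1 (a writable attribute that accepts 128 to 32k characters and is not otherwise in use) and the populated attribute described above can be checked from a domain-joined Windows host. This is an added example, not part of the article; it assumes the RSAT ActiveDirectory module, reuses the article's names (userParameters, the ldapsvc bind account) and uses a hypothetical OU, and it goes slightly beyond the article by checking whether the attribute already carries data before SSPR starts writing to it.

```powershell
# Added example (not from the article): pre-flight and post-registration checks for the
# Active Directory attribute that Citrix ADC SSPR uses to store KBA/alternate-email data.
# Assumes the RSAT ActiveDirectory module. Names follow the article; the OU is hypothetical.
Import-Module ActiveDirectory

$Attribute     = 'userParameters'                 # attribute chosen in the article
$BindAccount   = 'JGSPIERS\ldapsvc'               # bind account from the article's ldapAction
$UserContainer = 'OU=Users,DC=jgspiers,DC=com'    # hypothetical OU holding the SSPR users
$GrantWriteOnAttribute = $false                   # set to $true to apply the ACL change in step 3

# 1. Requirement check: the attribute must accept values of at least 128 characters
#    and have a maximum value length of 32k (rangeUpper in the schema, if one is set).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" `
        -Properties rangeLower, rangeUpper, attributeSyntax
if (-not $attr) { throw "Attribute $Attribute was not found in the schema" }
"Syntax: $($attr.attributeSyntax)  rangeLower: $($attr.rangeLower)  rangeUpper: $($attr.rangeUpper)"
if ($attr.rangeUpper -and $attr.rangeUpper -lt 128) {
    Write-Warning "rangeUpper ($($attr.rangeUpper)) is below the 128-character minimum"
}

# 2. 'Not in use' check: any existing value means the attribute already carries other data
#    (userParameters is also where Remote Desktop Services stores per-user settings), and
#    SSPR registration would overwrite it for that user.
$inUse = Get-ADUser -SearchBase $UserContainer -LDAPFilter "($Attribute=*)" -Properties $Attribute
"Users that already have a value in ${Attribute}: $($inUse.Count)"
$inUse | ForEach-Object { "  already populated: $($_.SamAccountName)" }

# 3. Least privilege: the bind account only needs write access to this one attribute on
#    user objects, not write rights on the whole user object or OU. dsacls 'WP' = write
#    property, inherited (/I:S) to the 'user' object class. Run once as a domain admin.
if ($GrantWriteOnAttribute) {
    dsacls $UserContainer /I:S /G "${BindAccount}:WP;$Attribute;user"
}

# 4. After a user registers (section 3), the attribute holds an opaque encrypted blob;
#    a non-empty value is the sign that KBA registration has been stored.
function Test-SsprRegistered {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties $Attribute
    return -not [string]::IsNullOrEmpty($u.$Attribute)
}

Test-SsprRegistered -SamAccountName 'User1'   # $false until User1 completes KBA registration
Test-SsprRegistered -SamAccountName 'User2'   # $true once User2 has registered
```

The blob is encrypted with the certificate bound via -userDataEncryptionKey, so it cannot be read from AD; only its presence is checked here.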

4. Configure SSPR enforcement for unregistered users (attribute method)

If you want to force users to register for SSPR, you can do so by having ADC evaluate whether a user has previously registered. If no registration has been recorded, the user is forced to register before being allowed access to Gateway.

Scenario: Corporate users access Gateway remotely. If they are not found to have registered with SSPR, they are forced to do so before being allowed to access Gateway resources.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy -> Add.

Enter the below information:

Name = LDAP_AllUsers

Action Type = LDAP

Action = SSPR-LDAP-Pol (created from previous step)

Expression = true

Click Create.

Create a second authentication policy. Enter the below information:

Name = SSPR-ForceRegister-NOAUTH

Action Type = NO_AUTHN

Expression = AAA.USER.ATTRIBUTE("kba_registered").NE("1")

Click Create.

Create a third authentication policy. Enter the below information:

Name = NOAUTH-Continue

Action Type = NO_AUTHN

Expression = true

Click Create.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> PolicyLabel -> Add.

Enter the below information:

Name = noschema-SSPR

Login Schema = LSCHEMA_INT

Click Continue.

Click Click to select.

Select SSPR-ForceRegister-NOAUTH. Click Select.

Set the Priority to 50. Under Select Next Factor, click Click to select.

Select SSPR-PolicyLabel (created in a previous step). Click Select.

Click Bind.

Click Add Binding.

Click Click to select.

Select Authentication Policy NOAUTH-Continue. Click Select.

Set Goto Expression to END. Click Bind.

Confirm your Policy Label has authentication policies bound as below. Click Done.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy and make sure the SSPR-LDAP-Pol policy has an expression of true. It may have a different expression if you have followed on from previous steps.

Navigate to Security -> AAA – Application Traffic -> Virtual Servers and edit your AAA virtual server.

Click No Authentication Policy. If you already have an authentication policy bound, unbind it for the purpose of this demonstration.

Click Click to select.

Select LDAP_AllUsers. Click Select.

Under Select Next Factor click Click to select.

Select noschema-SSPR. Click Select.

Click Bind.

Click Done.

In this scenario, there are two users: User1, User2.

User1 has not previously registered with SSPR.

User2 has previously registered with SSPR.

If User1 attempts to connect to Gateway, during authentication, ADC detects this user has not yet registered with SSPR.

The KBA Registration page is displayed to User1.

If User2 attempts to connect to Gateway, during authentication, ADC detects this user has registered with SSPR.

User2 is passed through to Gateway.

ns.log shows that during the authentication of User2, the user has already registered with SSPR.

5. Configure SSPR password reset

With the above configuration in place that forces users to register if they have not done so already, we will build on that to add in password reset capabilities.

Scenario: A corporate user requests to reset their password. ADC validates the user by asking them to complete KBA validation and then enter an OTP code that is sent to the email address they defined during KBA registration.

Note: Email/OTP validation is optional but advised for better security.

Navigate to Security -> AAA – Application Traffic -> Login Schema -> Profiles -> Add.

Enter name SSPR-PWReset-LoginSchema. You have three pre-built password reset Login Schemas available for use:

DualAuthPasswordResetRem.xml

OnlyUsernamePasswordReset.xml

SingleAuthPasswordResetRem.xml

For the purpose of this article, we will use the SingleAuthPasswordResetRem.xml Login Schema. Select it from the list and click Select.

Click Create.

Click on the Policies tab and then click Add.

Enter the below information:

Name = SSPR-PWReset-LoginSchema

Profile = SSPR-PWReset-LoginSchema

Rule = true

Click Create.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Actions -> LDAP -> Add.

Create an LDAP server as you normally would, similar to below, only uncheck Authentication. Name the action SSPR-Reset-AuthOff.

Under KB Attribute and Alternate Email enter userParameters. If you have chosen another not-in-use attribute, enter that instead. Click Create.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Actions -> EMAIL -> Add.

Enter the below information:

Name = SSPR-Email-Action

Username = The email address you will send OTP emails from

Password = The password to that account, for authentication to your SMTP server

Server URL = Your SMTP server URL and port to connect on

Content = Your OTP is $code

Email Address = aaa.user.attribute("alternate_mail")

Click Create.

Connect to the CLI of ADC and run the command add authentication policy SSPR-Email-Validation -rule true -action SSPR-Email-Action

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy -> Add.

Enter the below information:

Name = SSPR-Reset-AuthOff

Action Type = LDAP

Action = SSPR-Reset-AuthOff

Expression = aaa.LOGIN.VALUE("passwdreset").EQ("1")

Click Create.

Create a second authentication policy.

Enter the below information:

Name = SSPR-Reset-AuthOff2

Action Type = LDAP

Action = SSPR-Reset-AuthOff

Expression = true

Click Create.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> PolicyLabel -> Add.

Enter the below information:

Name = SSPR-Reset-PWReset

Login Schema = LSCHEMA_INT

Click Continue.

Click Click to select.

Select policy SSPR-Reset-AuthOff2, click Select.

Set Goto Expression to END. Click Bind.

Click Done.

Create a second Policy Label.

Enter the below information:

Name = SSPR-Reset-Email

Login Schema = LSCHEMA_INT

Click Continue.

Under Select Policy, select authentication policy SSPR-Email-Validation.

Under Select Next Factor, select Policy Label SSPR-Reset-PWReset.

Click Bind.

Click Done.

Create a third Policy Label.

Enter the below information:

Name = SSPR-Reset-KBA

Login Schema = LSCHEMA_INT

Click Continue.

Under Select Policy, select authentication policy SSPR-Reset-AuthOff.

Under Select Next Factor, select Policy Label SSPR-Reset-Email.

Click Bind.

Click Done.

Navigate to Security -> AAA – Application Traffic -> Virtual Servers. Edit your AAA virtual server.

Click No Login Schema under Login Schemas.

Click Click to select.

Select authentication policy SSPR-PWReset-LoginSchema. Click Select.

Click Bind.

Click 1 Authentication Policy.

Click Add Binding.

Click Click to select.

Select authentication policy SSPR-Reset-AuthOff. Click Select.

Set the Priority to 50. Click Click to select under Select Next Factor.

Select Policy Label SSPR-Reset-KBA. Click Select.

Click Bind.

Click Close.

Click Done.

6. Reset password as a user

Open a web browser and navigate to your Gateway URL. Enter your user name in the User name field and click on the Forgot Password link.

Your user name is carried through from the previous factor. Click Submit.

You will be challenged by two questions that you chose during KBA registration. Enter the answers and click Log On.

You are next challenged to enter your OTP. This will be sent to the email address you provided during KBA registration.

Copy the OTP code from the email you received.

Enter the OTP code into the Enter OTP from Email field. Click Log On.

If the OTP code is correct, you will be given the option to change your password. Specify a new password and click Submit.

The password reset is complete.

7. CLI commands – Force registration via attribute, and password reset with email verification – configuration

The following is assumed to be already in place:

  • AAA virtual server
  • AAA Authentication Profile
  • Gateway virtual server
  • SSPR KBA Login Schema (SSPR-Registration-Schema.xml)

add authentication loginSchema SSPR-Registration-Schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SSPR-Registration-Schema.xml"

add authentication loginSchema SSPR-PWReset-LoginSchema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthPasswordResetRem.xml"

add authentication loginSchemaPolicy SSPR-PWReset-LoginSchema -rule true -action SSPR-PWReset-LoginSchema

add authentication ldapAction SSPR-LDAP-Pol -serverIP 192.168.1.101 -serverPort 636 -ldapBase "DC=JGSPIERS,DC=COM" -ldapBindDn ldapsvc@jgspiers.com -ldapBindDnPassword -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication ENABLED -KBAttribute userParameters -alternateEmailAttr userParameters

add authentication ldapAction SSPR-Reset-AuthOff -serverIP 192.168.1.101 -serverPort 636 -authTimeout 3 -ldapBase "DC=JGSPIERS,DC=COM" -ldapBindDn ldapsvc@jgspiers.com -ldapBindDnPassword -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -svrType AD -authentication DISABLED -KBAttribute userParameters -alternateEmailAttr userParameters

add authentication Policy SSPR-Reset-AuthOff -rule aaa.LOGIN.VALUE("passwdreset").EQ("1") -action SSPR-Reset-AuthOff

add authentication Policy SSPR-Reset-AuthOff2 -rule true -action SSPR-Reset-AuthOff

add authentication emailAction SSPR-Email-Action -userName george@jgspiers.com -password Password -serverURL "smtps://smtp-relay.gmail.com:587" -content "Your OTP is $code" -timeout 30 -type SMTP -emailAddress aaa.user.attribute("alternate_mail")

add authentication policy SSPR-Email-Validation -rule true -action SSPR-Email-Action

add authentication policylabel SSPR-Reset-KBA -loginSchema LSCHEMA_INT

add authentication Policy LDAP_AllUsers -rule true -action SSPR-LDAP-Pol

add authentication Policy SSPR-LDAP-Pol -rule true -action SSPR-LDAP-Pol

add authentication Policy SSPR-ForceRegister-NOAUTH -rule "AAA.USER.ATTRIBUTE(\"kba_registered\").NE(\"1\")" -action NO_AUTHN

add authentication Policy NOAUTH-Continue -rule true -action NO_AUTHN

add authentication policylabel noschema-SSPR -loginSchema LSCHEMA_INT

add authentication policylabel SSPR-PolicyLabel -loginSchema SSPR-Registration-Schema

add authentication policylabel SSPR-Reset-PWReset -loginSchema LSCHEMA_INT

add authentication policylabel SSPR-Reset-Email -loginSchema LSCHEMA_INT

bind vpn global -userDataEncryptionKey unifiedgateway.jgspiers.com

bind authentication policylabel SSPR-PolicyLabel -policyName SSPR-LDAP-Pol -priority 100 -gotoPriorityExpression END

bind authentication policylabel noschema-SSPR -policyName SSPR-ForceRegister-NOAUTH -priority 50 -gotoPriorityExpression NEXT -nextFactor SSPR-PolicyLabel

bind authentication policylabel noschema-SSPR -policyName NOAUTH-Continue -priority 100 -gotoPriorityExpression END

bind authentication vserver AAA-vServer -policy LDAP_AllUsers -priority 100 -nextFactor noschema-SSPR -gotoPriorityExpression NEXT

bind authentication policylabel SSPR-Reset-PWReset -policyName SSPR-Reset-AuthOff2 -priority 100 -gotoPriorityExpression END

bind authentication policylabel SSPR-Reset-Email -policyName SSPR-Email-Validation -priority 100 -gotoPriorityExpression NEXT -nextFactor SSPR-Reset-PWReset

bind authentication policylabel SSPR-Reset-KBA -policyName SSPR-Reset-AuthOff -priority 100 -gotoPriorityExpression NEXT -nextFactor SSPR-Reset-Email

bind authentication vserver AAA-vServer -policy SSPR-PWReset-LoginSchema -priority 100

bind authentication vserver AAA-vServer -policy SSPR-Reset-AuthOff -priority 50 -nextFactor SSPR-Reset-KBA -gotoPriorityExpression NEXT

8. CLI commands – Force registration via attribute, and password reset without email verification – configuration

The following is assumed to be already in place:

  • AAA virtual server
  • AAA Authentication Profile
  • Gateway virtual server
  • SSPR KBA Login Schema (SSPR-Registration-Schema.xml)

add authentication loginSchema SSPR-Registration-Schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SSPR-Registration-Schema.xml"

add authentication loginSchema SSPR-PWReset-LoginSchema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthPasswordResetRem.xml"

add authentication loginSchemaPolicy SSPR-PWReset-LoginSchema -rule true -action SSPR-PWReset-LoginSchema

add authentication ldapAction SSPR-LDAP-Pol -serverIP 192.168.1.101 -serverPort 636 -ldapBase "DC=JGSPIERS,DC=COM" -ldapBindDn ldapsvc@jgspiers.com -ldapBindDnPassword -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication ENABLED -KBAttribute userParameters -alternateEmailAttr userParameters

add authentication ldapAction SSPR-Reset-AuthOff -serverIP 192.168.1.101 -serverPort 636 -authTimeout 3 -ldapBase "DC=JGSPIERS,DC=COM" -ldapBindDn ldapsvc@jgspiers.com -ldapBindDnPassword -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -svrType AD -authentication DISABLED -KBAttribute userParameters -alternateEmailAttr userParameters

add authentication Policy SSPR-Reset-AuthOff -rule aaa.LOGIN.VALUE("passwdreset").EQ("1") -action SSPR-Reset-AuthOff

add authentication Policy SSPR-Reset-AuthOff2 -rule true -action SSPR-Reset-AuthOff

add authentication policylabel SSPR-Reset-KBA -loginSchema LSCHEMA_INT

add authentication Policy LDAP_AllUsers -rule true -action SSPR-LDAP-Pol

add authentication Policy SSPR-LDAP-Pol -rule true -action SSPR-LDAP-Pol

add authentication Policy SSPR-ForceRegister-NOAUTH -rule "AAA.USER.ATTRIBUTE(\"kba_registered\").NE(\"1\")" -action NO_AUTHN

add authentication Policy NOAUTH-Continue -rule true -action NO_AUTHN

add authentication policylabel noschema-SSPR -loginSchema LSCHEMA_INT

add authentication policylabel SSPR-PolicyLabel -loginSchema SSPR-Registration-Schema

add authentication policylabel SSPR-Reset-PWReset -loginSchema LSCHEMA_INT

bind vpn global -userDataEncryptionKey unifiedgateway.jgspiers.com

bind authentication policylabel SSPR-PolicyLabel -policyName SSPR-LDAP-Pol -priority 100 -gotoPriorityExpression END

bind authentication policylabel noschema-SSPR -policyName SSPR-ForceRegister-NOAUTH -priority 50 -gotoPriorityExpression NEXT -nextFactor SSPR-PolicyLabel

bind authentication policylabel noschema-SSPR -policyName NOAUTH-Continue -priority 100 -gotoPriorityExpression END

bind authentication vserver AAA-vServer -policy LDAP_AllUsers -priority 100 -nextFactor noschema-SSPR -gotoPriorityExpression NEXT

bind authentication policylabel SSPR-Reset-PWReset -policyName SSPR-Reset-AuthOff2 -priority 100 -gotoPriorityExpression END

bind authentication policylabel SSPR-Reset-KBA -policyName SSPR-Reset-AuthOff -priority 100 -gotoPriorityExpression NEXT -nextFactor SSPR-Reset-PWReset

bind authentication vserver AAA-vServer -policy SSPR-PWReset-LoginSchema -priority 100

bind authentication vserver AAA-vServer -policy SSPR-Reset-AuthOff -priority 50 -nextFactor SSPR-Reset-KBA -gotoPriorityExpression NEXT

76 Comments

  • Carl Stalhood

    January 24, 2019

    Hi George, are you able to attach the full list of CLI commands that you used to configure this feature? Thanks.

    • George Spiers

      January 24, 2019

      Hi Carl, see section 7.

  • Victor Fuenmayor

    January 28, 2019

    George, do you have the bug ID for the bug mentioned in Section 2?
    “There is a current bug in the 12.1.50.28 firmware that does not allow a larger key size to be used with SSPR.”
    I need to find out when this is fixed.

    • George Spiers

      January 29, 2019

      The release notes of 50.31 have this bug mentioned and below the bug appears “NSAUTH-5342”. Don’t think that is of any use. There is no actual bug number listed. I was told it would be fixed in February.

  • Steve Haugh

    March 5, 2019

    Hi George, Can you run SSPR with the OTP for 2FA function on the NS?

    • George Spiers

      March 7, 2019

      Sure you can, just make sure that OTP and SSPR use different AD attributes.

    • Sean

      December 22, 2021

      Hello George,
      I know this is an old post, but I would really appreciate it if you can show us how to implement SSPR and 2FA. I have contacted Citrix on multiple occasions regarding this implementation and they all tell me it cannot be done. Can you please prove them wrong.
      Best,
      Sean

  • John Carmody

    March 22, 2019

    Hi George, I get to step 6, put my user name in and click Forgot Password and confirm the username. I then get asked the security questions, which I complete, but after clicking on Log On I then get a “cannot complete your request” error and can go no further.

    “You are next challenged to enter your OTP. This will be sent to the email address you provided during KBA registration” <<< I don’t get this, I get the cannot complete your request error.

    I have checked the Delivery Services log on my StoreFront server and there are no errors in there. Any ideas?

    • George Spiers

      March 24, 2019

      I would just double check your authentication policy and Login Schema bindings to make sure they are correct. Also, upgrade to at least build 12.1.51.16, and make sure you have run the command “bind vpn global -userDataEncryptionKey yourcertname” without the quotation marks. You can also enable syslog debugging on ADC and check those for any hints.

  • Leanid

    March 27, 2019

    I am trying to make it work for Citrix XenApp. I have a working Gateway configuration for the XenApp Virtual Server. I have upgraded NetScaler to 12.1.51.16.nc.
    When I remove basic authentication and add the Authentication profile, all requests to my sites get redirected to this URL: https://mysite.com/logon/LogonPoint/tmindex.html (before I had https://mysite.com/vpn/index.html).
    Even if I type https://mysite.com/register it gets redirected to the above URL /logon/LogonPoint/tmindex.html. And entering user credentials just shows the error: “No Active policy during authentication”.
    What am I missing?

    • George Spiers

      April 2, 2019

      No active policy normally means you either have no authentication policy bound to your AAA vServer, or the expression used is incorrect and is not evaluating to true.

  • Sunny

    March 29, 2019

    Great Articles, thanks very much, George!
    Need some clarifications:
    Does “external users” refer to domain users accessing StoreFront published app over the Internet via NetScaler Gateway?

    If yes,
    Do we need to setup both SSPR for NetScaler and SSPR for VirtualApp to allow “external users” to reset password over the Internet?

    If no,
    Which SSPR should we setup to enable this function for these users? SSPR for NetScaler or SSPR for VirtualApp?

    • George Spiers

      April 2, 2019

      SSPR for NetScaler is what you need for remote users. It is also possible for internal users to route to the same Gateway and use the same SSPR, but some organisations place the Gateway in DMZ and do not allow such internal routing, in which case SSPR for Virtual Apps and Desktops is required.

      • Anonymous

        April 2, 2019

        Thanks so much, George!
        Our NetScaler Gateway is located in the DMZ. Thus, we will give SSPR for Virtual Apps and Desktops a go. Really appreciate your comment!

  • Leanid

    April 8, 2019

    I have managed to implement nFactor. I used Stan Demburg’s (https://www.irangers.com/netscaler-native-otp-limit-enrollment-one-device) approach. Modified it a bit to add OTP to /manageOTP (for users with registered devices). I used your article to add KBA password reset (I also protected it with OTP). nFactor works fine. It did get a bit complicated.
    At my login page I have 3 extra links: /manageotp, /register and “Forgot password”.
    But the main problem is the NSC_TASS cookie.
    I actually have 2 problems with it.
    Problem 1) When a user logs in to the main site (StoreFront) and logs off, they are presented with a Logon button. When the user clicks on it, the NSC_TASS cookie gets set to NSC_TASS=/Citrix/MyStoreFront/login.aspx.
    Now if I click any of my links, /manageotp or /register, they are not working, since NSC_TASS is not getting reset to /manageotp or /register. A browser restart is needed.

    Problem 2) When the user restarts the browser, they can get into /manageotp or /register. The cookie gets set to NSC_TASS=/register. But if the user decides to abandon this registration, they get stuck. No Cancel button, no NSC_TASS cookie reset. The only way out is to restart the browser. This is a bad user experience and probably a support call.

    I am probably looking for 2 solutions. I hope someone has implemented it already.
    1) Modify the /register, /manageotp and, if possible, “Forgot Password” links to make sure NSC_TASS is properly set or the old one cleared. I guess some custom JavaScript is needed for it.
    2) Provide a “Cancel” button on each nFactor Login Schema that can reset the cookie, similar to what the “Log off” button does on the /manageotp page.

    Or any other solutions to clear NSC_TASS so users don’t get stuck in nFactor and have to restart the browser. I have a feeling that if I go live with the current cookie issue our support will go crazy trying to tell clients to restart browsers.

    • Leanid

      April 15, 2019

      I have resolved my NSC_TASS cookie issue with multiple solutions.
      1) Added a global responder policy to reset the NSC_TSCC cookie when the referrer is StoreFront. This allows me to go back to /manageotp or /register after the user logs off from StoreFront.
      2) Added a Cancel button to all nFactor auth forms. This was a bit difficult. Had to make a custom button with JavaScript. In short, I had to add an element of input type=submit with action /nf/auth/doLogoff.do to cancel the default submit form action.
      And added the cookie NSC_TASS_CLEAR=yes when this button is clicked.
      3) Then at the NetScaler global responder policy I capture this NSC_TASS_CLEAR cookie and reset NSC_TASS. I had to do this because the original NSC_TASS cookie has the HttpOnly flag and is not available for JavaScript manipulation.
      4) Added some CSS to make the Cancel button look flat.

  • Morten Kallesøe

    May 14, 2019

    I think there is an inconsistency with the attribute field you have configured (userParameters) and the one in your no_authn policy (kba_registered).

    I’ve not double-checked it, but from the looks of it, it won’t work, unless magic is going on.

    • George Spiers

      May 16, 2019

      No, that is normal. kba_registered is simply an AAA attribute.

      • Morten

        May 17, 2019

        And this KEY/VALUE (AAA.USER.ATTRIBUTE(“kba_registered”)) gets a value based on the information retrieved by the LDAP Action? It makes sense, but for the visible eye it’s hard to see.

        • George Spiers

          May 17, 2019

          kba_registered is an internal attribute (in ADC) that the ADC uses to check if a user is registered or not.

  • Z Sheikh

    May 16, 2019

    Great Article, thanks very much, George!

    Do you know if it’s possible to have SSPR work without an alternate email or to restrict the alternate email to a specific domain?

    • Anonymous

      May 16, 2019

      Hey Z.
      You don’t need to use alternate email, and I would believe that restricting the domain is possible.

      • Zishan Sheikh

        May 16, 2019

        If alternate email is not used is the option to change password simply provided after answering the questions correctly?

        • George Spiers

          May 16, 2019

          Yes correct.

  • Tiago

    May 20, 2019

    George, is it also possible to unlock account like we can do via Self-Service Password Reset (on-prem with Storefront)?

    • George Spiers

      May 27, 2019

      No, this is strictly only for password resets.

  • Duncan

    June 11, 2019

    Hi George, great article. Just a question on top of Zishan’s question: do you still set it up the same way if you weren’t using the alternate email option?

    Reply
    • George Spiers

      June 16, 2019

      Yes, just leaving out the email verification/registration parts.

      Reply
      • Duncan Brown

        June 19, 2019

        Hi George,
        I tried that but it now just goes straight through to resetting the password without answering security questions, which is a bit of a worry. What am I missing!!!

        thanks

        Reply
        • George Spiers

          June 20, 2019

          Create a new Login Schema but leave “Register Alternate Email” unchecked. Register a new user and make sure it doesn’t ask you for an Alternate Email Id. Once registration is complete, verify the userParameters AD attribute is populated. Don’t bind an EMAIL action/policy to the AAA vServer. Do not create the SSPR-Reset-Email Policy Label.

          Reply
  • Anonymous

    June 20, 2019

    Hi George,

    OK, so can I just clarify: if I don't do the Email policy label, then what do I do with the third policy label (SSPR-Reset-KBA) when the next factor is SSPR-Reset-Email? Do I simply not add that policy either?
    Also, I am noticing on the NetScaler VM itself it is registering "bind_vipconfig: got bind for SSPR-PWReset-LoginSchema" but didn't find it in the global list.

    Appreciate your help with this George, thanks.

    Reply
    • George Spiers

      June 21, 2019

      Hi – Add SSPR-Reset-KBA Policy Label but don’t select a Next Factor, just bind the “SSPR-Reset-AuthOff” policy to it.

      Reply
  • Duncan Brown

    June 24, 2019

    Hi George

    I tried that as well and it still does the same thing, just goes straight through to inputting the new password without answering questions from KBA. I did notice in the Citrix official information, as below, it says you must provide an alternate email. Does that mean you need to use the alternate email? Have you ever set it up without the alternate email?

    thanks – Duncan

    New user self-registration. You can self-register as a new user.
    Configure knowledge-based questions. As an administrator, you can configure a set of questions for users.
    Alternate email ID registration. You must provide an alternate email ID while registration. The OTP is sent to the alternate email ID because the user has forgotten the primary email ID password.

    Reply
  • Duncan Brown

    June 24, 2019

    Hi George

    Unfortunately it still does the same thing: it goes straight through to change password and bypasses answering the Security Questions. Are you sure you can do it without an alternative email, as the Citrix documentation states:

    Alternate email ID registration. You must provide an alternate email ID while registration. The OTP is sent to the alternate email ID because the user has forgotten the primary email ID password.

    and

    The Citrix ADC knowledge-based question and answer, and email OTP uses AD attribute to store users data. You must configure an AD attribute to store the questions and answers along with the alternate email ID.

    thanks

    Duncan

    Reply
    • George Spiers

      June 25, 2019

      I’ve not set it up without email registration but it should work. I’ll try it and post the config.

      Reply
  • Anonymous

    June 26, 2019

    Hi George

    Did you have any luck?

    thanks

    Duncan

    Reply
    • George Spiers

      June 27, 2019

      Sorry, have not had a chance yet – should get something to you by Monday.

      Reply
    • George Spiers

      June 30, 2019

      OK – so you need to:
      1. Create a new "KBA Registration" Login Schema with "Register Alternate Email" unchecked.
      2. Edit the existing "SSPR-Registration-Schema" Login Schema Profile and choose the new Authentication Schema you just created.
      3. Edit the "SSPR-Reset-KBA" Policy Label and unbind the existing policy from it.
      4. Bind "SSPR-Reset-AuthOff" to the SSPR-Reset-KBA Policy Label. Set Next Factor to "SSPR-Reset-PWReset".

      That is a confirmed working configuration. If it is still not working for you, something in your configuration is incorrect and I suggest using a test VPX, issuing all the CLI commands at the bottom of this article so that you have a working configuration, and then performing the steps above.

      Reply
      • Duncan Brown

        July 2, 2019

        Hi George

        I am afraid to say it still doesn't work and I have followed your instructions to the T. Would it be cheeky to ask you to create a CLI command list specifically for the no-email registration from the working config you have, to see if we can replicate it that way?

        Appreciate your assistance with this.

        thanks

        Duncan

        Reply
        • George Spiers

          July 3, 2019

          Yep – I’ll get the CLI config posted later today.

          Reply
    • Anthony

      December 14, 2020

      Hi George,
      I'm having an issue registering on KBA; it's saying "cannot complete request". Do you have any input on this error?

      Reply
  • Moshe Ben Dahan

    June 30, 2019

    Hi George,
    First, a great guide, I'm really appreciating it.
    The configuration is only the KBA reset with no email.
    I've observed the following log:
    Null password check failed in ldap authentication: 1
    while clicking on "forgot password", entering only the username and submitting.
    Do I miss something?

    Thanks
    Moshe

    Reply
    • George Spiers

      July 3, 2019

      Hello. When you enter the username and click submit, what error message do you get? You are not receiving the KBA questions?

      Reply
  • fawzy

    July 1, 2019

    Also with KBA reset and no email, I got this error after changing the password: "Password change failed. Make sure you supply correct existing password and try again."

    Reply
    • George Spiers

      July 3, 2019

      I’ll get the CLI commands posted for config without email so you can replicate it in your lab.

      Reply
      • Duncan Brown

        July 14, 2019

        Hi George

        Would just like to say thank you very much for your help on this. It is now working as expected. Much appreciated, thanks.

        Duncan

        Reply
        • George Spiers

          July 14, 2019

          Cool. Glad to hear it.

          Reply
  • Trevor

    July 12, 2019

    Thanks again for another great article. I have an opinion question. I just demo'd SSPR to a customer who has on average 2400 password reset support calls, so they liked what I presented. However, the security guy stated "no corporation out there puts a link on the external site to reset passwords". Keep in mind they already use ADC with 2FA. It was an interesting comment, so I pose this question to you: "in your experience what companies have put this into play, large enterprise, small business, financial institutions?" Curious.

    Reply
    • George Spiers

      July 14, 2019

      Can’t comment on what companies have deployed this feature. However, I can reset my password from Azure AD and the Office 365 portal which is externally accessible. The ADC reset password portal can be easily protected by 2FA, and the security questions + email verification are additional factors.

      Reply
  • William

    July 24, 2019

    Is there no way you can get this to lock or limit the number of attempts at guessing the security questions?

    Implemented in this way with no incorrect usage limits, it is against OWASP guidelines (OTG-AUTHN-008) and cannot be implemented if it shares a DMZ with any PCI environment.

    This seems like a huge oversight on Citrix’s part.

    Reply
  • Sunny

    July 24, 2019

    FYI.
    ADC SSPR’s Alternate email option does not work with ADC 12.1 build 52.15 with Enterprise license. Platinum license is currently required. We ran into this problem in our test.

    Citrix Support/Product’s response is this should be corrected in ADC 12.1 build 52.16 in the future to work with Enterprise license. No ETA though.

    Reply
    • George Spiers

      July 26, 2019

      Thanks for the information.

      Reply
  • Philipp Zenz

    August 13, 2019

    Hi guys,

    Is it possible to only use the alternate email without the questions?

    I couldn't create a Login Schema without questions.

    Kind regards,
    Philipp

    Reply
    • George Spiers

      August 19, 2019

      No, not yet. Citrix are working on providing this capability.

      Reply
  • Lim

    August 20, 2019

    Hi George,

    Great article. Really appreciate your guidance on configuring SSPR.
    Actually, I am currently testing configuring SSPR on a separate Auth vServer, meaning I have an IP that goes to an AAA vServer only for the purpose of doing SSPR.
    I can see your steps involve running SSPR on the Citrix Gateway; however, is it possible to enable SSPR on an AAA vServer?

    Regards,
    Lim

    Reply
    • George Spiers

      August 26, 2019

      Yes, AAA is the virtual server that handles SSPR; your LB virtual servers can use it, or Gateway.

      Reply
  • Pinkesh Patel

    November 1, 2019

    Hey George, this might resolve some authentication issues we are having. However, I want to present our scenario.

    – A user outside of the network needs to change their initial password because it is their very first time logging into the domain. This requires the user to change their temporary password. If this is the case, then what happens after they enter their initial temporary password? Will they be prompted to change their password first and then go to the KBA registration? Or will they enter their temp password, then directly go into KBA registration, then the screen to set their password?

    —-
    We have an issue where the user logs in with a temp password, they change the password on first login to StoreFront, but then the DDC authenticates to a secondary domain controller that hasn't seen the replication of the password change from the first domain controller. I was hoping the authentication from StoreFront and then the DDC would go to the same domain controller, but it seems like it's just picking a random DC.

    Thanks!!

    Reply
    • George Spiers

      November 17, 2019

      I haven’t tested that scenario to be honest. It will either allow the user to change their password first, or else ask the user to register with SSPR first. Otherwise, you could disable SSPR registration enforcement.
      How have you configured Password Validation?

      Reply
      • Anonymous

        November 18, 2019

        I've been looking into the XML-based password validation but I can't find out how the XML database is populated with the usernames and passwords. It really depends on how often and how quickly AD replicates to the XML service. That's if our AD replicates to the XML service at all. If it's instant then it might work for us.

        Reply
  • Leanid

    August 4, 2020

    George,
    As usual, excellent write-up. I used your multiple recipes to implement MFA and KBA. After a few weeks I think I got it where I want it.

    I think I also managed to implement KBA securely enough for external password reset. I did a couple of changes to your flow.
    My KBA implementation:

    KBA subscription (on a different AAA site with a Cancel button to redirect to the main site). If the user is registered for OTP it is protected by OTP as well.

    Password Reset:
    1) Click "Forgot Password"
    2) Ask for the user name and solve "Google Captcha" as per your article: https://jgspiers.com/citrix-adc-nfactor-authentication-google-recaptcha-first-ldap-second-factor/
    3) Ask for Email OTP. I had to move it around, since NetScaler KBA does not limit how many times you can try to answer KBA. I felt it is more secure to get the email OTP before showing the KBA factor
    4) Ask KBA
    5) Go to password reset

    Also, for OTP registration for the main portal I have configured a separate AAA and set it up for the /manageotp cookie, with a Cancel button to go to the main site. If the user is already enrolled in OTP it will ask for the OTP factor before going to /manageotp to add/remove devices.

    Had to do a couple of changes here and there. For example, with the new NetScaler 13.X you don't need a custom script for Google Captcha anymore. It is already implemented and it takes the secret from configuration settings.

    To add a Cancel button I used a custom function (works to go from the secondary AAA site to the main Gateway site, or to cancel OTP on the main site as well; does not reset the cookie):

    CTXS.ExtensionAPI.addCustomCredentialHandler({
        // Name of the custom credential type this handler renders
        getCredentialTypeName: function () { return "nsg_cancel"; },
        getCredentialTypeMarkup: function (requirements) {
            // The element markup (containing the id "nsg_cancel" used by the
            // selector below) was stripped from the original comment
            var div = $("");

            // Once the form is displayed, wire the cancel button up
            $(document).on('ctxsformsauthenticationdisplayform', function (e, data) {
                $('#nsg_cancel').click(function () {
                    // Tear down the current Gateway session, then redirect
                    CTXS.Events.publish(CTXS.Events.gateway.sessionTerminated);
                    window.location.href = "https://mainportal.site.com/"; // change that
                });
            });
            return div;
        }
    });

    Reply
  • Muso

    June 7, 2021

    I want to reset my password. I am now blocke

    Reply
  • Sean

    August 4, 2021

    Hi George,
    I know this post is a couple of years old, but my company is just trying to implement SSPR, and the only thing I'm worried about is 2FA. Can SSPR be configured and still have 2FA active on the same gateway?
    Thank you,
    Sean

    Reply
  • Rafal

    September 6, 2021

    Hello,

    Have you got this kind of error after entering the answers for password reset? I am able to successfully register KBA questions in AD, but it looks like NS has some issues with reading them?

    “KBA Validation: State Context verification failed”

    Regards
    Rafal

    Reply
  • darrin

    July 26, 2022

    Morning all,
    Is there a way to specify 3 questions/prompts?
    We want to force SSPR to use 3 questions, not just 2, to confirm the user.

    Reply
  • franky

    December 5, 2022

    Hi there,
    I followed the steps here to create KBA registration; however, when submitting the answers for registering to userParameters (AD attribute):
    1. It didn't register to the attribute.
    2. The KBA registration, upon submit, gives an error "Cannot complete your request." and loops back to the questions again.
    3. Google Captcha shows "Http/1.1 Internal Server Error 43531" upon submitting.

    Anyone got an idea??

    Reply
  • sharif

    August 18, 2023

    Hi All,

    I have followed the article. Everything works fine except the user is able to reset the same password again. I have changed "Enforce password history" and "Minimum password age" in Active Directory, but that did not solve the issue.

    Anyone got an idea?

    Reply