Situation: We upgraded our Citrix Netscalers to 10.5 and quickly realised that password changing was broken. On top of this, end users were simply getting the ambiguous ‘Incorrect user name or password’ message during a change (the password change screen would come up and let them enter their new password, but then simply quit out with ‘Incorrect user name or password’). The same message appeared when authenticating a user who was NOT a member of the allowed ‘Netscaler’ AD group.
Solution Password Change:
The screens vary between 10.1 and 10.5, but I have provided screenshots of both just in case.
On 10.5 the ‘Allow password change’ option has seemingly ‘disappeared’.
Yet in the netscaler 10.1 world the option is ever present.
The solution for 10.5, it turns out, is simply to enable SSL on the LDAP server: Active Directory will not accept a password change over a plaintext LDAP connection, so the option only appears once the connection is secured.
Solution Password Feedback:
Not only could we not change passwords (above); when we attempted to change a password that didn't meet the complexity requirements, or when a user who wasn't a member of the AD authentication group attempted to access the Netscaler, they simply got ‘Incorrect user name or password’.
On 10.5 the fix is simply to globally enable the AAA parameter ‘Enable enhanced authentication feedback’.
This finally means that when we change our password via the Netscaler to one that is not complex enough, or log in without being a member of the authentication policy group, we get the following correct responses from the Netscaler.
We also wanted to set a simple timeout and maximum number of authentication attempts on the netscaler, so that a user is locked out at the gateway before their Active Directory account is locked (given that LDAP auth was the primary authentication method, this also means a brute-force style password attempt is stopped at the netscaler and never reaches the internal LDAP servers).
Configure it like so on your Netscaler Gateway Virtual Server; obviously set these values lower than the AD lockout settings:
Failed Login Timeout (in minutes)
Max Login Attempts
Error message the end user will receive in their web browser after reaching the max login attempt limit
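The three GUI changes above (SSL on the LDAP action for password change, the global enhanced authentication feedback parameter, and the lockout values on the Gateway virtual server) each have a NetScaler CLI equivalent. The script below is an added example, not from the original post or from Citrix: it prints those commands for pasting into the NetScaler shell, and first checks the rule from the text that the gateway's max attempts must be below the AD lockout threshold. The LDAP action name ldap_corp, the vServer name vs_gateway_ext and the AD policy values are placeholders; verify the parameter names against the CLI reference for your own release.

```shell
#!/bin/sh
# Added example: emits the NetScaler CLI equivalents of the three GUI fixes in
# this post. Run it on an admin workstation and paste the output into the
# NetScaler shell; nothing here talks to a NetScaler directly.
#
# Placeholders (not from the post): LDAP action "ldap_corp", Gateway virtual
# server "vs_gateway_ext", and the AD lockout policy values passed in.

# ns_auth_config LDAP_ACTION VSERVER MAX_ATTEMPTS TIMEOUT_MIN AD_THRESHOLD AD_WINDOW_MIN
#   Prints the config commands and returns 0, or prints a reason to stderr and
#   returns 1 when the gateway lockout would not trip before the AD lockout.
ns_auth_config() {
    ldap_action=$1    # name of the existing LDAP authentication action
    vserver=$2        # name of the NetScaler Gateway virtual server
    max_attempts=$3   # "Max Login Attempts" on the vServer
    timeout_min=$4    # "Failed Login Timeout" on the vServer, in minutes
    ad_threshold=$5   # AD "Account lockout threshold" (0 means AD never locks)
    ad_window_min=$6  # AD "Reset account lockout counter after", in minutes

    if [ "$max_attempts" -lt 1 ] || [ "$timeout_min" -lt 1 ]; then
        echo "refusing: attempts and timeout must both be at least 1" >&2
        return 1
    fi
    # The rule from the post: the NetScaler must give up on the user before AD
    # does, so guessing is stopped at the gateway and the AD account stays unlocked.
    if [ "$ad_threshold" -gt 0 ] && [ "$max_attempts" -ge "$ad_threshold" ]; then
        echo "refusing: maxLoginAttempts ($max_attempts) must be below the AD lockout threshold ($ad_threshold)" >&2
        return 1
    fi
    # Flagged but not enforced: if the gateway timeout is shorter than AD's
    # observation window, repeated bursts can still accumulate failures in AD.
    if [ "$timeout_min" -lt "$ad_window_min" ]; then
        echo "warning: failedLoginTimeout ($timeout_min min) is shorter than the AD reset window ($ad_window_min min)" >&2
    fi

    # Fix 1: password change needs a secure LDAP channel (SSL on port 636).
    # Fix 2: report the real reason (complexity failure, not in the allowed group)
    #        instead of a blanket 'Incorrect user name or password'.
    # Fix 3: lock out at the gateway before the AD threshold is reached.
    printf '%s\n' \
        "set authentication ldapAction $ldap_action -secType SSL -serverPort 636 -passwdChange ENABLED" \
        "set aaa parameter -enableEnhancedAuthFeedback ENABLED" \
        "set vpn vserver $vserver -maxLoginAttempts $max_attempts -failedLoginTimeout $timeout_min" \
        "save ns config"
}

# Example run with constructed values: 3 attempts / 30 min at the gateway against
# an AD policy of 5 attempts / 30 min. Prints the four commands above.
ns_auth_config ldap_corp vs_gateway_ext 3 30 5 30
```

The script only generates commands; review the output and apply it in a maintenance window, then confirm with `show vpn vserver vs_gateway_ext` and `show aaa parameter` that the values took effect.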