Citrix Web Interface Netscaler Gateway Incorrect Credentials. Try Again



Change of Expired LDAP Password on NetScaler During Log On Fails Intermittently

Symptoms or Error

Changing an expired LDAP password at the time of user login via NetScaler Gateway (due to password expiry) may fail and show up on the login page as:
"Incorrect credentials. Try again."

or "Cannot connect. Try connecting again." if Enhanced Authentication Feedback is enabled.

At the time of the issue, syslog data in the /var/log/ns.log file contains entries like these:

    ..
    Syslog 232 LOCAL0.ERR:  02/17/2017:14:46:33 GMT ns1 0-PPE-0 : default AAA Message 2266162 0 :  " In receive_ldap_user_bind_event: ldap_bind user failed for user user1"
    Syslog 234 LOCAL0.ERR:  02/17/2017:14:46:33 GMT ns1 0-PPE-0 : default AAA Message 2266163 0 :  "In receive_ldap_user_bind_event: user user1 password needs to be changed"
    Syslog 231 LOCAL0.INFO:  02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA Message 2266165 0 :  "In update_aaa_cntr: Failed policy for user user1 ="
    Syslog 342 LOCAL0.WARNING:  02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 2266166 0 :  User user1 - Client_ip 10.10.33.30 - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Syslog 207 LOCAL0.ERR:  02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA Message 2266167 0 :  "In unicode_ber: Invalid UTF-8 character input"
    Syslog 256 LOCAL0.ERR:  02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA Message 2266168 0 :  "While changing password (ns_ldap_change_password): error unicoding new password for user user1"
    ...

The output of the debug command #cat /tmp/aaad.debug contains the following entries:

    .....
    /usr/home/build/rs_110_69_6_RTM/usr.src/netscaler/aaad/ldap_drv.c[1633]: unicode_ber Invalid UTF-8 character input
    Fri Feb 17 14:46:40 2017
    /usr/home/build/rs_110_69_6_RTM/usr.src/netscaler/aaad/ldap_common.c[1104]: ns_ldap_change_password error unicoding new password
    Fri Feb 17 14:46:40 2017
    /usr/home/build/rs_110_69_6_RTM/usr.src/netscaler/aaad/naaad.c[2587]: send_reject_with_code Rejecting with error code 4004
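A triage sketch for the ns.log signature above, added here as an example and not taken from the Citrix article: it separates logons that failed with the password-change encoding error from ordinary authentication denials. The function name, the verdict strings and the user2 sample line are assumptions made for illustration.

```python
import re

EXPIRED = re.compile(r'receive_ldap_user_bind_event: user (\S+) password needs to be changed')
UTF8_ERR = re.compile(r'unicode_ber: Invalid UTF-8 character input')
CHANGE_FAIL = re.compile(r'ns_ldap_change_password\): error unicoding new password for user ([^\s"]+)')
LOGIN_FAILED = re.compile(r'LOGIN_FAILED \d+ \d+ :\s+User (\S+) - Client_ip')

# Verdict strings are this example's own labels, not appliance output.
KNOWN_ISSUE = "password change failed: new password mis-encoded on the appliance"
DENIED = "authentication denied"

def classify_failures(lines):
    """Map each user with a failed logon in ns.log lines to a verdict."""
    expired, verdicts, utf8_error = set(), {}, False
    for line in lines:
        if m := EXPIRED.search(line):
            expired.add(m.group(1))      # directory asked for a password change
        elif UTF8_ERR.search(line):
            utf8_error = True            # carries no user name; precedes CHANGE_FAIL
        elif m := CHANGE_FAIL.search(line):
            # Signature described above: expiry notice first, then the
            # encoding error while the new password is submitted.
            if m.group(1) in expired and utf8_error:
                verdicts[m.group(1)] = KNOWN_ISSUE
            utf8_error = False
        elif m := LOGIN_FAILED.search(line):
            verdicts.setdefault(m.group(1), DENIED)   # never downgrades KNOWN_ISSUE
    return verdicts

# Constructed sample modelled on the entries quoted above; the user2 line,
# its client IP and its message ID are made up for contrast.
SAMPLE = '''\
02/17/2017:14:46:33 GMT ns1 0-PPE-0 : default AAA Message 2266163 0 :  "In receive_ldap_user_bind_event: user user1 password needs to be changed"
02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 2266166 0 :  User user1 - Client_ip 10.10.33.30 - Failure_reason "External authentication server denied access"
02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA Message 2266167 0 :  "In unicode_ber: Invalid UTF-8 character input"
02/17/2017:14:46:40 GMT ns1 0-PPE-0 : default AAA Message 2266168 0 :  "While changing password (ns_ldap_change_password): error unicoding new password for user user1"
02/17/2017:14:50:02 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 2266201 0 :  User user2 - Client_ip 10.10.33.31 - Failure_reason "External authentication server denied access"
'''.splitlines()

if __name__ == "__main__":
    for user, verdict in classify_failures(SAMPLE).items():
        print(f"{user}: {verdict}")
```

Users reported as an encoding failure match the known issue rather than a mistyped password, which helps the help desk avoid needless account resets.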


This is a known issue, investigated and tracked as Issue ID#0672846.

There is no workaround to mitigate this. The end user may need to choose another password.

The root cause has been found and a fix is targeted for the following NetScaler releases:

  • 11.1-55.x MR - Available on the Citrix download page here.

This article will be further updated with changes to the above release dates, if any.

Problem Cause

The issue was found in one of the functions used to store / duplicate password strings in a structure used by the authentication module.
When using that function and later encrypting the given password, the resultant encrypted string sometimes contained a pattern that caused some bytes of the password not to be copied, and resulted in an incorrect string being passed into the internal LDAP password change function.

Additional Resources

This issue may occur:

  • after the reboot of the NetScaler appliance (reboot may not be applicable as a workaround),
  • regardless of whether the new password contains symbols/special characters or not,
  • regardless of whether the Default or a Custom UI Theme is being used.

