How to Enable the Change Password Option For NetScaler Gateway Users

Changing a NetScaler Gateway user’s password can be either forced or user initiated. To force a change, use the procedure for changing the password of an AAA-TM user, as described in the article at CTX201133 – How to Change Password for LDAP Authentication for NetScaler Gateway and AAA-TM Users.

If you enable user-initiated password change, the Change Password option appears in the top-right corner of the portal page after a user logs on.

Use case

NetScaler Gateway users would like the option to change their own passwords, without depending on an administrator.

Prerequisites

Before giving users the option to change their passwords, make sure that:

  • The basic Active Directory authentication is configured. See CTX108876 – How to Configure LDAP Authentication on a NetScaler Appliance.

  • Access to LDAP and Active Directory uses SSL (port 636).

  • A NetScaler Gateway virtual server is configured and bound to the LDAP policy.

  • You understand the Active Directory and LDAP protocols.


Instructions

NetScaler GUI

To enable the change password option for NetScaler Gateway users by using the NetScaler GUI:

  1. From the NetScaler Configuration tab, navigate to NetScaler Gateway > Virtual Servers and select the VPN virtual server for which to set the Change Password option.

  2. In the Basic Authentication section, click LDAP Policy.

  3. Select the LDAP policy that you want to edit, and from the Select Action list, select Edit Server.

  4. Scroll down to Other Settings and select the Allow Password Change check box.

  5. Log on to the NetScaler Gateway portal through the virtual server you configured, and verify that the Change Password option appears at the top right of the screen.

NetScaler CLI

To enable the change password option for NetScaler Gateway users by using the NetScaler CLI:

  1. Open an SSH client and log on to the NetScaler appliance:
    ssh nsroot@<NetScaler IP>
  2. At the NetScaler prompt, enter the following command:
    set authentication ldapaction <LdapServerName> passwdChange ENABLED
    For more information on this command, refer to the Citrix Documentation.
  3. Enter the following command and verify that passwdChange shows as ENABLED:
    show authentication ldapaction <LdapServerName>



Additional Resources

Troubleshooting

  1. When a user whose password has expired tries to log on, NetScaler Gateway presents a prompt for changing the password. This prompt is served from the path https://FQDN/cgi/login.

  2. In the aaad.debug output you might notice a message, logged in one of several formats, that contains the code 773. This is the code by which LDAP (Active Directory) indicates that the password must be changed. The following are two examples of how these messages might appear:
    Example 1: ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v2580>>
    Example 2: receive_ldap_user_search_event expired AD password detected delaying update until user bind sends dos code 0x773
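To make the second check mechanical, here is an added Python parser (not part of the Citrix article or of the NetScaler product) that scans aaad.debug lines for both message shapes quoted above and reports the Active Directory bind data code. It goes beyond the article by also decoding the sibling codes (52e, 532, 775 and so on), which are taken from general AD knowledge rather than from this page; the sample lines it runs on are constructed from the two examples above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "data" codes returned inside AD's AcceptSecurityContext error string.
# 773 is the one the article discusses; the others are the well-known
# sibling codes (assumed from general AD knowledge, not from the article).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

# Form 1: the raw LDAP error string, e.g. "... data 773, v2580"
_LDAP_ERR_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+),")
# Form 2: NetScaler's own summary line, e.g. "... sends dos code 0x773"
_DOS_CODE_RE = re.compile(r"dos code 0x([0-9a-f]+)\b")

@dataclass
class LdapBindEvent:
    line: str
    code: str
    meaning: str

def parse_aaad_line(line: str) -> Optional[LdapBindEvent]:
    """Return the AD bind data code found in one aaad.debug line, or None."""
    m = _LDAP_ERR_RE.search(line) or _DOS_CODE_RE.search(line)
    if not m:
        return None
    code = m.group(1).lower()
    return LdapBindEvent(line, code, AD_BIND_DATA_CODES.get(code, "unknown AD bind data code"))

def password_change_required(lines) -> bool:
    """True if any line of an aaad.debug capture carries code 773."""
    return any(ev.code == "773" for ev in map(parse_aaad_line, lines) if ev)

# Constructed sample: the two message shapes quoted in the article, an
# unrelated line, and a constructed invalid-credentials bind failure.
SAMPLE_AAAD_DEBUG = [
    "ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v2580>>",
    "receive_ldap_user_search_event expired AD password detected delaying update until user bind sends dos code 0x773",
    "(constructed) unrelated debug line with no bind error",
    "ns_show_ldap_err_string LDAP error string: <<80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580>>",
]

if __name__ == "__main__":
    for ev in filter(None, map(parse_aaad_line, SAMPLE_AAAD_DEBUG)):
        print(f"{ev.code}: {ev.meaning}")
    print("password change required:", password_change_required(SAMPLE_AAAD_DEBUG))
```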