Self-Service Password Reset (SSPR) – Citrix ADC

Last Modified: Dec 28, 2020 @ 5:49 am

Navigation

SSPR Flow

The SSPR feature in Citrix ADC is completely unrelated to the SSPR in Citrix StoreFront. They are separate registrations.

  • ADC SSPR registration is stored in an Active Directory user attribute.

SSPR is available in Citrix ADC 12.1 build 51.16 and higher.

SSPR requires nFactor, which is only available in Citrix ADC Advanced Edition and Premium Edition. You can use nFactor with Citrix Gateway.

The first factor is a Login Schema that has an optional Forgot Password link. The Login Schema file named SingleAuthPasswordResetRem.xml has this link. There are other built-in Login Schemas for Username Only and Dual Auth that also have the link.

If the user logs in normally, then ADC checks if the user has been enrolled in SSPR or not. If not enrolled, then the user is prompted to select questions and provide answers. This is a custom Login Schema that you can create from the ADC GUI as described later.

If the user clicks the Forgot Password link, then the user is prompted to answer two of the previously enrolled questions.

  • Optionally, the user might be prompted to retrieve a One-time password (OTP) sent to an Alternate Email address. The user might not have access to corporate email, so the OTP should be sent to the user’s personal email address. The user enters the alternate email address during SSPR registration.

  • Finally, the user is prompted to enter a new password.

Here’s what a sample SSPR nFactor configuration looks like:

# ** nFactor Visualizer 
# ** ------------------ 
# ** AAA vserver: AAA-SSPR
# **    Login Schema Policy = lschema_password_reset
# **       Priority = 20
# **       Rule = true
# **       Login Schema XML = "/nsconfig/loginschema/LoginSchema/SingleAuthPasswordResetRem.xml"
# **    Adv Authn Policy = LDAP_Password_Reset
# **       Priority = 10
# **       Rule = "aaa.LOGIN.VALUE(\"passwdreset\").EQ(\"1\")"
# **       Action = ldapAction named LDAP-Corp_NoAuth
# **       Goto if failed = NEXT
# **       Next Factor if Success = kba_validation
# **          Login Schema Profile = LSCHEMA_INT
# **          Adv Authn Policy = kba_validation
# **             Priority = 10
# **             Rule = true
# **             Action = ldapAction named LDAP-Corp_NoAuth
# **             Goto if failed = NEXT
# **             Next Factor if Success = email_validation
# **                Login Schema Profile = LSCHEMA_INT
# **                Adv Authn Policy = email_validation
# **                   Priority = 10
# **                   Rule = true
# **                   Action = emailAction named EmailOTP
# **                   Goto if failed = NEXT
# **                   Next Factor if Success = password_reset
# **                      Login Schema Profile = LSCHEMA_INT
# **                      Adv Authn Policy = LDAP-Corp-Adv_NoAuth
# **                         Priority = 100
# **                         Rule = true
# **                         Action = ldapAction named LDAP-Corp_NoAuth
# **                         Goto if failed = NEXT
# **    Adv Authn Policy = LDAP-Corp-Adv
# **       Priority = 20
# **       Rule = true
# **       Action = ldapAction named LDAP-Corp
# **       Goto if failed = NEXT
# **       Next Factor if Success = check_for_sspr_registration
# **          Login Schema Profile = LSCHEMA_INT
# **          Adv Authn Policy = switch_to_kba_register
# **             Priority = 1
# **             Rule = "AAA.USER.ATTRIBUTE(\"kba_registered\").EQ(\"0\")"
# **             Action = NO_AUTHN
# **             Goto if failed = NEXT
# **             Next Factor if Success = kba_registration
# **                Login Schema Profile = lschema_KBARegistration
# **                Adv Authn Policy = first_time_login_forced_kba_registration
# **                   Priority = 1
# **                   Rule = true
# **                   Action = ldapAction named LDAP-Corp
# **                   Goto if failed = NEXT
# **          Adv Authn Policy = NoAuth
# **             Priority = 100
# **             Rule = true
# **             Action = NO_AUTHN
# **             Goto if failed = END

Active Directory User Attribute

Citrix ADC SSPR stores its configuration in an Active Directory User attribute.

The attribute must be dedicated to SSPR. You can’t use the same attribute that you might already be using for Citrix ADC One-time passwords (OTP).

  • In Active Directory Users and Computers, enable Advanced Features mode (from the View menu), double-click a user, switch to the Attribute Editor tab, and find a String attribute that is not being used. When you double-click an attribute, look for String in the window title.
  • Open the Active Directory Schema console. Under Attributes, find your candidate attribute and double-click it. Make sure the Maximum length is high (e.g. 32767). The extensionAttributes default to 1024 or 2048, which is not long enough.
  • You might want to uncheck the bottom boxes (e.g. Attribute is copied when duplicating a user) since each user has their own SSPR configuration.
  • ADC needs permissions to set this Attribute and reset user passwords. You can use the Delegate Control wizard to grant these permissions.

    1. Consider creating a group for SSPR Admins and delegating permissions to that group. You can add your LDAP Bind Account and your Service Desk accounts to this group.
    2. In the Tasks to Delegate page, change it to Create a custom task to delegate and click Next.
    3. In the Active Directory Object Type page, change the selection to Only the following objects in this folder and select User objects. Click Next.
    4. In the Permissions page, on the top of the page, check the box for Property-specific.
    5. In the Permissions list, check the box next to Reset password. Scroll down.
    6. Find the attribute you are using for SSPR and check the Read and Write boxes. Click Next.

Help Desk will need to be trained to reset a user’s SSPR registration by double-clicking the attribute and clicking the Clear button. The next time the user logs in, the user will be prompted to enroll for SSPR again.

ADC uses a certificate to encrypt the contents of the Attribute. It currently is not possible to configure the certificate from the GUI, so you’ll need to SSH to the ADC and run the following command. The certificate should already be installed on the ADC.

bind vpn global -userDataEncryptionKey MyCertificate

The ADC SSPR configuration needs two LDAP Policy/Servers: one with authentication enabled, and one without authentication. In both LDAP Servers, in the Other Settings section, enter the Attribute name into the Alternate Email field and in the KB Attribute field. The same attribute can be used for both. However, you cannot use the same attribute for the OTP Secret field.

SSPR KBA Registration Login Schema

When creating the KBA Registration Login Schema you will be prompted to choose from a list of questions. This list is configured in the file KBQuestions.json located in /nsconfig/loginschema/LoginSchema.

  1. In ADC GUI, on the left, expand Security, expand AAA – Application Traffic, and click Login Schema.
  2. On the right, switch to the Profiles tab.
  3. On the right, click the button labelled Add KBA Registration Login Schema.
  4. Give the new Schema a name. ADC will create a file with the same name.
  5. Configure at least two questions. Move questions from the left to the right. Note: the XML file that it creates has size limits so don’t choose too many questions.
  6. On the right, you can optionally change the labels for Question Field and Answer Field. If you don’t enter anything, then the labels are Question, and Answer, as shown earlier in this article. Scroll down.
  7. Near the bottom are two More links you can click.
  8. The first More link lets you allow users to enter their own questions.
  9. The second More link lets you enable Register Alternate Email.
  10. Click Create when done.
  11. ADC creates a file in /nsconfig/loginschema/LoginSchema that matches the Schema name you entered earlier.
  12. ADC also adds a Login Schema Profile with the same name you entered earlier.

LDAP Servers

You’ll need two LDAP Servers: one with Authentication enabled, and the other with Authentication unchecked. Other than the Authentication checkbox, they are identical. Configure them like normal LDAP Servers.

The NoAuth server has Authentication unchecked.

Configure both LDAP Servers with the SSPR attribute as detailed earlier.

Email Action and Policy

You can optionally configure an Email action to send the user a OTP before allowing the password reset.

  1. In the ADC GUI, the easy way to find Email Actions is to enter “email” in the top left search box.
  2. On the right, click Add.
  3. Give the Email Action a name.
  4. In the Username box, enter the From email address. The emails will look like they come from this address.
  5. Enter the SMTP password for this From address.
  6. In the Server URL box, enter a smtps URL with port number similar to smtps://mail01.corp.com:587. Gmail’s URL smtps://smtp-relay.gmail.com:587 also works.
  7. In the Content box, enter a string containing $code. ADC replaces $code with the OTP.
  8. In the Type box, enter SMTP.
  9. In the Email Address box, enter aaa.user.attribute("alternate_mail"). This expression pulls the destination email address from Alternate Email attribute you defined in your LDAP Server.
  10. Click Create.
  11. It does not appear to be possible to use the ADC GUI to create an Email Authentication Policy. SSH to your ADC and run something similar to the following command:
    add authentication Policy email_validation -rule true -action EmailOTP

SSPR nFactor Configuration

AAA vServer and Login Schema

The first factor will be a Login Schema that has the Reset Password link. This section creates the following portion of the nFactor configuration:

# ** AAA vserver: AAA-SSPR
# **    Login Schema Policy = lschema_password_reset
# **       Priority = 20
# **       Rule = true
# **       Login Schema XML = "/nsconfig/loginschema/LoginSchema/SingleAuthPasswordResetRem.xml"

Do the following:

  1. Create a AAA vServer.
  2. It can be Non Addressable.
  3. Optionally bind a certificate to the AAA vServer so its status will be Green instead of Red.
  4. On the right, in the Advanced Settings column, click Login Schemas to move it to the left.
  5. On the left, in the Login Schemas section, click where it says No Login Schema.
  6. Next to the Select Policy field, click Add to create a new Login Schema Policy.
  7. Give the Login Schema Policy a name to indicate that this Login Schema includes a link for Self-Service Password Reset.
  8. Next to Profile, click Add to create a new Login Schema Profile.
  9. Give the Login Schema Profile a name.
  10. In the Authentication Schema field, click the edit icon.
  11. In the Login Schema Files section, click the LoginSchema folder.
  12. Highlight one of the PasswordReset files (e.g. SingleAuthPasswordResetRem.xml) and then click the blue Select button on the top right. You can also optionally modify the built-in files.
  13. The Create Authentication Login Schema window collapses and the Authentication Schema field shows the selected file. Click Create when done.
  14. Click Create to finish creating the Authentication Login Schema Policy.
  15. Click Bind to bind the Login Schema Policy to the AAA vServer.

SSPR Registration

Let’s start with the SSPR Registration flow. This section creates the following snippet of the full nFactor configuration:

# ** AAA vserver: AAA-SSPR
# **    Login Schema Policy = lschema_password_reset
# **       Priority = 20
# **       Rule = true
# **       Login Schema XML = "/nsconfig/loginschema/LoginSchema/SingleAuthPasswordResetRem.xml"
# **    Adv Authn Policy = LDAP-Corp-Adv
# **       Priority = 20
# **       Rule = true
# **       Action = ldapAction named LDAP-Corp
# **       Goto if failed = NEXT
# **       Next Factor if Success = check_for_sspr_registration
# **          Login Schema Profile = LSCHEMA_INT
# **          Adv Authn Policy = switch_to_kba_register
# **             Priority = 1
# **             Rule = "AAA.USER.ATTRIBUTE(\"kba_registered\").EQ(\"0\")"
# **             Action = NO_AUTHN
# **             Goto if failed = NEXT
# **             Next Factor if Success = kba_registration
# **                Login Schema Profile = lschema_KBARegistration
# **                Adv Authn Policy = first_time_login_forced_kba_registration
# **                   Priority = 1
# **                   Rule = true
# **                   Action = ldapAction named LDAP-Corp
# **                   Goto if failed = NEXT
# **          Adv Authn Policy = NoAuth
# **             Priority = 100
# **             Rule = true
# **             Action = NO_AUTHN
# **             Goto if failed = END

Do the following:

  1. In the AAA vServer, scroll down to the Advanced Authentication Policies section and click where it says No Authentication Policy.
  2. In the Select Policy field, select your normal LDAP policy. The Login Schema collects username and password and verifies it with the LDAP Policy that you select here.
  3. Change the Priority to 20 or similar. This binding must be a higher number than the Password Reset flow that we configure later.
  4. Next to the Select Next Factor field, click Add to create a Policy Label which will check if the user is registered or not.
  5. Name the Policy Label to indicate that this Policy Label checks if the user is registered or not.
  6. Leave the Login Schema set to LSCHEMA_INT (i.e. no schema), and click Continue.
  7. Next to the Select Policy field, click Add to create an Authentication Policy.
  8. Name this Authentication Policy to indicate that it does nothing more than check if the user is registered or not.
  9. In the Expression field, enter the following expression:
    AAA.USER.ATTRIBUTE("kba_registered").EQ("0")
  10. Click Create.
  11. Back in the Policy Label Policy Binding window, next to the Select Next Factor field, click Add to create another Policy Label.
  12. Name the Policy Label to indicate that this factor performs the SSPR Registration (i.e. Knowledge-Based Authentication registration).
  13. In the Login Schema field, select the KBA Registration Login Schema that you created earlier.
  14. Click Continue.
  15. Next to the Select Policy field, click Add to create an Authentication Policy.
  16. Name the Authentication Policy to indicate that ADC uses this LDAP Server to store the KBA registration information in the Active Directory User attribute.
  17. Change Action Type to LDAP.
  18. Change Action to your normal authenticating LDAP Server that has the KB Attribute defined.
  19. For Expression, enter true.
  20. Click Create.
  21. Back in the Policy Label Policy Binding page, click Bind.
  22. Click Done to finish creating the Policy Label for KBA Registration.
  23. Back in the “Check for SSPR Registration” Policy Label Policy Binding page, click Bind.
  24. To handle users that are already registered, click Add Binding.
  25. Next to the Select Policy field, click Add to create an Authentication Policy.
  26. Name the Policy to indicate that no authentication is occurring. This policy always returns true and is necessary to avoid errors for users that are already registered.
  27. Change Action Type to NO_AUTHN.
  28. In the Expression box, enter true.
  29. Click Create.
  30. Back in the Policy Label Policy Binding screen, click Bind.
  31. Click Done to close the “Check for SSPR Registration” Policy Label.
  32. Click Bind to bind the LDAP Policy and “Check for SSPR Registration” factor to the AAA vServer.

Password Reset

This section creates the following snippet of the full nFactor configuration:

# ** AAA vserver: AAA-SSPR
# **    Login Schema Policy = lschema_password_reset
# **       Priority = 20
# **       Rule = true
# **       Login Schema XML = "/nsconfig/loginschema/LoginSchema/SingleAuthPasswordResetRem.xml"
# **    Adv Authn Policy = LDAP_Password_Reset
# **       Priority = 10
# **       Rule = "aaa.LOGIN.VALUE(\"passwdreset\").EQ(\"1\")"
# **       Action = ldapAction named LDAP-Corp_NoAuth
# **       Goto if failed = NEXT
# **       Next Factor if Success = kba_validation
# **          Login Schema Profile = LSCHEMA_INT
# **          Adv Authn Policy = kba_validation
# **             Priority = 10
# **             Rule = true
# **             Action = ldapAction named LDAP-Corp_NoAuth
# **             Goto if failed = NEXT
# **             Next Factor if Success = email_validation
# **                Login Schema Profile = LSCHEMA_INT
# **                Adv Authn Policy = email_validation
# **                   Priority = 10
# **                   Rule = true
# **                   Action = emailAction named EmailOTP
# **                   Goto if failed = NEXT
# **                   Next Factor if Success = password_reset
# **                      Login Schema Profile = LSCHEMA_INT
# **                      Adv Authn Policy = LDAP-Corp-Adv_NoAuth
# **                         Priority = 100
# **                         Rule = true
# **                         Action = ldapAction named LDAP-Corp_NoAuth
# **                         Goto if failed = NEXT

Do the following to create the Password Reset flow:

  1. In the AAA vServer, in the Advanced Authentication Policies section, click where it says 1 Authentication Policy
  2. Note the Priority number of the existing binding. Our new binding will need a lower priority number so it is evaluated first. Click Add Binding.
  3. Next to the Select Policy field, click Add to create an Authentication Policy.
  4. Name the Authentication Policy to indicate that this policy only applies if the user clicked the Forgot Password link in the Login Schema.
  5. Change Action Type to LDAP.
  6. Change Action to the your LDAP Server that has Authentication unchecked (i.e. not enabled).
  7. In the Expression box, enter the following expression that returns true if the user clicked the link:
    aaa.LOGIN.VALUE("passwdreset").EQ("1")
  8. Click Create.
  9. Back in the Policy Binding page, change the Priority to a number that is lower than the existing Policy Binding.
  10. Next to the Select Next Factor field, click Add to create a Policy Label (i.e. factor)
  11. Name the Policy Label to indicate that this factor will verify the user’s questions and answers.
  12. Leave the Login Schema set to the default LSCHEMA_INT (i.e. no schema) and click Continue.
  13. Next to the Select Policy field, click Add to create an Authentication Policy.
  14. Name the Authentication Policy to indicate that this policy verifies the user’s KBA questions and answers.
  15. Change Action Type to LDAP.
  16. Change Action to your LDAP Server that does not require authentication.
  17. In the Expression box, enter true.
  18. Click Create.
  19. Back in the Policy Label Policy Binding page, if you wish to add email validation, then next to Select Next Factor, click Add to create another Policy Label (factor).
  20. Name the Policy Label to indicate that this factor will perform Email OTP verification.
  21. Leave the Login Schema set to the default LSCHEMA_INT (i.e. no schema) and click Add.
  22. In the Policy Label Policy Binding section, click where it says Click to select.
  23. Click the small circle next to the email policy that you created earlier from the ADC’s command line. It’s not possible to use the GUI to create the email policy.
  24. At the top of the screen, click the blue Select button.
  25. Back in the Policy Label Policy Binding screen, next to the Select Next Factor field, click Add to create another Policy Label (i.e. factor).
  26. Name this Policy Label to indicate that this factor performs the password reset.
  27. Leave the Login Schema set to the default LSCHEMA_INT (i.e. no schema) and click Continue.
  28. In the Policy Label Policy Binding section, next to the Select Policy field, click Add to create an Authentication Policy.
  29. Name the Authentication Policy to indicate that this is your LDAP Policy that has Authentication unchecked (not enabled).
  30. Change Action Type to LDAP.
  31. Change Action to your LDAP Server that has Authentication unchecked.
  32. In the Expression field, enter true.
  33. Click Create.
  34. That’s it for the AAA configuration. Now click Bind and Done several times to return to the AAA vServer.






  35. Click Close to finish the AAA vServer’s Authentication Policy bindings.

Bind to Citrix Gateway

If you are using nFactor configuration with Citrix Gateway, then configure the Authentication Profile like normal.

  1. Go to Citrix Gateway > Virtual Servers and edit a Gateway.
  2. On the right, in the Advanced Settings column, click Authentication Profile to move it to the left.
  3. On the left, in the Authentication Profile section, click Add.
  4. Name the Authentication Profile to indicate that this nFactor Flow does Self-Service Password Reset.
  5. In the Authentication Virtual Server field, click where it says Click to select.
  6. Click the small circle next to the AAA vServer that is configured with your SSPR flow.
  7. At the top of the page, click the blue Select button.
  8. Click Create.
  9. Click OK to select the Authentication Profile.

CLI Commands

Here’s a full sample ADC CLI configuration:

# Certs
# -----
add ssl certKey WildcardCorpCom.cer_CERT_KE_ic1 -cert WildcardCorpCom.cer_ic1 -passcrypt b217e266 -encrypted -encryptmethod ENCMTHD_3

add ssl certKey WildcardCorpCom.cer_CERT_KEY -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt 52e54af -encrypted -encryptmethod ENCMTHD_3 -expiryMonitor DISABLED

add ssl certKey CorpIntermediate -cert CorpIntermediate.cer -inform DER -passcrypt cc9675 -encrypted -encryptmethod ENCMTHD_3 -expiryMonitor DISABLED

# Cert Links
# ----------
link ssl certKey WildcardCorpCom.cer_CERT_KEY CorpIntermediate

link ssl certKey CorpIntermediate WildcardCorpCom.cer_CERT_KE_ic1


# AAA Global Settings
# -------------------
enable ns feature AAA


# LDAP Actions
# ------------
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword 868d22c -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN -KBAttribute extensionAttribute1 -alternateEmailAttr extensionAttribute1

add authentication ldapAction LDAP-Corp_NoAuth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword a4ffb4 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN -KBAttribute extensionAttribute1 -alternateEmailAttr extensionAttribute1


# Email (SSPR) Actions
# --------------------
add authentication emailAction EmailOTP -userName admin@corp.local -password 7868e -encrypted -encryptmethod ENCMTHD_3 -serverURL "smtps://mail01.corp.local:587" -content "Your OTP is $code" -emailAddress "aaa.user.attribute(\"alternate_mail\")"


# Advanced Authentication Policies
# --------------------------------
add authentication Policy LDAP-Corp-Adv -rule true -action LDAP-Corp

add authentication Policy kba_validation -rule true -action LDAP-Corp_NoAuth

add authentication Policy LDAP_Password_Reset -rule "aaa.LOGIN.VALUE(\"passwdreset\").EQ(\"1\")" -action LDAP-Corp_NoAuth

add authentication Policy NoAuth -rule true -action NO_AUTHN

add authentication Policy switch_to_kba_register -rule "AAA.USER.ATTRIBUTE(\"kba_registered\").EQ(\"0\")" -action NO_AUTHN

add authentication Policy email_validation -rule true -action EmailOTP

add authentication Policy first_time_login_forced_kba_registration -rule true -action LDAP-Corp

add authentication Policy EmailOTP -rule true -action EmailOTP

add authentication Policy LDAP-Corp-Adv_NoAuth -rule true -action LDAP-Corp_NoAuth


# Login Schemas
# -------------
add authentication loginSchema lschema_KBARegistration -authenticationSchema "/nsconfig/loginschema/LoginSchema/lschema_KBARegistration.xml"

add authentication loginSchema lschema_password_reset -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthPasswordResetRem.xml"


# Login Schema Policies
# ---------------------
add authentication loginSchemaPolicy lschema_password_reset -rule true -action lschema_password_reset


# Authentication Policy Labels
# ----------------------------
add authentication policylabel kba_registration -loginSchema lschema_KBARegistration

bind authentication policylabel kba_registration -policyName first_time_login_forced_kba_registration -priority 1 -gotoPriorityExpression NEXT

add authentication policylabel check_for_sspr_registration -loginSchema LSCHEMA_INT

bind authentication policylabel check_for_sspr_registration -policyName switch_to_kba_register -priority 1 -gotoPriorityExpression NEXT -nextFactor kba_registration

bind authentication policylabel check_for_sspr_registration -policyName NoAuth -priority 100 -gotoPriorityExpression END

add authentication policylabel password_reset -loginSchema lschema_noschema

bind authentication policylabel password_reset -policyName LDAP-Corp-Adv_NoAuth -priority 100 -gotoPriorityExpression NEXT

add authentication policylabel email_validation -loginSchema lschema_noschema

bind authentication policylabel email_validation -policyName email_validation -priority 10 -gotoPriorityExpression NEXT -nextFactor password_reset

add authentication policylabel kba_validation -loginSchema lschema_noschema

bind authentication policylabel kba_validation -policyName kba_validation -priority 10 -gotoPriorityExpression NEXT -nextFactor email_validation


# Authentication Virtual Servers
# ------------------------------
add authentication vserver AAA-SSPR SSL 0.0.0.0

bind authentication vserver AAA-SSPR -portaltheme RfWebUI

bind authentication vserver AAA-SSPR -policy lschema_password_reset -priority 20 -gotoPriorityExpression END

bind authentication vserver AAA-SSPR -policy LDAP_Password_Reset -priority 10 -nextFactor kba_validation -gotoPriorityExpression NEXT

bind authentication vserver AAA-SSPR -policy LDAP-Corp-Adv -priority 20 -nextFactor check_for_sspr_registration -gotoPriorityExpression NEXT


# Authentication Profiles
# -----------------------
add authentication authnProfile SSPR -authnVsName AAA-SSPR


# NetScaler Gateway Global Bindings
# ---------------------------------
bind vpn global -userDataEncryptionKey WildcardCorpCom.cer_CERT_KEY


# NetScaler Gateway Virtual Servers
# ---------------------------------
add vpn vserver gateway2 SSL 10.2.4.220 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -httpProfileName http2 -deploymentType ICA_STOREFRONT -authnProfile SSPR -vserverFqdn gateway3.corp.com

bind vpn vserver gateway2 -portaltheme RfWebUI

bind vpn vserver gateway2 -policy PL_OS_10.2.4.120 -priority 100

bind vpn vserver gateway2 -policy PL_WB_10.2.4.120 -priority 100


# SSL Virtual Servers
# -------------------
bind ssl vserver gateway2 -certkeyName WildcardCorpCom.cer_CERT_KEY

bind ssl vserver AAA-SSPR -certkeyName WildcardCorpCom.cer_CERT_KEY

33 thoughts on “Self-Service Password Reset (SSPR) – Citrix ADC”

  1. Dear Carl,

    I implemented the above SSPR. KBA Registration working fine, user is able to register with the questions.

    When user clicks for forgot password, it prompts for questions and answer, after answering it giving cannot complete your request.

    on debug logs.

    /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[1057]: is_invalid_aaad_req 0-29: Found valid AAA_REST_AUTHENTICATE/AAA_AUTHENTICATE/AAA_AUTHENTICATE_NEGOTIATE request
    Thu Oct 5 14:02:29 2023
    /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[1386]: process_kernel_socket 0-29: Received encrypted password from PPE
    Thu Oct 5 14:02:29 2023
    /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[7091]: ns_aaad_decrypt_auth_passwd 0-29: ns_aaad_decrypt_auth_passwd performed : status 0
    Thu Oct 5 14:02:29 2023
    /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[1452]: process_kernel_socket 0-29: call to authenticate
    user :test5, vsid :11939, userlen 5
    Thu Oct 5 14:02:29 2023
    /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[1516]: process_kernel_socket 0-29: call to authenticate
    user :test5, vsid :11939, req_flags 400802
    Thu Oct 5 14:02:29 2023
    /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5928]: start_cascade_auth 0-29: starting cascade authentication
    Thu Oct 5 14:02:29 2023
    /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[6135]: cascade_auth 0-29: Delegating email auth to kernel for : test5
    Thu Oct 5 14:02:32 2023

  2. We are seeing that enforce password history is not getting followed in SSPR password reset & user can use same password multiple times.
    This is security issue with lot of clients & Citrix don’t have any solution to it.
    If anyone has any workaround to fix this please let us know.

  3. Hello Carl,
    As always thanks for your work.

    https://discussions.citrix.com/topic/410711-forceexpired-password-change-users-gets-cannot-complete-request/#comment-2071537

    I have a working configuration, where we reset passwords via NetScaler SSPR and this seems to work fine. However on completion we are not directed to the login page and instead get the “Cannot Complete Request” . If we close the browser and launch a new one or incognito page we are presented with login and the new password works.
    On the Delivery Controller there is an Application Event IDs 2100, from Citrix Broker Service. “The Citrix Broker Service failed to validate a user’s credentials on an XML Service. Verify the trust relationships between your domains.”
    (Note: TrustRequestsSentToTheXmlServicePort is set to True)
    I have MFA implemented with Imprivata
    Q1. Where can I check for forcing clearing cookies on the browser in this flow?
    Q2. I see on the link above :
    We found ADC fails to provide passwd=”” value in POST /Citrix/StoreWeb/GatewayAuth/Login request . response with WWW-Authenticate: CitrixAGBasic password_required=”yes”;logout_url=”AGBasic/Logout” header, and therefore we are seeing “Cannot complete your request”
    How would I quickly confirm this or find this logged?

  4. Hello Carl,

    Is that possible to add line break to email action content so that email message would conatin multiple rows?

    Regards,
    Imre

  5. Hi Carl

    Thank you for this guide. It’s amazing. Thanks to this, I could setup a password reset function secured with duo security (instead of sspr) first. After that, users can now change the password. And everything with the standard license.
    AMAZING!

    1. Hey Daniel,
      I have tried doing integrating this procedure to work with Duo, but have not been successful. If you are able to get yours working, would you mind sharing the details on how you made it work.
      Thanks,
      Sean J.

  6. Hi Carl,

    Yo have mentioned that:

    “ADC uses a certificate to encrypt the contents of the Attribute. It currently is not possible to configure the certificate from the GUI, so you’ll need to SSH to the ADC and run the following command. The certificate should already be installed on the ADC.

    bind vpn global -userDataEncryptionKey MyCertificate”

    what will happen when the certificate expires? Should that certificate be replaced when it expires or it can be still being used even if it is expired?

    1. Basically, when that certificate expires, you will continue to authentication, however, the encryption won’t work, therefore, security is affected. However, if you decide to update this cert, please remember to use the same private key. Otherwise, you will have to reenroll every device to the AD again.

  7. Hi Carl, Trying to login and keep getting a “Try again after sometime or contact your help desk” message. Any clues as to what can be causing this?
    Thank you,
    Sean

  8. Hi Carl

    Thank you for all your documentation, you keep the Citrix environment alive.

    I need help around setting up Login Schema DualAuthPasswordResetRem (Native OTP and Self Service password reset)

    I cannot get the the Authentication Policy correct, I have got the working individually just not merged.

    I have contracted Citrix and they keep sending me back to the same two article.
    https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/native-otp-authentication.html
    https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/sspr-support.html

    Thank you

    Ibrahim

  9. Hello Carl:
    First of all thank you very much, for the effort you put creating this amazing site. You are indeed a big help to the entire citrix community.
    i have a question about the cli commands for the Netscaler Gateway Virtual Servers
    I believe there is typo in the PL_OS_10.2.4.120 and PL_WB_10.2.4.120 i think the string should be PL_OS10.2.4.220
    Also if you can explain these two policies PL_OS and PL_WB not sure why they are needed

    # NetScaler Gateway Virtual Servers
    # ———————————
    Add vpn vserver gateway2 SSL 10.2.4.220 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -httpProfileName http2 -deploymentType ICA_STOREFRONT -authnProfile SSPR -vserverFqdn gateway3.corp.com

    bind vpn vserver gateway2 -portaltheme RfWebUI
    bind vpn vserver gateway2 -policy PL_OS_10.2.4.120 -priority 100

    bind vpn vserver gateway2 -policy PL_WB_10.2.4.120 -priority 100

      1. Thank You Carl:
        Do you have the CLI for the two standard Sessions Policies that enable ICA Proxy and StoreFront reverse proxy

        Thanks

  10. Hi Carl,

    I’m trying to find some info on using SSPR with LDAP + RADIUS and haven’t really come across anything concrete. We are trying to implement SSPR and currently authenticate using LDAP as the primary factor and RADIUS as second factor auth. From a configuration standpoint, there is no reason it shouldn’t work but we’ve hit a few snags where SSPR is behaving erratically. Sometimes it funnels all users to the Registration flow and other times it funnels users to the Password Reset Flow, and in some rare case it seems to work just fine. We’ve spoken to Citrix support and have received very disappointing treatment with the case. After a few weeks they just pointed us to the SSPR requirement of LDAP authentication and sent us on our way. Do you have any experience getting SSPR working with LDAP + RADIUS? I’m asking as a sanity check to make sure we’re not wasting our time or if we should take the word of uninterested Citrix support reps and abandon this as a solution.

    Thanks,

  11. Hi Carl,

    Thanks for all your execellent write ups!

    Any idea how I properly integrate SSPR with Native OTP Push Auth? I noticed the citrix web page https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/sspr-support.html and in particular the nFactor Visualizer. Do I just combine these in one flow chart? The problem here is that if OTP is required, which login schema do I use for SSPR 1st time register and so on? Can you maybe shine some lights here? Or do you plan an article on this?

    Best regards,
    Ronald

  12. Good morning Carl

    First and foremost I must say that your website does supply me with a wealth of knowledge and support.

    Out of interest have you ever configured SSPR without the KBA questions?

    Ideally I would like to have users register an email address or we pre-populate the email field in the active directory account details and when the user forgets their password they just enter their username -> OTP gets email to user -> password reset.

    Although I can see the benefit of the questions and answers, I would also like the possibility to do the above.

    Thank you very much in advance.

  13. Hi Carl,

    I have an issue with the sspr portail.
    I configured my LDAP server (auth and no auth) with a simple domain user. the KB attribute and AlternatedEmail that I choosen is “userParameters”.
    In the first time, I delegated to my user some rights to OU users (Read lockoutTime , Write lockoutTime, Reset Password, Change Password, Read userAccountControl, Write userAccountControl, Read pwdLastSet, and Write pwdLastSet, read UserParameters, write UserParameters) ==> the process doesn’t work, when I want to validate my secret answer and my e-mail address I encounter an error 50 : insuffisant rights when I check with the command cat aaad.debug
    So, I delegated to my user full control to my OU > the result is same.

    It works fine with an admin account.

    Do you have any idea ?

    Regards,

  14. Hi Carl.

    I made some tests with OTP via mail as a standard second authentication factor and it seems to work.

    I simply created an AAA VS with a SingleAuth login schema and an LDAP policy (with authentication enabled) as the first factor. In “nextFactor” field, I configured an auth policy label with no schema and the email policy as the authentication policy. I configured the “Email Adress” field of the email action with AAA.USER.ATTRIBUTE(“email”) to use the main email address of the user.

    When the user lands to the login page, he firstly provides his domain credentials (username and password) and then arrives to a second login form with the username field greyed out and the “Enter OTP from Email” field. Meanwhile, he receives the OTP code via email and he can use it to access to his resources (i tried it on a standard Citrix Gateway VS).

    Users don’t need to perform any registration process to be enabled to use this kind of OTP.

    Test done on Citrix ADC 13.0 47.24

    FG

      1. I just tried it right after your question and yes, I’m also able to protect the manageotp website with email OTP.

        I have an old native otp configuration, but referring to your latest guide (https://www.carlstalhood.com/native-one-time-passwords-otp-citrix-gateway-13), it’s like I put the email action between the AuthenticateToManageDevices__OTPManageOrAuthenticate and the OTPDeviceRegistration__OTPManageOrAuthenticate policy labels.

  15. Hello Carl

    Thank you so much for the guide and your previous guide on native OTP configurations.

    I am trying to configure this functionality in two scenarios (and I am running into difficulty in each case):

    1. Single Factor (pretty much as described in this guide):
    The netscaler is unable to send the email with the code and hangs while attempting this action, in the console I see the following error:
    NetScaler [1279]: (0-0) void ThreadWorker_SendMailJob(SMTPJob*): [JobID: 1] SMTP TYPE:2, TimeoutException
    I am using smtps://smtp-relay.gmail.com:587 as the mail server with a set of gmail credentials.
    a) Have you seen this error?
    b) Is it possible to configure and internal exchange server to send this email?

    2. Dual Factor (integrates with the Google Native OTP configuration):
    I am using the DualAuthPasswordResetRem.xml login schema, after clicking the ‘Forgot Password’ link I am presented with another page asking for the username AND the passcode (I assume the Google OTP code is what it’s asking for) … no matter what I enter on this page I am returned to the initial dual factor logon page …

    Any help/advice on either of these issues would be very much appreciated.

    Thanks

    Andrew

  16. Hi Carl,

    Thanks for yet another great write-up, especially on this new ADC/NetScaler feature.

    A couple of items I discovered while setting this up include:
    1) It works best if the gateway/aaa theme is X1 , as the text for the various prompts is easier to read
    2) If the Netscaler has trouble communicating with the SMTP server to send the OTP, then the process seems to fail without any informative feedback to the user. Troubleshooting information is recorded in aaa.debug however.
    3) If using Exchange for SMTP/S, additional permissions may be required on the receive connector https://somoit.net/exchange/exchange-smtp-error-550-5-7-1-client-not-permissions-send-sender , otherwise NetScaler aaa.debug log may record ‘Client does not have permissions to send as this sender’
    4) When the user is prompted to enter their new password, their is no enforcement of AD based password history / reuse policies

    Joe

    1. I’m not certain. The SingleAuthPasswordResetRem.xml file has a single hidden field called passwdreset which handles both the KBA verification and the Email OTP. I don’t see any place to change the Email OTP to something else. It would be nice if Email OTP had its own Login Schema so I can use Email OTP for non-SSPR flows and replace it for SSPR flows.

    2. Yes, it is. If you already configured TOTP, you only have to implement a verifyOTP-Policylabel as next factor in your PW-Reset-flow instead of email OTP.

Leave a Reply

Your email address will not be published. Required fields are marked *