Before we begin let me first say…

“All NetScaler Gateway landing page customizations are unsupported. Changing the NetScaler Gateway landing page will cause you to have an unsupported environment. I do not condone malicious attempts to lockout user accounts. The purpose of this article is to highlight a current risk and mitigation steps.”

Now that that is out of the way, let’s start with the customizations 😉

  1. The current recommended configuration for two-factor authentication at NetScaler is available here. http://support.citrix.com/article/CTX12536
  2. With the configuration highlighted in the article above,  web based users that authenticate are hitting AD first.
  3. Ideally, we would want to follow the authentication workflow that is configured for the Native Receiver.
  4. The Native Receiver evaluates RADIUS first, and if this is successful, then the LDAP policy is invoked.

What is the Risk of Leaving the Configuration Exactly How The Article Has Outlined the Configuration?

If Bob, a malicious user, knows Alice’s username, then Bob could enter a bogus password 3 times and lock Alice’s account. Bob could do this as often as he liked until some measure went into place to stop Bob. If Bob knew a lot of usernames and had some knowledge of scripting tools such as JMeter, then he could lockout a large number of user accounts effectively acting as a DOS. This would be bad, and I again, I do not condone such an attack.

So What Can We Do to Mitigate This Risk?

The quick and easy way to do it is to reverse the web authentication policies so that they match up with the Native Receiver (RADIUS as primary, LDAP as secondary). However, this will force users to enter their RADIUS Passcode before entering their AD username. Most organizations want to have the dynamic pin as the 2nd password for users to enter.

So how can we mitigate the risk AND have the dynamic token as the second password users need to enter?

Similar to the quick and easy method, we would need to make the RADIUS authentication primary and the LDAP authentication secondary. Now we need to customize some JavaScript on the NetScaler. The file /vpn/login.js is what we need to customize. This file can be found under “/netscaler/ns_gui/vpn/login.js”. What we will do is change the ordering of the POST values.

The JavaScript Below Has the Original Values in Bold that We Will Change.
—————————————————————————————————————————————————————————————————————————————-

function ns_showpwd_default() { var pwc = ns_getcookie(“pwcount”); document.write(‘<TR><TD align=right style=”padding-right:10px;white-space:nowrap;”> <SPAN class=CTXMSAM_LogonFont>’ + _(“Password”)); if ( pwc == 2 ) { document.write(‘&nbsp;1′); } document.write(‘:</SPAN></TD>’); document.write(‘<TD colspan=2 style=”padding-right:8px;”> <input type=”Password” title=”‘ + _(“Enter password”) + ‘” name=”passwd” size=”30″ maxlength=”127″ style=”width:100%;”> </TD></TR>’); if ( pwc == 2 ) { document.write(‘<TR><TD align=right style=”padding-right:10px;white-space:nowrap;”> <SPAN>’ + _(“Password2″)  + ‘</SPAN></TD> <TD colspan=2 style=”padding-right:8px;”> <input type=”Password” title=”‘ + _(“Enter password”) + ‘” name=”passwd1” size=”30″ maxlength=”127″ style=”width:100%;”></TD></TR>’); } UnsetCookie(“pwcount”); }

—————————————————————————————————————————————————————————————————————————————-

The JavaScript below contains the revised fields so that when a user POSTs their credentials, NetScaler will can evaluate RADIUS before attempting to contact AD. The values passwd1 and passwd are swapped.

—————————————————————————————————————————————————————————————————————————————-

function ns_showpwd_default() { var pwc = ns_getcookie(“pwcount”); document.write(‘<TR><TD align=right style=”padding-right:10px;white-space:nowrap;”> <SPAN>’ + _(“Password”)); if ( pwc == 2 ) { document.write(‘&nbsp;1′); } document.write(‘:</SPAN></TD>’); document.write(‘<TD colspan=2 style=”padding-right:8px;”> <input type=”Password” title=”‘ + _(“Enter password”) + ‘” name=”passwd1” size=”30″ maxlength=”127″ style=”width:100%;”> </TD></TR>’); if ( pwc == 2 ) { document.write(‘<TR><TD align=right style=”padding-right:10px;white-space:nowrap;”> <SPAN class=CTXMSAM_LogonFont>’ + _(“Password2″)  + ‘</SPAN></TD> <TD colspan=2 style=”padding-right:8px;”> <input type=”Password” title=”‘ + _(“Enter password”) + ‘” name=”passwd” size=”30″ maxlength=”127″ style=”width:100%;”></TD></TR>’); } UnsetCookie(“pwcount”); }

—————————————————————————————————————————————————————————————————————————————-

With This Configuration …

We can remove an avenue for would-be attackers who intend to lockout users, while still having the token passcode as the second password field. Also, below are some relevant links for NetScaler Gateway customizations.
http://support.citrix.com/article/CTX125364
http://support.citrix.com/article/CTX126206
http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-connect-custom-theme-page-tsk.html

Have you ever worked at an organization that has come under attack from user lockouts? What was done to mitigate the threat?

Let us know in the comments below and feel free to ask questions!
Thanks for reading,