I really like the Native OTP feature introduced in version 12, since it allows you to enable two-factor authentication without using any third-party product. If you need more information about how to configure it, you can check https://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/. During a customer upgrade to the NS13.0 71.44.nc version, I started to see strange behavior on the /manageotp page. This page shouldn't require a passcode, as it is the page (which you need to protect) used to enroll the devices.
The issue was precisely on the manageotp page: users were asked to provide the passcode (second factor) to log on.
While debugging, I found that the NSC_TASS cookie did not have the "correct" value:
As there are two places in the ADC configuration where the NSC_TASS cookie value is checked (the authentication policy and the authentication login schema policy), I changed the expression from HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") to HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("/manageotop"), and it worked like a charm!
I continued my functional testing, and while I was wrapping it up I was called by the customer telling me that manageotp was not working again. I checked, and the cookie value was back to manageotp. Quite annoying!
I decided to change the expression on both policies again, this time to HTTP.REQ.COOKIE.VALUE("NSC_TASS").CONTAINS("manageot").
Fingers crossed, it’s now working for everyone!
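As an added example (not code from the original post), the following Python re-implements the string semantics of the three policy expressions tried above and runs them against the two NSC_TASS values observed. It makes visible why each EQ expression matches only one build's value while CONTAINS("manageot"), the common prefix of the two values, matches both. The sample Cookie headers and the NSC_TMAA placeholder cookie are constructed; the real ADC evaluates these expressions in its own policy engine, and only the matching logic is emulated here.

```python
# Added example (not code from the original post): a local re-implementation of
# the string semantics behind the three Citrix ADC policy expressions discussed,
# evaluated against the two NSC_TASS values the post reports.  The ADC itself
# evaluates these in its own policy engine; only the matching logic is emulated.

# Constructed sample Cookie request headers.  The NSC_TASS values are the two the
# post observed across builds; NSC_TMAA=placeholder is a made-up neighbour cookie.
SAMPLE_HEADERS = {
    "old_value": "NSC_TMAA=placeholder; NSC_TASS=manageotp",
    "new_value": "NSC_TMAA=placeholder; NSC_TASS=/manageotop",
    "no_cookie": "NSC_TMAA=placeholder",
}


def cookie_value(cookie_header: str, name: str) -> str:
    """Emulates HTTP.REQ.COOKIE.VALUE(name): the named cookie's value, or the
    empty string when the cookie is absent from the Cookie header."""
    for pair in cookie_header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            return value
    return ""


def eq(expected: str):
    """.EQ(expected): exact, case-sensitive comparison."""
    return lambda value: value == expected


def contains(needle: str):
    """.CONTAINS(needle): case-sensitive substring test."""
    return lambda value: needle in value


# The three expressions from the post, in the order they were tried.
POLICY_EXPRESSIONS = {
    'HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp")': eq("manageotp"),
    'HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("/manageotop")': eq("/manageotop"),
    'HTTP.REQ.COOKIE.VALUE("NSC_TASS").CONTAINS("manageot")': contains("manageot"),
}


def evaluate(cookie_header: str) -> dict:
    """Result of every expression for one request's Cookie header."""
    value = cookie_value(cookie_header, "NSC_TASS")
    return {expr: fn(value) for expr, fn in POLICY_EXPRESSIONS.items()}


def matrix() -> dict:
    """Expression results for every sample header, keyed by sample label."""
    return {label: evaluate(hdr) for label, hdr in SAMPLE_HEADERS.items()}


def robust_expressions() -> list:
    """Expressions that select the enrolment flow for both observed cookie
    values and never fire when the cookie is absent altogether."""
    results = matrix()
    return [
        expr for expr in POLICY_EXPRESSIONS
        if results["old_value"][expr]
        and results["new_value"][expr]
        and not results["no_cookie"][expr]
    ]


if __name__ == "__main__":
    for label, row in matrix().items():
        print(label)
        for expr, hit in row.items():
            print(f"  {'match' if hit else 'miss '}  {expr}")
    print("robust:", robust_expressions())
```

The robust_expressions() check is the one worth keeping around once such a workaround is in place: the enrolment-flow expression should match every cookie value the firmware has been seen to emit, and it should not fire at all for a request that carries no NSC_TASS cookie. Keep a CONTAINS needle as long as the observed values allow ("manageot" is the full common prefix here) rather than shortening it further.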
1 thought on “Native OTP issues on Citrix ADC 13”