Native OTP issues on Citrix ADC 13

I really like the Native OTP feature introduced in version 12, since it allows you to enable two-factor authentication without using any third-party product. If you need more information about how to configure it, see https://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/. During a customer upgrade to the NS13.0 71.44.nc version, I started to see strange behavior on the /manageotp page. This page shouldn't require a passcode, since it's the page (which you need to protect by other means) used to enroll the devices.

The issue I had was exactly on the manageotp page: users were being asked to provide the passcode (second factor) to log on.

While debugging, I found that the NSC_TASS cookie didn't have the "correct" value.

As there are two places in the ADC configuration where the NSC_TASS cookie value is checked (in the authentication policy and in the authentication login schema policy), I changed the expression in both from HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") to HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("/manageotop"), and it worked like a charm!

I continued my functional testing, and while I was wrapping it up, the customer called to tell me that the manageotp page was not working again... I checked, and the cookie value was back to manageotp. Quite annoying!

I decided to change the expression on both policies again, this time to: HTTP.REQ.COOKIE.VALUE("NSC_TASS").CONTAINS("manageot").

Fingers crossed, it’s now working for everyone!
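For reference, here is what the final change looks like from the ADC CLI, as an added example rather than commands from the original post; the policy names auth_pol_manageotp and lschema_pol_manageotp are assumed placeholders, replace them with the names bound on your authentication vserver.

```text
# Assumed policy names; substitute your own.
# 1. Authentication (advanced) policy that selects the manageotp flow:
set authentication Policy auth_pol_manageotp -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").CONTAINS(\"manageot\")"

# 2. Login schema policy that serves the single-factor (no passcode) manageotp schema:
set authentication loginSchemaPolicy lschema_pol_manageotp -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").CONTAINS(\"manageot\")"

# 3. Verify that both rules now use CONTAINS rather than EQ:
show authentication Policy auth_pol_manageotp
show authentication loginSchemaPolicy lschema_pol_manageotp

# CONTAINS("manageot") matches both "manageotp" and "/manageotp" (and any other value
# containing that substring), which is why it survives the cookie value flipping between the two.
```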
