Overview
Enabling the enhanced Authentication Feedback on NetScaler's AAA gives end users a better understanding of what is wrong with their credentials (username, password, OTP), but it also weakens security: a password spraying attack, for example, gets a simple answer as to whether the username exists.
The goal here was to give users a better understanding without a big loss of security.
Also, enhanced authentication feedback is an AAA global setting, which isn't great when using different NetScaler Gateways / AAA portals for different customer needs.
Configuration
The following pre-configured JavaScript files, one per language, modify just a few of the default auth-feedback messages. In my opinion, a great mix of "the user has some more information than by default" and "it's not that easy, regarding IT security, to get more information":
| Function / Error Case | Displayed message on NS-Portal to end user |
| --- | --- |
| User not found | Incorrect user name or password |
| Password wrong | Incorrect user name or password |
| Password change does not comply with password policy | Could not update your password. The password must meet the length, complexity and history requirements of the domain. |
| OTP / MFA wrong | Possibly incorrect OTP |
| User is locked (by AAA) | You have exceeded the maximum login attempts, your account is now locked. Please wait 15 minutes for automatic unlock. |
| User is disabled | Incorrect user name or password |
| User wrong | Incorrect user name or password |
So basically, end users only get enhanced feedback when the MFA / OTP is wrong, or when they have to change their password and the new one does not meet the password complexity requirements. These two failure reasons cause many helpdesk tickets, as the default "Try again after some time or contact your help desk" isn't helping in any way. The same goes for a locked user (depending on your max login attempts and failed login timeout settings on NetScaler): the message shows how long the auto-unlock takes.
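A check for the mapping in the table above, as an added example that is not part of the original post or of the NetScaler files: it verifies that every failure case that could confirm a username shows exactly the same text. The case names are hypothetical labels, not NetScaler localization keys, and the second message map is constructed.

```javascript
// Added example. Case names are hypothetical labels for the rows of the
// table above; they are NOT the keys used in the NetScaler language files.
const MUST_MATCH = ["userNotFound", "passwordWrong", "userDisabled", "userWrong"];

// Messages as listed in the table (OTP is allowed to differ).
const pageTable = {
  userNotFound: "Incorrect user name or password",
  passwordWrong: "Incorrect user name or password",
  userDisabled: "Incorrect user name or password",
  userWrong: "Incorrect user name or password",
  otpWrong: "Possibly incorrect OTP",
};

// Constructed sample: one message picked up a trailing period during editing.
const drifted = { ...pageTable, userDisabled: "Incorrect user name or password." };

// Returns a list of findings; an empty list means the username-related
// cases are indistinguishable. Comparison is exact on purpose: a script
// comparing responses can tell messages apart by a single character.
function auditMessages(messages) {
  const findings = [];
  const seen = new Map(); // exact message text -> cases that display it
  for (const name of MUST_MATCH) {
    const text = messages[name];
    if (typeof text !== "string" || text.length === 0) {
      findings.push(`${name}: no message defined`);
      continue;
    }
    if (!seen.has(text)) seen.set(text, []);
    seen.get(text).push(name);
  }
  if (seen.size > 1) {
    for (const [text, cases] of seen) {
      findings.push(`${JSON.stringify(text)} shown for: ${cases.join(", ")}`);
    }
  }
  return findings;
}

console.log("table from the page:", auditMessages(pageTable));
console.log("drifted sample:", auditMessages(drifted));
```

Running it against the strings extracted from each language file after an edit catches a message that has drifted in only one language.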
You can change the behavior per Portal Theme, but my goal was to bring a new default which should work with every existing theme, and automatically with every future theme, all based on RfWebUI.
The language files are located in the folder /var/netscaler/logon/LogonPoint/receiver/js/localization. Which file is used depends on the language of the end user's browser, and the files are used by all RfWebUI-based Portal Themes.

Here are the pre-defined files for download; just replace yours with them and enable the Enhanced Auth-Feedback in the AAA global settings. You can continue customizing them to your needs. My files use English output for every browser language (English, German, Spanish, French and Italian).
I have adjusted the following lines, which no longer comply with the standard from NetScaler:
- 351 – 367
- 430
- 439
Summary
I hope this Quickpost gives you a simple template to reduce helpdesk tickets from your end users.