Two-factor authentication with specific customized NetScaler Gateway logon pages.

11:19 AM

Those who know me know that I have a great interest in two-factor authentication, so I was very interested when my colleague Chris Jeffrey pointed out that two-factor authentication does not work on multiple NetScaler Gateway logon points when specific customized login pages are used.
Specific customized login pages let you display a different login page for each NetScaler Gateway vServer. This can be a real advantage in a cloud hosting environment where multiple customers connect to the same VPX and each logon point must clearly carry that company's branding.

But a significant problem occurred: on the custom logon point the user does not see the second password prompt that appears on the first. The password prompt used for the PIN or token simply does not appear, even though CTX123736 was followed exactly with only the most minimal adjustments, and it was not clear why. I like investigating a mystery and decided to dig in.

Read on to learn the cause and the solution.

Screenshot: first NetScaler Gateway vServer.

Screenshot: second NetScaler Gateway vServer, adjusted according to CTX123736. Note the lack of the PIN code prompt.
A brief look at the NetScaler Gateway files shows where the second password prompt comes from. The prompt, which we adapted to say "PIN code" instead of "Password 2", is not static HTML. Instead it is added to the login page dynamically by a JavaScript file called "login.js", which contains some conditional statements.

    function ns_showpwd()
    {
        var pwc = ns_getcookie("pwcount");
        /* first password field: the HTML markup written here was stripped from the page */
        document.write('...');
        document.write('...');
        if (pwc == 2) {
            /* second password field, written only when the pwcount cookie has the value 2 */
            document.write('...');
        }
        UnsetCookie("pwcount");
    }

Examining the JavaScript, we see that the second password field is only written when a cookie called "pwcount" exists and has the value 2. Checking the vServers with Firebug, we find the cookie is present on the first (where the prompt works and is displayed) but not on the second.

After a brief email exchange with engineering, the problem was clarified: the pwcount cookie is set only when two specific file names, index.html and tmindex.html, are retrieved. As our second vServer was adapted following CTX123736, we retrieve index_modified.html instead.

Now, an immediate solution would be:

Take the conditional statements out of a modified login.js file and thus hard-code the second password prompt so that it is always displayed. It's a quick fix that solves the immediate problem, but editing JavaScript is not very dynamic. Now that we know the cause, wouldn't it be nicer to have a solution that can be activated and deactivated via the GUI?

"Ah-ha, maybe we could set the cookie with a rewrite rule bound to the NetScaler Gateway vServer?"

    add rewrite action Add_pwcount_cookie insert_http_header Set-Cookie "\"pwcount=2\""

    add rewrite policy Enable_pwcount_cookie_policy "!HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"pwcount\") && HTTP.REQ.URL.STARTSWITH(\"/vpn/index_modified.html\")" Add_pwcount_cookie

    bind vpn vserver "test NSG" -policy Enable_pwcount_cookie_policy -priority 100 -gotoPriorityExpression END -type RESPONSE

At first it did not work. An integrated caching policy, "_cacheVPNStaticObjects", is invoked by default and strips the configured cookie before delivering the cached page. The solution was to change that policy so that it does not apply to our index_modified file.

    set cache policy _cacheVPNStaticObjects -rule "HTTP.REQ.URL.PATH_AND_QUERY.STARTSWITH_ANY(\"vpn_cache_dirs\") && !HTTP.REQ.URL.PATH_AND_QUERY.STARTSWITH(\"/vpns/portal/\") && !HTTP.REQ.URL.PATH_AND_QUERY.STARTSWITH(\"/vpn/index_modified.html\")" -action CACHE

This works and is much more dynamic.
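To make the interaction between the rewrite policy, the caching policy and login.js concrete, here is a small model of the whole cookie flow. It is an added example written for this post, not NetScaler code; the contents of the vpn_cache_dirs pattern set and the exact way the cache drops the inserted Set-Cookie header are constructed assumptions.

```python
"""Model of the pwcount cookie flow on a customized NetScaler Gateway logon point."""

# Stand-in for the vpn_cache_dirs pattern set used by STARTSWITH_ANY (assumption).
VPN_CACHE_DIRS = ("/vpn/", "/vpns/")
MODIFIED_PAGE = "/vpn/index_modified.html"


def rewrite_policy_hits(path: str, cookie_header: str) -> bool:
    """Enable_pwcount_cookie_policy: cookie absent AND request for the modified page."""
    return "pwcount" not in cookie_header and path.startswith(MODIFIED_PAGE)


def cache_policy_hits(path: str, cache_fixed: bool) -> bool:
    """_cacheVPNStaticObjects rule, before (cache_fixed=False) and after the fix."""
    hit = path.startswith(VPN_CACHE_DIRS) and not path.startswith("/vpns/portal/")
    if cache_fixed:  # the added third clause excludes index_modified.html
        hit = hit and not path.startswith(MODIFIED_PAGE)
    return hit


def response_headers(path: str, cookie_header: str, cache_fixed: bool) -> dict:
    """Headers reaching the browser after the rewrite and cache policies run."""
    headers = {}
    if rewrite_policy_hits(path, cookie_header):
        headers["Set-Cookie"] = "pwcount=2"  # Add_pwcount_cookie action
    if cache_policy_hits(path, cache_fixed):
        headers.pop("Set-Cookie", None)  # cached object served without the cookie (assumption)
    return headers


def browser_cookies(cookie_header: str, headers: dict) -> dict:
    """Cookie jar after the response: cookies already sent plus any Set-Cookie."""
    jar = dict(c.split("=", 1) for c in cookie_header.split("; ") if "=" in c)
    if "Set-Cookie" in headers:
        name, value = headers["Set-Cookie"].split("=", 1)
        jar[name] = value
    return jar


def second_prompt_shown(jar: dict) -> bool:
    """The ns_showpwd() condition in login.js: second field only when pwcount == 2."""
    return jar.get("pwcount") == "2"


def login_page_shows_pin(path: str, cookie_header: str, cache_fixed: bool) -> bool:
    """End to end: does a user on this logon point get the PIN prompt?"""
    jar = browser_cookies(cookie_header, response_headers(path, cookie_header, cache_fixed))
    return second_prompt_shown(jar)
```

Running login_page_shows_pin for the modified page with cache_fixed=False reproduces the missing prompt; with cache_fixed=True the cookie survives and the second field appears.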

You can now activate or deactivate the second password prompt on this vServer simply by binding or unbinding a single rewrite policy.
