NetScaler 10 – Implementing Password Changing At Any Time

Introduction

This article provides the steps to let users change their password at any time on a NetScaler 10 VPX with a Web Interface 5.4 Server running on Windows 2008 R2.

Overview

With the Access Gateway 5 going end of life soon, many people are upgrading to a NetScaler VPX solution to provide external access to their user base.  One of the biggest pieces of functionality which seems to be missing at this time is providing users the ability to change their passwords at any time.

The old method of doing this with the Access Gateway 5 no longer works with a NetScaler VPX. Citrix have two articles which provide the steps to enable this functionality for a site, but the approach comes with some disadvantages / considerations:

  • Administrators cannot hide applications externally
  • Administrators cannot disable or enable any XenApp or XenDesktop policies based on user access from Access Gateway
  • Client detection and download is no longer available

Initial Creation Of The XenApp Web Site

The first step is to create a new XenApp Web Site on the Web Interface Server.  To create a new XenApp Web Site on the Web Interface Server perform the following :-

  • Logon to the Web Interface Server as an administrative account
  • Open the Citrix Web Interface Web Management console
  • Right Click on XenApp Web Sites in the Left Hand pane and select Create Site
  • At the Specify IIS Location page change the Path to the Site name required

E.G. /Citrix/ChangePasswordSite/

  • The Name field will change automatically
  • Select Set as the default page for the IIS site if you wish it to be the default page and then click on Next to continue
  • At the Specify Point of Authentication page select At Web Interface and then click on Next to continue
  • At the Confirm Settings for New Site page check they are as you want them to be and then click on Next to continue

The new XenApp Web Site will now be created

  • Once created leave the option Configure this site now selected and then click on Next to continue
  • At the Specify Server Farm page change the Farm Name to the name of your XenApp Farm (This is for display purposes in the console only)
  • Click on the Add Button and when prompted enter the Server Name or IP Address of one of the XenApp Servers in the farm enabled for XML
  • Add in any additional XenApp Servers in the farm enabled for XML you require
  • If necessary change the XML Port to the Port being used on the XenApp Servers
  • If necessary change the Transport Type to HTTPS or SSL Relay depending on whether you have this configured on the XenApp Servers
  • Click on Next to continue
  • At the Configure Authentication Methods page ensure only the Explicit option is ticked and then click on Next to continue
  • At the Domain Restriction page change it to Restrict domains to the following
  • Click on Add, Enter your Active Directory name, and then click on OK
  • Click on Next to continue
  • At the Specify Logon Appearance Screen page select whether you want Minimal or Full and then click on Next to continue
  • At the Select Published Resource Type page select whether you want Online, Offline, or Dual Mode and then click on Next to continue
  • At the Confirm Settings page click on Finish to continue

Configuring Password Changing For The XenApp Web Site

The next step is to configure password changing for the new XenApp Web Site on the Web Interface Server.  To configure password changing for the new XenApp Web Site perform the following :-

  • Highlight the new XenApp Web Site in the Centre Pane
  • Click on Authentication Methods in the Right Hand pane
  • Click on Properties in the Configure Authentication Methods screen
  • Click on Password Settings in the list
  • Tick the Allow users to change password option and select At any time
  • Configure the Remind users before passwords expire section as required and then click on OK
  • Click on OK to close the Configure Authentication Methods screen

Configure Secure Access For The XenApp Web Site

The next step is to configure Secure Access for the new XenApp Web Site on the Web Interface Server.  To configure Secure Access for the new XenApp Web Site perform the following :-

  • Highlight the new XenApp Web Site in the Centre Pane
  • Click on Secure Access in the Right Hand pane
  • In the Specify Access Methods screen click on the Default in the centre pane
  • Click on Edit, change it to Gateway direct, and then click on OK
  • Click on Next in the Specify Access Methods screen
  • In the Specify Gateway Settings screen set the Address (FQDN) to the Fully Qualified Domain Name of your Access Gateway
  • Click on Next to continue
  • In the Specify Secure Ticket Authority Settings screen click on Add
  • Enter the address of your STA Server and then click on OK

N.B. The address must include /scripts/ctxsta.dll on the end, e.g. http://{Your XenApp Server Name}/scripts/ctxsta.dll

  • Enter the addresses of your other STA Servers and then click on OK

N.B. The STAs you configure here MUST match those configured under the Access Gateway Virtual Server Published Applications section

  • Click on Finish to complete setting up Secure Access for the Site

Replace Login.java For The XenApp Web Site

The next step is to replace the login.java file for the new XenApp Web Site on the Web Interface Server.  To replace the login.java file for the new XenApp Web Site perform the following :-

  • Download the AGWISSO.ZIP file from the link below

http://support.citrix.com/article/CTX106202

  • Unzip the file on the Web Interface Server
  • In Windows Explorer navigate to the folder below for your new XenApp Web Site

Inetpub\wwwroot\Citrix\{Your new XenApp Web Site}\app_code\PagesJava\com\citrix\wi\pages\auth

E.G. C:\Inetpub\wwwroot\Citrix\ChangePasswordSite\app_code\PagesJava\com\citrix\wi\pages\auth

  • Rename the file login.java to login.java.old
  • Copy the login.java file from the Web Interface 5.4 folder inside the folder where you unzipped AGWISSO.ZIP on the Web Interface Server
  • Paste the login.java file into the folder below for your new XenApp Web Site

Inetpub\wwwroot\Citrix\{Your new XenApp Web Site}\app_code\PagesJava\com\citrix\wi\pages\auth

E.G. C:\Inetpub\wwwroot\Citrix\ChangePasswordSite\app_code\PagesJava\com\citrix\wi\pages\auth

Configure A New Session Policy On The Access Gateway

The next step is to configure a new Session Policy on the Access Gateway.  To configure a new Session Policy on the Access Gateway perform the following :-

  • Logon to the NetScaler Management IP Web GUI
  • Expand the Access Gateway branch in the Left Hand pane
  • Expand the Policies branch under the Access Gateway branch in the Left Hand pane
  • Click on Session
  • Click on the Profiles Tab
  • Click on Add
  • When prompted enter a name for the new Session Policy
  • Click on the Client Experience Tab
  • Ensure that Clientless Access is Enabled and set to Off
  • Ensure that Single Sign-on to Web Applications is Enabled
  • Click on the Published Applications Tab
  • Ensure that ICA Proxy is Enabled and set to ON
  • Ensure that Web Interface Address is Enabled and set it to the URL of your new site

E.G. http://{Your Server IP}/Citrix/ChangePasswordSite

  • Ensure that Single Sign-on Domain is Enabled and enter your Active Directory Name

N.B. Must be the same as was set for the Web Interface XenApp Web Site Domain Restriction

  • Configure any other settings you require like DNS etc and then click on OK

Bind The New Session Policy To A Session Profile On The Access Gateway

The next step is to bind the new Session Policy to a Session Profile on the Access Gateway.  To bind the new Session Policy to a Session Profile  perform the following :-

  • Click on the Profile Tab under the Session branch
  • Double Click the Session Profile you wish to bind it to and change the Request Profile to the new Session Policy you created
  • Click on OK to apply the changes to your Session Policy

Providing the Session Policy you have modified is bound to the Access Gateway Virtual Server you should now be able to logon and be passed through to the new Web Interface XenApp Web Site.
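The two N.B. requirements above (matching STA lists and a matching domain) are the usual places this setup drifts, so the following added example, which is not part of the original article or Citrix's own tooling, cross-checks a site's WebInterface.conf against the gateway's ns.conf. It assumes the Web Interface keys `CSG_STA_URL<n>`, `DomainSelection` (comma-separated), `RestrictDomains`, `AllowUserPasswordChange` and `WIAuthenticationMethods`, and the NetScaler parameters `-staServer` and `-ntDomain`; host names, the `AG_VS` and `ChangePwd` names and both config excerpts are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the site's WebInterface.conf (key names are assumptions).
WI_CONF = """\
WIAuthenticationMethods=Explicit
AllowUserPasswordChange=Always
RestrictDomains=On
DomainSelection=EXAMPLE
CSG_STA_URL1=http://xa01.example.local/scripts/ctxsta.dll
CSG_STA_URL2=http://xa02.example.local/scripts/ctxsta.dll
"""
# Constructed sample of the NetScaler ns.conf lines for the gateway.
NS_CONF = """\
add vpn sessionAction ChangePwd -sso ON -icaProxy ON -wihome "http://192.0.2.20/Citrix/ChangePasswordSite" -ntDomain EXAMPLE
bind vpn vserver AG_VS -staServer "http://xa01.example.local"
bind vpn vserver AG_VS -staServer "http://xa03.example.local"
"""

def sta_key(url):
    """Reduce an STA URL to scheme://host:port so an optional path is ignored."""
    u = urlsplit(url.strip().strip('"'))
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    return f"{scheme}://{(u.hostname or '').lower()}:{port}"

def check(wi_text, ns_text):
    """Return a list of mismatches between Web Interface and gateway settings."""
    wi = {k.strip(): v.strip() for k, v in
          (l.split("=", 1) for l in wi_text.splitlines() if "=" in l)}
    findings = []
    wi_stas = {sta_key(v) for k, v in wi.items() if re.fullmatch(r"CSG_STA_URL\d+", k)}
    ns_stas = {sta_key(u) for u in re.findall(r"-staServer\s+(\S+)", ns_text)}
    for sta in sorted(wi_stas - ns_stas):
        findings.append(f"STA {sta} is only on the Web Interface site")
    for sta in sorted(ns_stas - wi_stas):
        findings.append(f"STA {sta} is only on the Access Gateway virtual server")
    allowed = {d.strip().lower() for d in wi.get("DomainSelection", "").split(",") if d.strip()}
    for dom in re.findall(r"-ntDomain\s+(\S+)", ns_text):
        if dom.strip('"').lower() not in allowed:
            findings.append(f"Single Sign-on Domain {dom} is not in the site's domain restriction")
    if wi.get("RestrictDomains", "").lower() != "on":
        findings.append("Domain restriction is not enabled on the site")
    if wi.get("AllowUserPasswordChange", "").lower() != "always":
        findings.append("Password change is not set to 'At any time'")
    if wi.get("WIAuthenticationMethods", "").lower() != "explicit":
        findings.append("Authentication methods are not Explicit only")
    return findings
```

Calling `check(WI_CONF, NS_CONF)` on the constructed samples reports the two STA servers that appear on only one side; an empty list means the settings described in this article line up.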