On a Citrix NetScaler, when you enable Two Factor Authentication (2FA) for a VPN/CAG vServer, two password boxes are presented to the user with the somewhat meaningless names of “Password 1” and “Password 2”. These labels come from a JavaScript file called “login.js”, which defines some of the JavaScript functions for the logon page and process.
Some sources advocate manually amending login.js on the NetScaler to rename them, but there are several issues with this approach:
Instead, I recommend creating a set of Rewrite rules to accomplish the same task. There are three items to change:
And for those not familiar with NetScaler Rewrite rules, each change will consist of three parts:
And here they are:
NB: If you remove the optional AD Password rename action, remember to remove its corresponding policy and global binding as well.
#Enable Rewrite Feature
enable ns feature REWRITE
#################
#Rewrite Actions#
#################
#Prevent automatic numbering
add rewrite action LoginPasswordNumber_delete_rewrite_action delete_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" -pattern "document.write(\' 1\');" -bypassSafetyCheck YES
#Rename AD Password (Optional)
add rewrite action LoginPassword1_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" q/"\"AD Password\""/ -pattern "_(\"Password\")" -bypassSafetyCheck YES
#Rename Password 2 (Recommended)
add rewrite action LoginPassword2_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" q/"\"2FA Passcode:\""/ -pattern "_(\"Password2\")" -bypassSafetyCheck YES
##################
#Rewrite Policies#
##################
add rewrite policy LoginPassword1_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" LoginPassword1_replace_rewrite_action
add rewrite policy LoginPassword2_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" LoginPassword2_replace_rewrite_action
add rewrite policy LoginPasswordNumber_delete_pol "http.req.url.path.endswith(\"vpn/login.js\")" LoginPasswordNumber_delete_rewrite_action
##########################
#Rewrite Binding (Global)#
##########################
bind rewrite global LoginPassword1_rewrite_pol 80 NEXT -type RES_OVERRIDE
bind rewrite global LoginPassword2_rewrite_pol 90 NEXT -type RES_OVERRIDE
bind rewrite global LoginPasswordNumber_delete_pol 100 NEXT -type RES_OVERRIDE
#Flush the content cache, before testing
flush cache contentgroup all
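To see what the three actions above do to the response body before testing against the gateway, here is an added simulation (my own example, not code from the original post or from Citrix). It applies the three rewrites in their binding priority order, honours the SET_TEXT_MODE(ignorecase) flag and the http.RES.BODY(120000) window, and includes a check you can run over a fetched login.js after the cache flush. The login.js fragment is constructed for illustration; the real file is much larger and varies between builds.

```python
import re

# Constructed fragment standing in for the relevant lines of /vpn/login.js
# (an assumption: the real file is much larger and varies between builds).
SAMPLE_LOGIN_JS = """\
document.write('<span class="fieldLabel">' + _("Password") + '</span>');
document.write(' 1');
document.write('<span class="fieldLabel">' + _("Password2") + '</span>');
"""

BODY_WINDOW = 120000  # http.RES.BODY(120000): only the first 120000 bytes are exposed

# The three actions from the post, in global-binding priority order (80, 90, 100).
# A replacement of None models delete_all; a string models replace_all.
REWRITE_CHAIN = [
    ('_("Password")',         '"AD Password"'),    # LoginPassword1_replace_rewrite_action
    ('_("Password2")',        '"2FA Passcode:"'),  # LoginPassword2_replace_rewrite_action
    ("document.write(' 1');", None),               # LoginPasswordNumber_delete_rewrite_action
]


def apply_rewrite_chain(body: str, window: int = BODY_WINDOW) -> str:
    """Apply the three RES_OVERRIDE policies (NEXT-chained) to one response body."""
    head, tail = body[:window], body[window:]  # text past the window is never matched
    for pattern, replacement in REWRITE_CHAIN:
        # SET_TEXT_MODE(ignorecase): the literal -pattern matches regardless of case
        head = re.sub(re.escape(pattern), lambda _m: replacement or "", head,
                      flags=re.IGNORECASE)
    return head + tail


def rewrite_applied(body: str) -> bool:
    """Post-deployment check on a fetched login.js: no original label or numbering left."""
    leftovers = "|".join(re.escape(p) for p, _r in REWRITE_CHAIN)
    return re.search(leftovers, body, flags=re.IGNORECASE) is None
```

If login.js ever grows past the 120000-byte window, anything beyond it is left untouched, which is exactly what rewrite_applied() will flag.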
The end result should look something like this:
Please note: I’m far from the first to do this (e.g., http://support.citrix.com/article/CTX123121). However, I struggled to get other people’s code to work properly and really didn’t want to change the files on the NetScaler – the above “just works” on 10.5 🙂