NetScaler – Rename multiple password boxes to meaningful names

On a Citrix NetScaler, when you enable Two Factor Authentication (2FA) for a VPN/CAG vServer, two password boxes are presented to the user with the somewhat meaningless names of “Password 1” and “Password 2”. These labels are defined in a JavaScript file called “login.js”, which defines some of the JavaScript functions for the logon page and process.

NetScaler Password Prompt (Original)

Some sources advocate manually amending login.js on the NetScaler to rename them, but there are several issues with this approach:

  • The login.js can be overwritten during firmware upgrades
  • The change is not visible from the console, making it very easy to overlook during migrations or troubleshooting
  • The changes are not synchronised across HA pairs

Instead, I recommend creating a set of Rewrite rules to accomplish the same task. There are three items to change:

  • Remove the automatic numbering of the password boxes
  • Rename “Password 1” to “AD Password”
  • Rename “Password 2” to “2FA Password”

And for those not familiar with NetScaler Rewrite rules, each change will consist of three parts:

  • Action: This defines exactly what content we’re changing and to what
  • Policy: When to perform the action (i.e., only when returning login.js)
  • Binding: When to evaluate the Policy (e.g., all the time or only on a specific vServer, etc.)

And here they are:

NB: If you remove the AD Password rename, remember to remove its corresponding policy and binding as well.


    #Enable Rewrite Feature

    enable ns feature REWRITE

    #################
    #Rewrite Actions#
    #################

    #Prevent automatic numbering
    add rewrite action LoginPasswordNumber_delete_rewrite_action delete_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" -pattern "document.write(\' 1\');" -bypassSafetyCheck YES

    #Rename AD Password (Optional)
    add rewrite action LoginPassword1_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" q/"\"AD Password\""/ -pattern "_(\"Password\")" -bypassSafetyCheck YES

    #Rename Password 2 (Recommended)
    add rewrite action LoginPassword2_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" q/"\"2FA Passcode:\""/ -pattern "_(\"Password2\")" -bypassSafetyCheck YES

    ##################
    #Rewrite Policies#
    ##################

    add rewrite policy LoginPassword1_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" LoginPassword1_replace_rewrite_action
    add rewrite policy LoginPassword2_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" LoginPassword2_replace_rewrite_action
    add rewrite policy LoginPasswordNumber_delete_pol "http.req.url.path.endswith(\"vpn/login.js\")" LoginPasswordNumber_delete_rewrite_action

    ##########################
    #Rewrite Binding (Global)#
    ##########################

    bind rewrite global LoginPassword1_rewrite_pol 80 NEXT -type RES_OVERRIDE
    bind rewrite global LoginPassword2_rewrite_pol 90 NEXT -type RES_OVERRIDE
    bind rewrite global LoginPasswordNumber_delete_pol 100 NEXT -type RES_OVERRIDE

    #Flush the content cache, before testing
    flush cache contentgroup all

The end result should look something like this:

NetScaler Password Prompt (Modified)

Please note: I’m far from the first to do this (i.e., http://support.citrix.com/article/CTX123121). However, I struggled to get other people’s code to work properly and really didn’t want to change the files on the NetScaler – the above “just works” on 10.5 🙂
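To sanity-check what the three actions will do before binding them on a live box, here is an added Python simulation (not part of the original post and not NetScaler code) that applies the same patterns, in binding priority order and case-insensitively, to a constructed login.js fragment. The fragment is mine, and it assumes that a -pattern without the re~...~ prefix is matched as literal text and that http.RES.BODY(120000) only ever inspects the first 120000 bytes of the response.

```python
import re

# http.RES.BODY(120000): only the first 120000 bytes of the response are inspected,
# so a login.js larger than this would not be rewritten at all.
BODY_LIMIT = 120000

# Constructed stand-in for the relevant lines of /vpn/login.js (not the real file).
SAMPLE_LOGIN_JS = """
document.write('<TD>' + _("Password"));
if ( pwc == 2 ) { document.write(' 1'); }
document.write(':</TD>');
document.write('<TD>' + _("Password2") + '</TD>');
"""

# (priority, action type, literal pattern, replacement) mirroring the three actions
# and their global RES_OVERRIDE bindings (80 -> 90 -> 100, each chained with NEXT).
RULES = [
    (80,  "replace_all", '_("Password")',        '"AD Password"'),
    (90,  "replace_all", '_("Password2")',       '"2FA Passcode:"'),
    (100, "delete_all",  "document.write(' 1');", ""),
]


def within_body_limit(body: str) -> bool:
    """True if the whole body falls inside the BODY(120000) window the actions inspect."""
    return len(body.encode()) <= BODY_LIMIT


def apply_rewrite(body: str, rules=RULES) -> str:
    """Apply each rule in priority order; ignorecase mirrors SET_TEXT_MODE(ignorecase)."""
    if not within_body_limit(body):
        raise ValueError("response body exceeds BODY(120000); rewrite would be skipped")
    for _priority, _kind, pattern, replacement in sorted(rules):
        # Literal match (re.escape); a lambda replacement avoids backslash expansion.
        body = re.sub(re.escape(pattern), lambda _m: replacement, body, flags=re.IGNORECASE)
    return body


def labels_ok(body: str) -> bool:
    """Post-change check: new labels present, old labels and the ' 1' numbering gone."""
    out = apply_rewrite(body)
    return ('"AD Password"' in out and '"2FA Passcode:"' in out
            and '_("Password' not in out and "document.write(' 1')" not in out)
```

Note that `_("Password")` is not a substring of `_("Password2")` (the closing `")` differs), which is why the priority-80 rename does not damage the priority-90 one.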
