How to Allow Users to Change Passwords When Using NetScaler Gateway and Web Interface

This article describes how to allow users to change password from Web Interface when using NetScaler Gateway and Web Interface. NetScaler Gateway can be configured to allow users to change expired passwords if the user has completed a proper setup.

This article assumes that you are configuring NetScaler Gateway in either ICA Proxy mode or that you have set Web Interface as the homepage.

Background

This article is applicable for password change, assuming that the user can log on successfully. This article cannot be used if "change password on next logon" is selected in the user profile (which is a common practice when new user accounts are created and the user must change password after logging on for the first time), unless you disable authentication on the VPN VIP.

Requirements

• Ensure that the LDAP server is properly set for secure LDAP (LDAPS) connections for the setup to work.
• Download the NGWISSO.zip file from this article.

Caution! This customization affects the XenApp or XenDesktop SmartAccess functionalities of NetScaler Gateway such as:

• Administrators cannot hide applications externally.

• Administrators cannot disable or enable any XenApp or XenDesktop policies based on user access from NetScaler Gateway.

Configuring Web Interface Server to Allow Users to Change Password

1. Create a Web Interface site and specify At Web Interface as a Point of Authentication, as shown in the following screen shot.

   

2. Ensure that the Web Interface site launches applications successfully with the XenApp environment.

3. Download the NGWISSO.zip file from this article.

4. Extract the contents of NGWISSO.zip file.

5. Navigate to the folder for which the name matches the version of the Web Interface version installed on the server.

6. Open the Readme.txt file and complete the instructions available in the file to replace the login file.

7. Open the Citrix Access Management Console for Web Interface.

8. Select Configure Authentication Methods from Common Tasks, as shown in the following screen shot:

   

9. Ensure that the Explicit option is selected in the Available methods list, as shown in the following screen shot and then click Properties.

   

10. Expand the Explicit node in the Properties dialog box.

11. Select Authentication Type and then select Settings.

    

12. Type the domain information in the Domain list, select the Pre-populated option.

13. Select the Hide Domain box radio button.

14. Click OK.

    

    Note: Entering multiple domains into the domain list is currently not supported when you select Hide Domain box.

15. Select Password Settings and configure the required option under Allow users to change password.

    

16. Click OK in all the open dialog boxes.

17. Test the Web Interface site without NetScaler Gateway and ensure that you can log on, start applications, and change the password.

Configuring NetScaler to Allow Users to Change Password

1. Open the LDAP authentication profile and ensure that the following settings are enabled:

   1. Select Allow Password Change.

   2. Select TLS or SSL. If TLS is selected, use Port 389. For SSL, use port 636.
      For more information, refer to Citrix Documentation - Configuring LDAP Authentication.

      

2. If everything is set correctly, you are prompted to change the password at the next logon (if required).??

   

   

In order to support password expiration during authentication, the Bind DN account must also have read access to the PwdLastSet, UserAccountControl, and msDS-User-Account-Control-Computed attributes in the LDAP directory. For more information refer to CTX108876 ??- How to Configure LDAP Authentication on NetScaler.

For troubleshooting, failure to change expired password, refer to CTX114999 -?? How to Troubleshoot Authentication with aaad.debug.