When users need to change their password while logging on through the NetScaler Gateway, you can use the option Allow Password Change, which is set when configuring LDAP authentication.
The password change option is only allowed when the NetScaler communicates with the directory over LDAPS (port 636) or LDAP with TLS (port 389), and you have to make sure your domain controller also supports LDAPS or LDAP-TLS. I will use LDAPS on port 636.
Before you start, make sure you have a CA in your network and that the domain controller has a certificate. Install this certificate on the NetScaler using the following article: http://www.vdnieuwenhof.eu/2013/09/install-iis-certificate-on-citrix-netscaler-10-1/ You can use the root certificate for this; then you don’t need to install the certificate from every domain controller.
After you have installed the certificate on the NetScaler, edit the LDAP settings: go to NetScaler Gateway > Policies > Authentication/Authorization > Authentication > LDAP, open the Servers tab and edit the LDAP server.
- IP address: your Domain Controller
- Port: 636
- Base DN: dc=subdomain,dc=domain,dc=nl
- Administrator Bind: Administrator account
- Server Logon Attribute: sAMAccountName/UserPrincipalName
- Security Type: SSL
- Allow Password Change: Checked
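The same LDAP server settings entered on the NetScaler command line, as an added example that is not from the original post; the action name, IP address, bind account, password and host name are placeholders. It additionally sets -validateServerCert with -ldapHostname so the NetScaler actually checks the domain controller's certificate against the installed root CA instead of only encrypting the connection.

```nscli
add authentication ldapAction LDAP_PasswdChange -serverIP 10.0.0.10 -serverPort 636 -ldapBase "dc=subdomain,dc=domain,dc=nl" -ldapBindDn "CN=svc-netscaler,CN=Users,DC=subdomain,DC=domain,DC=nl" -ldapBindDnPassword <bind_password> -ldapLoginName sAMAccountName -secType SSL -passwdChange ENABLED -validateServerCert YES -ldapHostname dc01.subdomain.domain.nl
show authentication ldapAction LDAP_PasswdChange
```

With -validateServerCert YES, a certificate that does not chain to the installed root CA or does not match -ldapHostname makes the LDAP connection (and therefore logon and password change) fail instead of continuing over an unverified connection.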
I hope this helps.