NetScaler: Customize logon screen

When configuring the NetScaler for a customer, they asked for some modifications to the logon screen:

  • “Password 1” and “Password 2” need to be “Password” and “Token ID”.
  • The Citrix Receiver image needs to be replaced with their company logo.

To do this we need to change some files on the NetScaler. First I will show how to change the logon screen labels from “Password 1” and “Password 2” to “Password” and “Token ID”.

Default
This is the default when using secondary logon.

Connect to the NetScaler with WinSCP and download the following files:

  1. /var/netscaler/gui/vpn/login.js
  2. /var/netscaler/gui/vpn/resources/en.xml

Edit the login.js file and change the following:

  1. Go to the function ns_showpwd()
  2. Find: if ( pwc == 2 ) { document.write(' 1'); }
  3. Change it to: if ( pwc == 2 ) { document.write(' '); }
    Or just remove the “1”.
  4. Save the file.

Edit the en.xml file and change the following:

  1. Go to:
    <String id="Password">Password</String>
    <String id="Password2">Password 2:</String>
  2. Change Password 2 into Token ID:
    <String id="Password">Password</String>
    <String id="Password2">Token ID:</String>
  3. Save the file.

Now copy both files back to the original location and test the logon page.

Token ID
The new logon screen.

But when you reboot the appliance you will notice the files are back in their original state. To make sure the change keeps working after a reboot, do the following:

  1. Create the directory /var/ns_gui_custom:
    mkdir /var/ns_gui_custom
  2. Create the customtheme.tar.gz file by running the following commands:
    cd /netscaler
    tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
    The customtheme.tar.gz contains all the files for the custom theme and is a copy of the /var/netscaler/gui/ directory; it is extracted when the Custom theme is selected.
  3. Change the theme to Custom:
    1. Log on to the GUI.
    2. Expand NetScaler Gateway.
    3. Select Global Settings.
    4. Select Change Global Settings.
    5. Go to Client Experience.
    6. Change the theme to Custom.
    7. Save the configuration and reboot.

When you reboot the NetScaler the files are copied back and the logon screen is displayed correctly.

The customer also wanted to replace the “Citrix Receiver” logo with their own logo. To do this we need to do the following:

  1. Change back to the bubble theme.
  2. Repeat the steps for changing the password.
  3. Create a .PNG file with the following details:
    1. Name: logo_notagline.png
    2. Size: 215 x 51 (when you want it bigger you also need to change the ctxs.authentication.css which can be found in /var/netscaler/gui/vpn/css)
  4. Copy the file to:
    /var/netscaler/gui/media
  5. Run the following commands to create a new customtheme.tar.gz file:
    cd /netscaler
    tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
  6. Change the theme to Custom:
    1. Log on to the GUI.
    2. Expand NetScaler Gateway.
    3. Select Global Settings.
    4. Select Change Global Settings.
    5. Go to Client Experience.
    6. Change the theme to Custom.
    7. Save the configuration and reboot.

Now the logon page shows the company logo, and even when the appliance is rebooted the logo is copied back and keeps working.
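Because the Custom theme re-extracts customtheme.tar.gz at every reboot, the archive decides what the logon page looks like afterwards, not the live files. The following added example (not from the original post; the function names are hypothetical) compares the archive with the live GUI tree, which catches both a forgotten repack after an edit and any later change to the logon page files:

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the archive layout (ns_gui/...) is the one produced by the tar command above.

# build_theme BASE ARCHIVE: the tar command from the steps, run from BASE.
build_theme() {
    ( cd "$1" && tar -czf "$2" ns_gui/* )
}

# theme_drift BASE ARCHIVE: print every file that differs between ARCHIVE and
# the live tree BASE/ns_gui. Returns 0 if identical, 1 on drift, 2 on error.
theme_drift() {
    _tmp=$(mktemp -d) || return 2
    if ! tar -xzf "$2" -C "$_tmp" 2>/dev/null; then
        rm -rf "$_tmp"
        return 2
    fi
    _rc=0
    _out=$(diff -r -q "$_tmp/ns_gui" "$1/ns_gui/" 2>&1) || _rc=$?
    rm -rf "$_tmp"
    # Label the extracted copy so the report does not show the temp path.
    if [ -n "$_out" ]; then
        printf '%s\n' "$_out" | sed "s|$_tmp/|archive:|g"
    fi
    return "$_rc"
}

# Constructed demo: pack a sample tree, then add a logo without repacking.
demo() {
    _d=$(mktemp -d) || return 2
    mkdir -p "$_d/ns_gui/vpn/resources" "$_d/ns_gui/media"
    echo '<String id="Password2">Token ID:</String>' \
        > "$_d/ns_gui/vpn/resources/en.xml"
    build_theme "$_d" "$_d/customtheme.tar.gz" || return 2
    echo 'constructed image data' > "$_d/ns_gui/media/logo_notagline.png"
    _demo_rc=0
    theme_drift "$_d" "$_d/customtheme.tar.gz" || _demo_rc=$?
    rm -rf "$_d"
    return "$_demo_rc"   # 1: the logo is live but missing from the archive
}

# On the appliance, with the paths from this page:
#   theme_drift /netscaler /var/ns_gui_custom/customtheme.tar.gz
```

A return value of 1 right after an edit means the archive still has to be rebuilt; a return value of 1 at any other time means the logon page files changed outside this procedure.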

NetScaler: Using groups membership to Authenticate

When you use NetScaler Gateway 10.x and need to allow remote users access based on their group membership, you can use Active Directory groups. To configure this, create an Active Directory group and set the following settings on the LDAP server within the NetScaler. Go to NetScaler Gateway > Policies > Authentication/Authorization > Authentication > LDAP, open the Servers tab, and edit or create the LDAP server:

Connection Settings:

  • IP address: your Domain Controller
  • Port: 389
  • Base DN: dc=subdomain,dc=domain,dc=nl
  • Administrator Bind: Administrator account

Other Settings:

  • Server Logon Attribute: sAMAccountName/UserPrincipalName
  • Search Filter: memberOf=CN=XenDesktop Remote,OU=Groups,OU=Resources,DC=subdomain,dc=domain,DC=nl
  • Group Attribute: memberOf
  • Sub Attribute Name: CN
  • Security Type: PLAINTEXT

Nested Group Extraction:

  • Maximum Nesting Level: 2
  • Group Name Identifier: sAMAccountName/UserPrincipalName
  • Group Search Attribute: memberOf
  • Group Search Sub-Attribute: CN
  • Group Search Filter: <BLANK>

I hope this helps you.

NetScaler: Allow Password Change

When users need to change their password through the NetScaler Gateway, you can use the option Allow Password Change, which can be set when configuring the LDAP authentication.

The password change option is only allowed when you communicate using LDAPS (port 636) or LDAP-TLS (port 389), and you have to make sure your domain controller also uses LDAPS or LDAP-TLS. I will use LDAPS on port 636.

Before you start, make sure you have a CA in your network and the domain controller has a certificate. Install this certificate on the NetScaler using the following article: http://www.vdnieuwenhof.eu/2013/09/install-iis-certificate-on-citrix-netscaler-10-1/ You can use the root certificate for this; then you don’t need to install the certificates of all the domain controllers.

After you have installed the certificate on the NetScaler, edit the LDAP settings. Go to NetScaler Gateway > Policies > Authentication/Authorization > Authentication > LDAP, open the Servers tab, and edit the LDAP server:

  • IP address: your Domain Controller
  • Port: 636
  • Base DN: dc=subdomain,dc=domain,dc=nl
  • Administrator Bind: Administrator account
  • Server Logon Attribute: sAMAccountName/UserPrincipalName
  • Security Type: SSL
  • Allow Password Change: Checked

I hope this helps.

Install IIS certificate on Citrix Netscaler 10.1

In our test environment I recently used an existing SSL wildcard certificate to make the NetScaler available externally. To accomplish this I needed to export the certificate from an IIS server and import it into the NetScaler. StoreFront 2.0 also advises you to use an SSL certificate, and when you use it you also need this certificate imported into the NetScaler.

Exporting the Certificates

To use the exported files we need to export the certificate twice: once with the private key and once without.

1. Right-click the certificate and select “All Tasks”, then select “Export”. Follow the wizard, choose the option “Yes, export the private key” and continue the wizard. When you don’t get the option to export the private key, then issue a new certificate with the private key export option.

2. When you have received the option to export the private key, you should now get the PKCS #12 (.PFX) options. Uncheck all the options, click “Next”, choose a password and filename, and export the certificate. Choose a filename that looks like the certificate name, because the NetScaler will store the files with the names you choose. Using something like “certificate.pfx” could get confusing over time.

After we exported the certificate for the first time we now need to export it again.