
Netscaler - WI login page not handling expired passwords, in the Network Performance / WAN Optimization forum on BrianMadden.com

Julian Posted: Sat, Oct 18 2008 12:06 AM
Hi All,

I have a problem with authentication on our Netscaler. It talks back to our 2003 AD controllers over LDAPS when a user tries to authenticate on its WI page.
If a user's account has been marked within AD as "user must change password on next logon" then the user is re-directed to a change password screen when they log in.
However if the password just expires 'naturally' then they just see an incorrect user/password message.

I would have thought that these two scenarios would be similar from an LDAP perspective. I've run a packet capture, but am a bit stuck trying to decode the SSL in Wireshark.

Anyone have any pointers, either to the problem as a whole, or as to which certificate/key on the Netscaler I should grab to decode the LDAPS conversation?

Many thanks,
Julian Luton
Top 50 Contributor
Points 3,629
I cannot think of why this would be the case. The only question I have is: are you load balancing, or have you inserted several domain controllers (for failover purposes) into your VServer? All I can think of is that it is load balancing or failing over to a DC that does not have an SLDAP certificate installed on it.

I would recommend calling Citrix about this one, as it seems like the SLDAP may be connecting correctly, so if that is the case, it may be an issue with the build you have on your NetScaler.

In relation to certificates, all your certificates will reside on your domain controllers with only the root installed on your Netscaler. So if you need any certs, you need to get them from the DC.

Sorry I could not be more help.
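Active Directory answers both failed binds described in the question with LDAP result 49 (invalidCredentials) and tells them apart only by a hex sub-code in the diagnostic message: 773 for "user must change password at next logon" and 532 for an expired password. The following is an added example, not part of the original thread: a small classifier for those messages, where the function name, the DSID/version placeholders and the sample strings are constructed for illustration.

```python
import re

# Hex sub-codes Active Directory places in the "data" field of a failed-bind
# diagnostic message (LDAP result 49, invalidCredentials).
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}
# Both of these mean the password itself is acceptable but must be changed.
PASSWORD_CHANGE_CODES = {0x532, 0x773}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_failure(result_code, diagnostic_message):
    """Return (subcode, meaning, needs_password_change) for a failed AD bind."""
    if result_code != 49:
        return None, "not an invalidCredentials result", False
    match = _DATA_RE.search(diagnostic_message or "")
    if match is None:
        return None, "invalidCredentials without an AD sub-code", False
    code = int(match.group(1), 16)
    meaning = AD_BIND_SUBCODES.get(code, "unrecognised sub-code")
    return code, meaning, code in PASSWORD_CHANGE_CODES


# Constructed sample messages; DSID and version fields are placeholders.
_TEMPLATE = ("80090308: LdapErr: DSID-00000000, comment: "
             "AcceptSecurityContext error, data {}, v0000")
SAMPLES = {
    "must change at next logon": _TEMPLATE.format("773"),
    "password expired": _TEMPLATE.format("532"),
    "wrong password": _TEMPLATE.format("52e"),
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        code, meaning, change = classify_bind_failure(49, message)
        print(f"{label}: data {code:x} -> {meaning} (offer change page: {change})")
```
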