Access Gateway Enterprise – Disabling cookies prevents the secondary authentication field displaying


As expected this blog has gone a significant amount of time without update. This is mostly because I’ve not had anything particularly interesting to say.

So yesterday an Access Gateway Enterprise question was posed to me, so I thought I would run through it in case anyone else encounters the same problem. It may not be that interesting.

Issue

A user reported that the secondary authentication field was not displaying when they browsed to the Citrix Access Gateway Enterprise logon page. This particular user was using an iPhone, but this is incidental and the issue would have occurred for any user with the same browser settings.

Although only the first authentication field was displayed, the Access Gateway Enterprise VServer configuration meant users could not log on using just this password, and an access denied error would be displayed if they attempted to log on.

In this example I’ve used Firefox because it has some useful add-ons to further illustrate the issue.

When accessing an Access Gateway Enterprise VServer with two-factor authentication configured (one or more authentication policies bound to the primary and secondary authentication parameters of the VServer), a user should see the following:

If cookies are disabled within Firefox they will see the following – This shows only a single password field.

Uncheck ‘Accept cookies from sites’ and refresh the page


This issue occurs when cookies are disabled because the logon fields are displayed as a result of the login.js script checking a cookie called ‘pwcount’.

This cookie is set with a value of 0 or 2 depending on the authentication policies applied. If only a primary authentication policy is applied, the cookie is set to a value of zero; if both a primary and a secondary policy are applied, the cookie is set to a value of 2. In this example configuration all clients should always require two-factor authentication.

Because of the way login.js works (shown below), if the pwcount cookie value is not set to 2 only the primary authentication field is displayed. There is no error checking here, as it has not been written to cope with the possibility that no cookie has been set at all.

Login.js (line 87 onwards)

function ns_showpwd()
{
    var pwc = ns_getcookie("pwcount");

    document.write('<TR><TD align=right style="padding-right:10px;white-space:nowrap;"><SPAN >' + _("Password"));

    if ( pwc == 2 ) { document.write('&nbsp;1'); }

    document.write(':</SPAN></TD>');

    document.write('<TD colspan=2 style="padding-right:8px;"><input type="Password" title="' + _("Enter password") + '" name="passwd" size="30" maxlength="32" style="width:100%;"></TD></TR>');

    if ( pwc == 2 ) {
        document.write('<TR><TD align=right style="padding-right:10px;white-space:nowrap;"><SPAN >' + _("Password2") + '</SPAN></TD> <TD colspan=2 style="padding-right:8px;"><input type="Password" title="' + _("Enter password") + '" name="passwd1" size="30" maxlength="32" style="width:100%;"></TD></TR>');
    }

    UnsetCookie("pwcount");
}

This means if there is no cookie at all it will also default to only displaying the ‘passwd’ field without the ‘passwd1’ field.

Potentially, to help unsuspecting users get around this issue, a small piece of JavaScript could be written to set a test cookie to a static value, then check whether the test cookie is set, and display a message along the lines of “please enable cookies”.
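The check suggested above, as an added example that is not part of the original post or of Citrix's login.js: it sets a test cookie, reads it back, and treats a missing pwcount as an error instead of falling through to the single-password form. The names ag_cookie_test, readCookie, cookiesEnabled, logonFormState and fakeDocument are hypothetical; in a browser the real document object would be passed in place of the constructed stand-in.

```javascript
// Added example: cookie self-test plus a fail-closed read of 'pwcount'.
// All function names and the 'ag_cookie_test' cookie are hypothetical.

// Read one cookie value from a document-like object, or null if absent.
function readCookie(doc, name) {
  for (const part of doc.cookie.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return decodeURIComponent(v.join('='));
  }
  return null;
}

// Write a throwaway cookie, read it back, then expire it again.
function cookiesEnabled(doc) {
  doc.cookie = 'ag_cookie_test=1; path=/';
  const ok = readCookie(doc, 'ag_cookie_test') === '1';
  doc.cookie = 'ag_cookie_test=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
  return ok;
}

// Decide what the logon page should render; 0 fields means "show the message".
function logonFormState(doc) {
  if (!cookiesEnabled(doc)) return { fields: 0, message: 'Please enable cookies to log on.' };
  const pwc = readCookie(doc, 'pwcount');
  if (pwc === null) return { fields: 0, message: 'Logon settings missing. Reload the page.' };
  return { fields: pwc === '2' ? 2 : 1, message: '' };
}

// Constructed stand-in for document, so the logic can run outside a browser.
function fakeDocument(enabled, initial) {
  const jar = new Map(Object.entries(initial || {}));
  return {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set cookie(str) {
      if (!enabled) return; // cookies disabled: the write is silently dropped
      const [pair, ...attrs] = str.split(';');
      const [k, ...v] = pair.trim().split('=');
      if (attrs.some(a => /expires=Thu, 01 Jan 1970/i.test(a))) jar.delete(k);
      else jar.set(k, v.join('='));
    },
  };
}
```

With cookies disabled, or with pwcount absent, the page would show a message instead of a logon form that is missing the ‘passwd1’ field.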

Not the most interesting post but I’m assuming if you read this far you at least found it of some interest.

About the author

Stu Carroll

Citrix CTA & Director of Enterprise Technologies @ Coffee Cup Solutions

1 Comment

  • Interesting you should be talking about this; I was tinkering with it the other day while looking at how to make a Citrix equivalent of Microsoft’s Remote Desktops MMC based tool. Where are the latest builds? Is there any documentation for it? I wouldn’t be surprised that if we made it available somewhere under a sensible license (assuming we haven’t already) developers would come up with some interesting apps.
