Troubleshooting login problems with Citrix NetScaler Gateway

last updated: April 26 2022

I am currently creating a slide deck for a CUGC event on May 11. It will be about securing Citrix (NetScaler) Gateway. During my work, I wanted to find out what the cookie NSC_VPNERR is good for. After a successful login, its value is set to 3 (Citrix ADC 13.0; it’s not documented).

With most of the current browsers, you have to press F12 to see the communication between the browser and the web server.

NSC_VPNERR cookie explained

In most cases of failed logons, this cookie won’t be there, and that’s for good reason: why should we tell a hacker what’s wrong? We have to turn it on to get more information about logon problems. Change the authentication AAA settings for Citrix Gateway or AAA-Application Traffic and turn on Enable Enhanced Authentication Feedback.

Don’t forget to turn it off after troubleshooting. You don’t need to be over-chatty to hackers!

[Screenshot: troubleshooting authentication problems with Citrix NetScaler Gateway and the AAA feature set: aaa param -enableEnhancedAuthFeedback]

Investigating a bit, I found James Gallagher’s blog. James said that a description of this value can be found in https://your.gateway.local/logon/themes/Default/resources/en.xml. That’s correct from the perspective of a hacker, as long as you don’t use a custom theme. Being the admin, I can find it at /var/netscaler/logon/<name of the theme>/resources/<language>.xml. These are all the documented values:

  • 4001 Incorrect user name or password.
  • 4002 You do not have permission to log on.
  • 4003 Cannot connect to server. Try connecting again in a few minutes.
  • 4004 Cannot connect. Try connecting again.
  • 4005 Cannot connect. Try connecting again.
  • 4006 Incorrect user name.
  • 4007 Incorrect password.
  • 4008 Passwords do not match.
  • 4009 User not found.
  • 4010 You do not have permission to log on at this time.
  • 4011 Your account is disabled.
  • 4012 Your password has expired.
  • 4013 You do not have permission to log on.
  • 4014 Could not change your password.
  • 4015 Your account is temporarily locked.
  • 4016 Could not update your password. The password must meet the length, complexity, and history requirements of the domain.
  • 4017 Unable to process your request.
  • 4018 Your device failed to meet compliance requirements. Please check with your administrator.
  • 4019 Your device is not managed. Please check with your administrator.
  • 4021 Your account has expired.
  • 4027 KB Questions and Answers not registered

Successful login: 3 as well as some more information. This cookie will get sent every time you are able to log on successfully, independent of settings for .
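To confirm that Enhanced Authentication Feedback has been switched off again after troubleshooting, the following added example (not part of the original post and not Citrix code) scans a HAR export from the browser's F12 network tab for NSC_VPNERR values that tell the client why a logon failed. The choice of which documented codes count as revealing, the sample HAR and its URLs are assumptions of this example.

```python
import json
from http.cookies import SimpleCookie

# Documented codes whose message reveals account state. Choosing this
# subset is an assumption of this example, not a Citrix classification.
REVEALING = {
    4006: "Incorrect user name.",
    4007: "Incorrect password.",
    4009: "User not found.",
    4011: "Your account is disabled.",
    4012: "Your password has expired.",
    4015: "Your account is temporarily locked.",
    4021: "Your account has expired.",
}

# Constructed sample in HAR 1.2 layout; URLs and values are made up.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
 {"request": {"url": "https://your.gateway.local/attempt-1"},
  "response": {"headers": [
    {"name": "Set-Cookie", "value": "NSC_VPNERR=4009; Path=/; Secure"}]}},
 {"request": {"url": "https://your.gateway.local/attempt-2"},
  "response": {"headers": [
    {"name": "Content-Type", "value": "text/html"},
    {"name": "set-cookie", "value": "NSC_VPNERR=4001; Path=/; Secure"}]}},
 {"request": {"url": "https://your.gateway.local/attempt-3"},
  "response": {"headers": [
    {"name": "Set-Cookie", "value": "NSC_VPNERR=3; Path=/; Secure"}]}}
]}}
""")

def vpnerr_values(har):
    """Yield (url, code) for each NSC_VPNERR cookie set by a response."""
    for entry in har["log"]["entries"]:
        for header in entry["response"]["headers"]:
            if header["name"].lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(header["value"])
            morsel = jar.get("NSC_VPNERR")
            if morsel is not None and morsel.value.isdigit():
                yield entry["request"]["url"], int(morsel.value)

def audit(har):
    """Return responses whose code tells the client why the logon failed."""
    return [(url, code, REVEALING[code])
            for url, code in vpnerr_values(har) if code in REVEALING]

if __name__ == "__main__":
    for url, code, text in audit(SAMPLE_HAR):
        print(f"{url}: NSC_VPNERR={code} ({text})")
```

An empty result from `audit()` on a capture of deliberately failed test logons indicates the gateway is no longer returning the detailed codes.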

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He was born in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I).
