last updated: April 26 2022
I am currently creating a slide deck for a CUGC event on May 11. It will be about securing Citrix (NetScaler) Gateway. During my work, I wanted to find out what the cookie NSC_VPNERR is good for. After a successful login, its value is set to 3 (Citrix ADC 13.0; it’s not documented).
With most of the current browsers, you have to press F12 to see the communication between the browser and the web server.
In most cases of failed logons, this cookie won’t be there, and for good reason: why should we tell a hacker what’s wrong? To get more information about logon problems, we have to turn it on: change the authentication AAA settings for Citrix Gateway or AAA-Application Traffic and turn on Enable Enhanced Authentication Feedback.
Don’t forget to turn it off after troubleshooting. You don’t need to be over-chatty to hackers!
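On the CLI, the first command turns it on and the second turns it off again:
set aaa parameter -enableEnhancedAuthFeedback YES
set aaa parameter -enableEnhancedAuthFeedback NO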
Investigating a bit, I found James Gallagher’s blog. James said that a description of this value can be found in https://your.gateway.local/logon/themes/Default/resources/en.xml. That’s correct from the perspective of a hacker, as long as you don’t use a custom theme. Being the admin, I can find it at /var/netscaler/logon/<name of the theme>/resources/<language>.xml. These are all the documented values:
- 4001 Incorrect user name or password.
- 4002 You do not have permission to log on.
- 4003 Cannot connect to server. Try connecting again in a few minutes.
- 4004 Cannot connect. Try connecting again.
- 4005 Cannot connect. Try connecting again.
- 4006 Incorrect user name.
- 4007 Incorrect password.
- 4008 Passwords do not match.
- 4009 User not found.
- 4010 You do not have permission to log on at this time.
- 4011 Your account is disabled.
- 4012 Your password has expired.
- 4013 You do not have permission to log on.
- 4014 Could not change your password.
- 4015 Your account is temporarily locked.
- 4016 Could not update your password. The password must meet the length, complexity, and history requirements of the domain.
- 4017 Unable to process your request.
- 4018 Your device failed to meet compliance requirements. Please check with your administrator.
- 4019 Your device is not managed. Please check with your administrator.
- 4021 Your account has expired.
- 4027 KB Questions and Answers not registered
Successful login: 3 as well as some more information. This cookie will get sent every time you are able to log on successfully, independent of settings for .
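
As an added example (not from the original post and not Citrix code): a small Python check that reads the Set-Cookie headers captured from a failed test logon against your own gateway and reports whether NSC_VPNERR still carries a detailed code, which is a sign that Enhanced Authentication Feedback was left on after troubleshooting. The DISCLOSING set, the function names and the sample header are assumptions made for this example.

```python
from http.cookies import SimpleCookie

# Code -> message, copied from the list on this page.
MESSAGES = {
    4001: "Incorrect user name or password.",
    4002: "You do not have permission to log on.",
    4003: "Cannot connect to server. Try connecting again in a few minutes.",
    4004: "Cannot connect. Try connecting again.",
    4005: "Cannot connect. Try connecting again.",
    4006: "Incorrect user name.", 4007: "Incorrect password.",
    4008: "Passwords do not match.", 4009: "User not found.",
    4010: "You do not have permission to log on at this time.",
    4011: "Your account is disabled.", 4012: "Your password has expired.",
    4013: "You do not have permission to log on.",
    4014: "Could not change your password.",
    4015: "Your account is temporarily locked.",
    4016: "Could not update your password. The password must meet the "
          "length, complexity, and history requirements of the domain.",
    4017: "Unable to process your request.",
    4018: "Your device failed to meet compliance requirements. "
          "Please check with your administrator.",
    4019: "Your device is not managed. Please check with your administrator.",
    4021: "Your account has expired.",
    4027: "KB Questions and Answers not registered",
}
# Assumption for this example: codes whose message tells the client whether
# the user name exists or what state the account is in.
DISCLOSING = {4006, 4007, 4009, 4010, 4011, 4012, 4015, 4021}

def vpnerr_code(set_cookie_headers):
    """Return the numeric NSC_VPNERR value, or None if it is absent."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        morsel = jar.get("NSC_VPNERR")
        if morsel is not None and morsel.value.isdigit():
            return int(morsel.value)
    return None

def audit_failed_logon(set_cookie_headers):
    """Classify the Set-Cookie headers of one failed logon response."""
    code = vpnerr_code(set_cookie_headers)
    if code is None:
        return ("ok", "no NSC_VPNERR cookie set")
    if code in DISCLOSING:
        return ("leak", MESSAGES[code])
    return ("review", MESSAGES.get(code, "undocumented code %d" % code))

# Constructed sample header, not captured from a real gateway.
print(audit_failed_logon(["NSC_VPNERR=4009; Path=/; Secure; HttpOnly"]))
```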