NetScaler N-Factor flows discontinued, what now


Citrix has announced that the N-Factor Flow Visualizer will no longer be supported in the NetScaler ADC. I personally liked to design my N-Factor Flows using this visualizer, because it is convenient and hides the complexity of N-Factor. I also recommended that my customers design their multifactor authentication using this flow designer.

However, later versions of NetScaler 14.1 show N-Factor Flows as deprecated. Is this a problem? Yes, it is. But only for my reputation. It’s not a problem for my customers. I’ll explain why.

How N-factor flows made by the Visualizer work

[Screenshot: N-Factor Flows on my NetScaler]

As you see, I currently have one N-Factor Flow, designed using the visualizer. And that’s my flow:

[Screenshot: My N-Factor flow, designed using the deprecated N-Factor Flow Visualizer]

So you see, it has 3 stages:

  • logon_dialogue with a schema prof_domain_dropdown bound.
  • logon2earth, no schema.
  • logon2moon, no schema.

Now, let’s have a look at the policy labels:

That’s odd: No labels, but a total of 3? Doesn’t make sense. But that’s the GUI. The truth can only be found in ns.conf. What’s in it?

We can see, there are 3 policy labels. All have the name I gave them, but followed by two underscores. The first one ends in __root, the other two end in __logon_dialogue.
This is the usual behaviour of the Visualizer. You can simply try it out: create a policy label with the command

    add authentication policylabel testflow__root

and you will see this flow in the GUI, but once again, not the policy label, because it will be hidden.

Let’s rename my existing logon_dialogue__root to logon_dialogue. I do this by opening the existing ns.conf with Notepad++ (or any other editor you like) and replacing all occurrences of the word logon_dialogue__root with logon_dialogue. Then I reboot the NetScaler.

[Screenshot: Moving from Citrix NetScaler N-Factor Visualizer to new N-Factor flows]

As you can see, all three policy labels are now actually visible. The N-Factor Flow has disappeared from the Visualizer. My N-Factor flow is now a normal N-Factor flow, exactly how it would look if I hadn’t made it with the Visualizer! For cosmetic reasons, I could also remove the __logon_dialogue and nobody would be able to see that the flow was originally made with the Visualizer. I think it’s pointless to say that the flow still works!
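The rename described above, together with the optional cosmetic removal of the __logon_dialogue suffix, can be scripted so that only whole object names are replaced and a clash with an existing name is refused. This is an added example, not the author's or Citrix's code; the ns.conf excerpt is constructed, and the policy names, the vserver name and the use of LSCHEMA_INT for the factors without a schema are assumptions.

```python
import re

# Constructed ns.conf excerpt; policy and vserver names are assumptions.
SAMPLE_NS_CONF = """\
add authentication policylabel logon_dialogue__root -loginSchema prof_domain_dropdown
add authentication policylabel logon2earth__logon_dialogue -loginSchema LSCHEMA_INT
add authentication policylabel logon2moon__logon_dialogue -loginSchema LSCHEMA_INT
bind authentication policylabel logon_dialogue__root -policyName pol_ldap -priority 100 -gotoPriorityExpression NEXT -nextFactor logon2earth__logon_dialogue
bind authentication policylabel logon2earth__logon_dialogue -policyName pol_otp -priority 100 -gotoPriorityExpression NEXT -nextFactor logon2moon__logon_dialogue
bind authentication policylabel logon2moon__logon_dialogue -policyName pol_cert -priority 100 -gotoPriorityExpression END
bind authentication vserver aaa_vs -policy pol_start -priority 100 -nextFactor logon_dialogue__root -gotoPriorityExpression NEXT
"""

LABEL_RE = re.compile(r"^add authentication policylabel (\S+)", re.MULTILINE)
ROOT = "__root"


def plan_renames(conf, strip_factor_suffix=True):
    """Map Visualizer-style label names to plain ones; refuse on any clash."""
    labels = LABEL_RE.findall(conf)
    roots = [name[: -len(ROOT)] for name in labels if name.endswith(ROOT)]
    plan = {}
    for name in labels:
        if name.endswith(ROOT):
            plan[name] = name[: -len(ROOT)]  # the rename done in the post
        elif strip_factor_suffix:  # optional cosmetic step
            for root in roots:
                if name.endswith("__" + root):
                    plan[name] = name[: -len("__" + root)]
    existing = set(conf.split())
    new_names = list(plan.values())
    clashes = sorted({n for n in new_names
                      if not n or n in existing or new_names.count(n) > 1})
    if clashes:
        raise ValueError("new name empty or already in use: %s" % clashes)
    return plan


def apply_renames(conf, plan):
    """Replace whole whitespace-delimited tokens only, never substrings."""
    return re.sub(r"\S+", lambda m: plan.get(m.group(), m.group()), conf)


if __name__ == "__main__":
    plan = plan_renames(SAMPLE_NS_CONF)
    for old, new in plan.items():
        print(old, "->", new)
    print(apply_renames(SAMPLE_NS_CONF, plan))
```

Run it against a copy of ns.conf and diff the result before replacing the file and rebooting as described above.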

What Citrix says

https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/multi-factor-nfactor-authentication/nfactor-authentication-simplification.html (source: Citrix NetScaler knowledge base, screenshot taken July 18th 2025)

Now that we know the technical background of the Visualizer, it is not surprising and absolutely credible when Citrix promises to continue to support flows made with the Visualizer. Simply because, apart from the naming of the objects, they do not differ in the slightest from flows made without it.

I would even go one step further: You can continue to use the Visualizer to design your N-Factor Flows with complete peace of mind!

 

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He was born in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I).
