Update 05-04-2021: Changed the loginschema to show the link above login button and changed script.js to match css.
Update 23-12-2021: Removed typo in the login schema, thanks Sander Bierman 😉
You are probably reading this as you found out the hard way that rewriting the logon page (AAA virtual server / authentication profiles) is not working/supported. But you do want that extra line in there 😉 Here’s a little tutorial explaining how to do this.
First you need to know that this only works when using custom login schema’s. So when this is needed on a gateway you need to use the authentication profiles features of the Citrix ADC. When you have this is place and working as expected you can continue.
Open the script.js file from your custom theme (located at /var/netscaler/logon/themes/<custom theme name>/script.js)
Add the following part: (Change the link and text to your own convenience)
// Custom Label Handler for Self Service Links
CTXS.ExtensionAPI.addCustomAuthLabelHandler({
getLabelTypeName: function () { return "nsg-custom-label"; },
getLabelTypeMarkup: function (requirements) {
return $("<label class=\"label plain\">Click <a style=\"text-decoration: underline;color: #0c559a;\" href=\"https://passwordreset.microsoftonline.com\">here</a> to change password.</label>");
},
// Instruction to parse the label as if it was a standard type
parseAsType: function () {
return "plain";
}
});
//Custom Credential Handler for Self Service Links
CTXS.ExtensionAPI.addCustomCredentialHandler({
getCredentialTypeName: function () { return "nsg-custom-cred"; },
getCredentialTypeMarkup: function (requirements) {
return $("<div/>");
},
});
Here a screenshot how it should look:
Now open your custom logon schema you are using within your authentication profile to edit it. It can by found in /flash/nsconfig/loginschema
Add the following line as last requirement: <Requirement><Credential><Type>nsg-custom-cred</Type><ID>passwd</ID></Credential><Label><Type>nsg-custom-label</Type></Label>
Here is an example of the created loginschema:
<?xml version="1.0" encoding="UTF-8"?> <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"> <Status>success</Status> <Result>more-info</Result> <StateContext/> <AuthenticationRequirements> <PostBack>/nf/auth/doAuthentication.do</PostBack> <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack> <CancelButtonText>Cancel</CancelButtonText> <Requirements> <Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>singleauth_user_name</Text><Type>nsg-login-label</Type></Label><Input><AssistiveText></AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement> <Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>singleauth_password</Text><Type>nsg-login-label</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement> <Requirement><Credential><Type>nsg-custom-cred</Type><ID>passwd</ID></Credential><Label><Type>nsg-custom-label</Type></Label></Requirement> <Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>singleauth_log_on</Button></Input></Requirement> </Requirements> </AuthenticationRequirements> </AuthenticateResponse>
Now open your authentication page and you should see the link inserted:
Tested on versions 12.1 and 13
Hi, i used your Blog to get a Link in our Login Page. But when i Use this string in the loginschema (nsg-custom-credpasswdnsg-custom-label) I got this error in my Netscler config GUI: Cannot read property ‘type’ of undefined
Here is my complete schema:
success
more-info
/nf/auth/doAuthentication.do
/nf/auth/doLogoff.do
Cancel
loginExplicitForms-Usernameusernameprefiluserfromexpr_user_namensg-login-labelprefiluserfromexpr_please_supply_either_domain\username_or_user@fully.qualified.domainfalsetrue${http.req.user.name}.+
passwdExplicitForms-Passwordpasswordprefiluserfromexpr_passwordnsg-login-labeltruefalse.+
noneprefiluserfromexpr_second_factornsg_confirmation
saveCredentialssavecredentialsprefiluserfromexpr_remember_my_passwordnsg-login-labelfalse
loginBtnnonenoneprefiluserfromexpr_log_on
Do you Have any Ideas for me?
Hi Tobias,
Use the CLI/WINSCP.
Best regards, Jeroen.
Hi Jeroen,
We are curently on NetScaler NS12.1: Build 62.27.nc and I tried to add the password reset link just as you stated but nothing shows up.
The script.js was empty and I pasted your code there ans changed the URL.
The I added the line in the login schema as second-last requirement. I noticed that it missed a “” at the end but it is in your coding.
Also I noticed that the “” in your code is before the loginBtn requirement. In the original code it was at the end. I played around with that but to no avail.
Could it be a problem with CSS?
Which portal theme are you using? Try the rfwebui.
We use a custom rfwebui
Hi Alex, the best you can do is create a new theme (based in rfwebui) and start from scratch.
We’ll do that, thanks anyway.
I created a custom theme based upon the RfWebUI theme. I entered the part in the first step in /var/netscaler/logon/themes//script.js, but I don’t have a custom logon theme file in /flash/nsconfig/loginschema.
I tried adding the line into /var/netscaler/logon/LogonPoint/LogonUI.html and /flash/nsconfig/loginschema/LoginSchema/SingleAuth.xml, but both didn’t work.
Do you know what I need to do?
Hi Mike, mandatory step is to use authentication profiles.
Thank you for this guide, it was really helpful, without this I would’ve used way more time to figure this out.
Is there a way to center the text under Login button? Not necessary, but would be a nice touch.
Yes that is possible. Just add the center tags ;).
Hi Jeroen, Thanks for the writeup, it’s great. I am trying to to upgrade the netscaler firmware to 13.1. we are on 13 train now. in order to do that i am currently working on 2 pre-requisites.
1. make use of RFWEBGUI theme as X1 is deprecated to be used in 13.1
2. convert basic policies to Advanced policies.
I need some help on number 1. I understand i need to use Nfactor Auth alongwith RFWEBGUI theme to achieve the required outcome. I followed citrix article to configure Nfactor. however i get error “not a privileged user” after login. i think that is because the domain field not specified and the session policy may be looking for domain cookie. I wanted to add the “domain” field (not the domain dropdown but just a domain field like Password e.g.) so users can enter the domain name and login. It looks like i would need to work through the script.js in the logon\custom folder , can you please help me with some tips on the code?
Hi. I have version 13.1 and my custom theme was done in gui and is not the default. I also use the authentication profile. However; all I have under “/flash/nsconfig/loginschema/” is a folder called LoginSchema with a bunch of XML files from 2 years ago. What is going on?
Thanks
I forgot to mention that I have the STANDARD version of the citrix gateway (not enterprise or platinum)…
Hello Jeroen,
thank you for the perfect tutorial. I have one question: is the change in loginschema visible immediately, or the restart of the appliance is required?
Should be shown immediately, but caching can be a PITA 😉
I am getting this error when I try to bind the custom schema.
Cannot read properties of undefined (reading ‘type’)
There is a typo in your schema then.
Hello, Did you ever resolve this issue? I am receiving the same error.
Thank you, this is super useful! We’ve been trying to have similar custom element show up *only* in the “Change Password” view (user tries to login, their password has been expired and they’re forced to change it), but to no avail.. Any special tips and tricks? Thanks again 🙂