When using client certificates – be it stored on a SmartCard or not – as an authentication method for NetScaler modules such as Access Gateway Enterprise or AAATM, the authentication profile allows you to automatically extract the Common Name (CN) and pre-populate the user name field in the login form. It also locks the field so that the user cannot edit it.
While this is a very handy feature, there are customers whose certificates come from a certificate authority other than an internal Active Directory CA, the result being that the Common Name in the certificate does not match the logon name in the Active Directory user account.
Now, you could simply disable this useful feature and have your users enter their user name and password. Not an option, I agree!
So let’s presume you have a common name “firstname.lastname123456” in your certificate, while your Active Directory account user name is “first.lastname654321”. Looks simple, is simple:
Using WinSCP, or directly over SSH if you are a CLI person, open and edit /netscaler/ns_gui/vpn/login.js.
Below line number 67 insert the following line:
Don’t forget that these kinds of customisations are neither supported (though they are easy to revert) nor reboot-persistent. Let me quote parts of http://support.citrix.com/article/CTX126206:
Run the following command to create a directory to store the modified files:
Run the following commands to copy the modified files to the customization directory:
cp /netscaler/ns_gui/vpn/login.js /var/customizations/login.js.mod
If the /nsconfig/rc.netscaler file does not exist, then run the following command to create the file:
Run the following commands to add an entry for each command to the rc.netscaler file:
echo cp /var/customizations/login.js.mod /netscaler/ns_gui/vpn/login.js >> /nsconfig/rc.netscaler
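The persistence steps above can be scripted so that repeated runs do not append duplicate entries to rc.netscaler, and so that you can check after a reboot or upgrade whether the live file still matches the stored copy. This is an added example, not part of the original post or the Citrix article; the function names are hypothetical, and it assumes paths without spaces.

```shell
#!/bin/sh
# Added example (not from the original post or the Citrix article).
# Function names are hypothetical; paths are assumed to contain no spaces.

# persist_customization LIVE_FILE CUSTOM_DIR RC_FILE
# Stores a copy of the modified file and registers a boot-time restore
# command in the rc file, adding the entry only once.
persist_customization() {
    live=$1; custom_dir=$2; rc_file=$3
    mod="$custom_dir/$(basename "$live").mod"
    entry="cp $mod $live"

    [ -f "$live" ] || { echo "missing: $live" >&2; return 1; }

    mkdir -p "$custom_dir" || return 1
    cp "$live" "$mod" || return 1
    # Confirm the stored copy is byte-identical to the edited file.
    cmp -s "$live" "$mod" || { echo "copy mismatch: $mod" >&2; return 1; }

    # Create the rc file if it does not exist yet.
    [ -f "$rc_file" ] || : > "$rc_file"
    # Append the restore command only if that exact line is not present.
    grep -qxF -- "$entry" "$rc_file" || printf '%s\n' "$entry" >> "$rc_file"
}

# customization_in_sync LIVE_FILE CUSTOM_DIR
# Returns 0 when the live file still matches the stored .mod copy, non-zero
# when it has drifted (for example, overwritten by a firmware upgrade) or
# when no stored copy exists.
customization_in_sync() {
    cmp -s "$1" "$2/$(basename "$1").mod"
}

# Usage on the appliance, with the paths from the article:
# persist_customization /netscaler/ns_gui/vpn/login.js \
#     /var/customizations /nsconfig/rc.netscaler
# customization_in_sync /netscaler/ns_gui/vpn/login.js /var/customizations \
#     || echo "login.js no longer matches the stored customization" >&2
```
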