Uncommon Names

When using client certificates – be it stored on a SmartCard or not – as an authentication method for NetScaler modules such as Access Gateway Enterprise or AAATM, the authentication profile allows you to automatically extract the Common Name (CN) and pre-populate the user name field in the login form. Also, it locks the field making it uneditable.

While this is a very handy feature, there are customers whose certificates come from a certificate authority other than an internal Active Directory CA, the result being that the Common Name in the certificate does not match the logon name in the Active Directory user account.

Now, you could simply disable this useful feature and have your users enter their user name and password. Not an option, I agree!

NetScaler uses JavaScript to insert the CN string into the field. JavaScript is quite powerful and what it certainly can do is text manipulation.

So let’s presume you have a common name “firstname.lastname123456″ in your certificate, your Active Directory account user name however is “first.lastname654321″. Looks simple, is simple:

Using WinSCP or if you are a CLI person directly use SSH, open and edit /netscaler/ns_gui/vpn/login.js.

Below line number 67 insert the following line:

That is it! Admitted, this was a simply text transformation. Now that you know where to start, for more complex operations, check out http://www.w3schools.com/js/js_obj_string.asp or any JavaScript tutorial out there.

Don’t forget these kind of customisations are not supported (but they are easy to revert) or reboot-persistent. Let me quote from parts of http://support.citrix.com/article/CTX126206: