Sunday, September 20, 2015

How to Add a Domain Name Drop-Down for NetScaler Gateway 11

You may have a scenario where users might need to authenticate to different authentication servers (LDAP Domain Controllers) based on their domain. This article describes how to add a drop-down menu with domain names on the logon page for NetScaler Gateway version 11, and have the NetScaler send the authentication request to the appropriate server. While Citrix Support Article CTX118657 describes a procedure to add domain names to the NetScaler logon page, the article is targeted for NetScaler firmware version 10.x, and will not work with version 11.
Citrix has actually added built-in support for a domain drop-down in version 11, but it is not quite fully functional. With a little bit of tweaking, however, it can be up and running in no time.
Note: The following modifications are provided as-is, and are not officially supported by Citrix Tech Support. You may be asked to reverse these changes when calling in for support.
CTX118657 contains four sections:
  • Create the drop-down menu with the list of domain names
  • Create a cookie on the user’s computer with the domain selected by the user
  • Create a procedure to ensure that the modifications will survive a reboot
  • Modify the authentication policy to be selected based on the cookie created
In this post, we will deal with the first two sections. Please refer to the support article for the remaining two sections.

Create the drop-down menu with the list of domain names
The first step is to give NetScaler the list of domain names. To do that, open PuTTY session to the NSIP of your NetScaler, and issue the following command:
> set vpn vServer "<AG vServer>" –userDomains Domain1,Domain2,Domain3

Now fire up WinSCP and go to the directory /netscaler/ns_gui/vpn/js.
Make a backup copy of gateway_login_form_view.js, and search for:
The correct cookie name should be userDomains:
At this point, if you saved the file, and refreshed the NetScaler logon screen, you would see the domain drop-down:
You may notice that there are still two issues … while the drop-down is now being displayed (and there is an entry corresponding to each domain), all the entries are blank!
The second issue is more of a cosmetic issue … the screen would look a lot better if the length of the drop-down was the same as the text boxes above it.
To correct the first issue, go back to gateway_login_form_view.js and search for:
The reason that the entries are blank is because the second attribute is incorrect. It should be “text”:
Alternatively, either of the following lines would also work:

var option = '<option value="' + domains[j] + '">' + domains[j] + '</option>';
var option = $("<option></option>").val(domains[j]).html(domains[j]);  
Now save the file and refresh the logon page. We now have our drop-down populated with our domains:
However, we want to stretch the drop-down to match the length of the text boxes above. We can do that by adding cascading style sheet (CSS) overrides for the height and width of the drop-down. There are 3 built-in themes with NetScaler 11 – Default, Greenbubble, and X1, and the overrides are different for each theme.
In WinSCP, browse to each theme directory, /var/netscaler/logon/themes/<theme>/css/, and create a file called custom.css. Insert the appropriate override values for each theme.
For the default theme, insert:
.domain_select {
       width: 176px;
       height: 23px;

For the Greenbubble theme, insert:
.domain_select {
       width: 208px;
       height: 28px;

For the X1 theme, insert:
.domain_select {
      width: 361px;
      height: 42px;

After saving custom.css, our domain drop-down is now aligned with the rest of the input fields:
Default theme
Greenbubble theme

X1 Theme

Now that we’ve completed the drop down, let’s move on to the next section.
Create a cookie on the user’s computer with the domain selected by the user
Fire up WinSCP and make a backup of /netscaler/ns_gui/vpn/login.js.

Add the following JavaScript functions after the first line where indicated above:
 function getCookie(name) {
    // use: getCookie("name");
    var re = new RegExp(name + "=([^;]+)");
    var value = re.exec(document.cookie);
    return (value != null) ? unescape(value[1]) : null;  }

  var today = new Date();
  var expiry = new Date(today.getTime() + 28 * 24 * 3600 * 1000); // +28 days
  var expired = new Date(today.getTime() - 24 * 3600 * 1000); // less 24 hours

  function setCookie(name, value) { 
    // use: setCookie("name", value);
    document.cookie=name + "=" + escape(value) + "; path=/; expires=" + 

  function setDomainCookie(form) {
    setCookie("domainvalue", form.domainvalue.value);
    return true;
Save the file. Now go back to gateway_login_form_view.js (in the js directory).
Look for the line beginning var form = …  At the end of the line, you should see:
Add setDomainCookie(this); right before clean_name_cookie(); (you can optionally also correct the ‘margin’ typo!). This tells the NetScaler to save the user's domain selection before submitting the page.
Save the file.
Now go back to CTX118657, and follow the last 2 sections to complete the modification.