
Forum Discussion

Gilles_LHérault
Sep 25, 2015

Citrix PNAgent password change failure

All right, I'm going to try and keep this short, since it's quite a complicated issue.

We have a VS, called https://citrix.mycompany.com


APM is enabled on it since it handles all our Citrix traffic. One type of traffic is the old legacy PNAgent traffic. It's handled with a branch in the policy that detects the string "PNAMAIN" in the User-Agent of the HTTP message and lets it through without any other intervention: no authentication, no rewrites, just a simple pass-through.

The URL in production is https://citrix.mycompany.com/citrix/pnagent/config.xml, but since we can only troubleshoot in production (don't ask) we created a separate web site for testing at https://citrix.mycompany.com/citrix/pnagentTEST/config.xml

The problem: users can connect and do their thing just fine, but when their password expires, the PNAgent prompts them to change it, and the "here's my new password" message never makes it to the pool members (the Citrix Web Interface).

I say it never makes it, but in truth I don't know. To complicate matters, the VS is SSL incoming and SSL going out to the pool members. Tracing is exceedingly hard since both the pool members and the BIG-IP itself have been up for a while and, as you know, to decrypt a tcpdump you need to capture the initial key exchange, and that happened and was cached long ago. So I don't really know what the message going out of the F5 and into the Web Interface looks like. What I do know is that if I change the URL from https://citrix.mycompany.com/citrix/pnagentTEST/config.xml to https://HOSTNAME.mycompany.com/citrix/pnagentTEST/config.xml (where HOSTNAME is the actual server name of one of the pool members) it works!! Password change is successful!

So that means the config on the Citrix side is OK!

Here’s what a successful exchange looks like:


POST https://HOSTNAME.mycompany.com/citrix/pnagentTEST/change_password.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: C:\PROGRA~1\Citrix\ICACLI~1\PNAMAIN.EXE
Host: HOSTNAME.mycompany.com
Content-Length: 304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: LotsOfStuffhere (but it should not cause a 404, right?!!)


DOMAIN\USERNameAsdf1234Qwer1234


And the response...


HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Length: 189
Content-Type: text/xml; charset=UTF-8
Expires: Mon, 01 Jan 1990 12:00:00 GMT
Server: Microsoft-IIS/7.5
Date: Thu, 17 Sep 2015 17:17:18 GMT


When the same message goes through the https://citrix.mycompany.com/citrix/pnagentTEST/change_password.aspx VS, it gets a 404 response and that’s the end of it!


I don't even have the beginnings of a theory on why and how that can be! The URL is valid, so it should not 404 on me!

Any help will be greatly appreciated!


Cheers!

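An added diagnostic example, not from the post and not F5 or Citrix code: it sends the same PNAgent-style POST to change_password.aspx twice, once with the virtual server's hostname and once with the pool member's hostname in the Host header, so the status codes can be compared side by side. The target here is a constructed local stand-in that answers only for its own hostname; that behaviour is an assumption chosen to show what a Host-dependent 404 looks like, not a diagnosis of the real Web Interface.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH = "/citrix/pnagentTEST/change_password.aspx"          # path from the post
PNAGENT_UA = r"C:\PROGRA~1\Citrix\ICACLI~1\PNAMAIN.EXE"   # User-Agent from the post
BOUND_HOST = "HOSTNAME.mycompany.com"                     # assumed site binding

class _StandInWebInterface(BaseHTTPRequestHandler):
    """Constructed stand-in: serves PATH only when Host matches BOUND_HOST."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)                            # consume the form body
        host = self.headers.get("Host", "").split(":")[0]
        ok = self.path == PATH and host.lower() == BOUND_HOST.lower()
        self.send_response(200 if ok else 404)
        self.send_header("Content-Type", "text/xml; charset=UTF-8")
        self.end_headers()

    def log_message(self, *args):                          # keep the run quiet
        pass

def start_stand_in():
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInWebInterface)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def post_change_password(addr, port, host_header, body=b"user=x&old=y&new=z"):
    """Send the PNAgent-style POST with an explicit Host header; return the status."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    conn.putrequest("POST", PATH, skip_host=True)          # we set Host ourselves
    conn.putheader("Host", host_header)
    conn.putheader("User-Agent", PNAGENT_UA)
    conn.putheader("Content-Type", "application/x-www-form-urlencoded")
    conn.putheader("Content-Length", str(len(body)))
    conn.endheaders(body)
    status = conn.getresponse().status
    conn.close()
    return status

def compare_hosts(addr, port, vs_host="citrix.mycompany.com"):
    """Return {host: status} so a Host-dependent 404 is visible at a glance."""
    return {h: post_change_password(addr, port, h) for h in (vs_host, BOUND_HOST)}

if __name__ == "__main__":
    srv, port = start_stand_in()
    print(compare_hosts("127.0.0.1", port))   # {'citrix.mycompany.com': 404, 'HOSTNAME.mycompany.com': 200}
    srv.shutdown()
```

Pointed at a real pool member instead of the stand-in, the same two calls show whether the Web Interface's answer changes with the Host header alone, which separates a server-side binding problem from anything the VS does to the request.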