Citrix Access Gateway and Changing Passwords

Recently we had two Citrix Access Gateways (CAG) installed, replacing our software based Citrix Secure Gateway (CSG). The CAG is a hardware appliance (here’s the install guide while the CSG is a free software based solution that sits on a Windows box, but isn’t looked favourably upon anymore. Here’s a great article from Dan Brinkmann on that topic:

We ran into an issue where some new users couldn’t log in to the gateway, getting the generic error “Try again or contact your help desk”. Everyone loves a generic error…

Anyway, we worked out that it didn’t like accounts where the password had expired, or set to change at next logon. After setting the option on the CAG to allow users to change their password, it looked like it was fixed. The user was prompted to change their password, but when they tried it bombed out again with the same generic error Try again or contact your help desk”.

Restorting to Google at this stage, as I couldn’t find any logs or errors via the CAG web interface, I found that you need to set up your LDAP as a secure connection for this to actually work (over port 636 not 389). This also requires you to import your internal Root CA to the CAG.

Luckily Citrix doco had this covered, and here are the instructions:

That all worked! So, LDAP over port 389 insecurely will allow authentication only, but for password changes etc you’ll need to use port 636 and use a certificate.