Web Interface,NetScaler
NetScaler 9_3,Web Interface 5_4
This article describes how to allow users to change their password from Web Interface when using NetScaler Gateway and Web Interface. NetScaler Gateway can be configured to allow users to change expired passwords if the user has completed a proper setup.

This article assumes that you are configuring NetScaler Gateway in either ICA Proxy mode or that you have set Web Interface as the homepage.


This article applies to password changes where the user can log on successfully. It cannot be used if "change password on next logon" is selected in the user profile (a common practice when new user accounts are created and the user must change the password after logging on for the first time), unless you disable authentication on the VPN VIP.


  • Ensure that the LDAP server is properly set up for secure LDAP (LDAPS) connections; the setup does not work without them.
  • Download the NGWISSO.zip file from this article.

Caution! This customization affects the XenApp or XenDesktop SmartAccess functionalities of NetScaler Gateway such as:

  • Administrators cannot hide applications externally.

  • Administrators cannot disable or enable any XenApp or XenDesktop policies based on user access from NetScaler Gateway.


Configuring Web Interface Server to Allow Users to Change Password

  1. Create a Web Interface site and specify At Web Interface as a Point of Authentication, as shown in the following screen shot.

  2. Ensure that the Web Interface site launches applications successfully with the XenApp environment.

  3. Download the NGWISSO.zip file from this article.

  4. Extract the contents of NGWISSO.zip file.

  5. Navigate to the folder whose name matches the version of Web Interface installed on the server.

  6. Open the Readme.txt file and complete the instructions available in the file to replace the login file.

  7. Open the Citrix Access Management Console for Web Interface.

  8. Select Configure Authentication Methods from Common Tasks, as shown in the following screen shot:

  9. Ensure that the Explicit option is selected in the Available methods list, as shown in the following screen shot, and then click Properties.

  10. Expand the Explicit node in the Properties dialog box.

  11. Select Authentication Type and then select Settings.

  12. Type the domain information in the Domain list, and select the Pre-populated option.

  13. Select the Hide Domain box radio button.

  14. Click OK.

    Note: Entering multiple domains into the domain list is currently not supported when you select Hide Domain box.

  15. Select Password Settings and configure the required option under Allow users to change password.

  16. Click OK in all the open dialog boxes.

  17. Test the Web Interface site without NetScaler Gateway and ensure that you can log on, start applications, and change the password.

Configuring NetScaler to Allow Users to Change Password

  1. Open the LDAP authentication profile and ensure that the following settings are enabled:

    1. Select Allow Password Change.

    2. Select TLS or SSL. If TLS is selected, use port 389. For SSL, use port 636.
      For more information, refer to Citrix Documentation - Configuring LDAP Authentication.

  2. If everything is set correctly, you are prompted to change the password at the next logon (if required).

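The LDAP profile settings above can be checked offline against a saved configuration. The following is an added example, not part of the original article or Citrix code: it assumes the profile appears in ns.conf as an `add authentication ldapAction` line with the `-secType`, `-serverPort` and `-passwdChange` parameters, and the defaults it applies to missing parameters are assumptions.

```python
import shlex

# Values assumed when a parameter is absent from the line (assumption, verify per build).
DEFAULTS = {"sectype": "PLAINTEXT", "serverport": "389", "passwdchange": "DISABLED"}
# Port the article pairs with each security type.
EXPECTED_PORT = {"TLS": "389", "SSL": "636"}

# Constructed sample configuration; names and addresses are placeholders.
SAMPLE_CONF = """\
add authentication ldapAction ldap_ok -serverIP 192.0.2.10 -serverPort 636 -ldapBase "dc=example,dc=test" -secType SSL -passwdChange ENABLED
add authentication ldapAction ldap_plain -serverIP 192.0.2.10 -ldapBase "dc=example,dc=test" -passwdChange ENABLED
add authentication ldapAction ldap_port -serverIP 192.0.2.10 -serverPort 636 -secType TLS -passwdChange ENABLED
add authentication ldapAction ldap_off -serverIP 192.0.2.10 -serverPort 636 -secType SSL
"""

def parse_ldap_action(line):
    """Return (name, params) for an 'add authentication ldapAction' line, else None."""
    tokens = shlex.split(line)
    if len(tokens) < 4 or [t.lower() for t in tokens[:3]] != ["add", "authentication", "ldapaction"]:
        return None
    params, i = dict(DEFAULTS), 4
    while i < len(tokens):
        key = tokens[i].lstrip("-").lower()
        # A flag followed by another flag (or by nothing) is a bare switch.
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            params[key], i = tokens[i + 1], i + 2
        else:
            params[key], i = True, i + 1
    return tokens[3], params

def audit(conf_text):
    """Return {action_name: [findings]} for every ldapAction line in conf_text."""
    report = {}
    for line in conf_text.splitlines():
        parsed = parse_ldap_action(line.strip())
        if parsed is None:
            continue
        name, p = parsed
        sec, port = str(p["sectype"]).upper(), str(p["serverport"])
        findings = []
        if str(p["passwdchange"]).upper() != "ENABLED":
            findings.append("password change not enabled")
        elif sec not in EXPECTED_PORT:
            findings.append("password change enabled over " + sec)
        if sec in EXPECTED_PORT and port != EXPECTED_PORT[sec]:
            findings.append("%s expects port %s, found %s" % (sec, EXPECTED_PORT[sec], port))
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(name, "->", findings or "OK")
```

An empty findings list means the profile matches the settings in step 1: password change allowed, with TLS on port 389 or SSL on port 636.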

Additional Resources

To support password expiration during authentication, the Bind DN account must also have read access to the PwdLastSet, UserAccountControl, and msDS-User-Account-Control-Computed attributes in the LDAP directory. For more information, refer to CTX108876 - How to Configure LDAP Authentication on NetScaler.

To troubleshoot a failure to change an expired password, refer to CTX114999 - How to Troubleshoot Authentication with aaad.debug.
