To troubleshoot authentication with the aaad.debug module, complete the following procedure:
1. Connect to Citrix ADC (NetScaler) Gateway command line interface with a Secure Shell (SSH) client such as PuTTY.
2. Run the following command to switch to the shell prompt:
    shell
3. Run the following command to change to the /tmp directory:
    cd /tmp
4. Run the following command to start the debugging process:
    cat aaad.debug
5. Perform the authentication process that requires troubleshooting, such as a user logon attempt.
6. Monitor the output of the cat aaad.debug command to interpret and troubleshoot the authentication process.
7. Stop the debugging process by pressing Ctrl+Z.
Run the following command to record the output of aaad.debug to a file:
    cat aaad.debug | tee /var/tmp/<debuglogname>
Where /var/tmp is the required directory path and <debuglogname> is the required log file name.
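A time-boxed variant of the capture above, as an added example that is not from Citrix or the original page: it reads the debug pipe for a fixed number of seconds and writes to a timestamped file that only the owner can read. The function name capture_aaad is hypothetical, and the script assumes /tmp/aaad.debug is a named pipe.

```shell
#!/bin/sh
# Added example (not Citrix code). capture_aaad is a hypothetical helper name.
# Assumption: aaad.debug is a named pipe, so it only yields data while read.

# capture_aaad PIPE OUTDIR SECONDS
# Reads PIPE for at most SECONDS, writes to a timestamped file in OUTDIR
# that only the owner can read, and prints the path of that file.
capture_aaad() {
    pipe=$1 outdir=$2 secs=$3

    [ -p "$pipe" ] || { echo "not a named pipe: $pipe" >&2; return 1; }
    [ -d "$outdir" ] || { echo "no such directory: $outdir" >&2; return 1; }
    case $secs in
        ''|*[!0-9]*) echo "seconds must be a whole number" >&2; return 1 ;;
    esac

    out="$outdir/aaad-$(date +%Y%m%d-%H%M%S).log"

    # Create the file with mode 0600 before any data arrives:
    # authentication debug output can include user names.
    ( umask 077 && : > "$out" ) || return 1

    # Read in the background so the capture window can be enforced.
    cat "$pipe" >> "$out" &
    reader=$!

    sleep "$secs"

    # End the reader if it is still attached to the pipe.
    kill "$reader" 2>/dev/null || true
    wait "$reader" 2>/dev/null || true

    echo "$out"
}

# Usage on the appliance, reproducing the logon during the 60-second window:
#   capture_aaad /tmp/aaad.debug /var/tmp 60
```

Because the file name carries the start time, repeated captures do not overwrite each other and can be matched to the logon attempt being investigated.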
The output usually gives you a pretty good idea of what is going on. In this particular screenshot, I had a user who was trying to use the Citrix ADC change password feature. The output states that the first and second passwords do not match. I later discovered that Citrix ADC doesn’t do a validation check on the passwords, for matching or for complexity, so the user can put in different passwords or a password that doesn’t meet the environment’s complexity requirements and it will simply silently fail.