In this article we are going to configure password change through Citrix Netscaler, which is very handy nowadays that a lot of people work from home and are rarely in the office. The steps are very simple but you should always think what the impact of the change could be before blindy following my screenshots.

First of all, you need a certificate on the Domain Controller(s). Since Microsoft does not allow plaintext password change through port 389, you need a certificate for the SSL Port 636. This can be achieved with an internal Certificate Authority. Check my article here: https://www.ajni.it/2020/08/active-directory-certificate-services-ad-cs-on-windows-server-2019/

There is a quick way with a self signed certificate, but I would recommend using a Certificate Authority.

New-SelfSignedCertificate -DnsName dc01, dc01.ajni.it, dc02, dc02.ajni.it -CertStoreLocation cert:\LocalMachine\My

You can also insert multiple Subject Alternative Names separated by comma, that might include two or more Domain Controllers like in the example above.

Testing can be done with lpd.exe, make sure that the newly generated certificate is also placed in the Trusted Root Certificate Authorities.

In Citrix Netscaler go to Citrix Gateway > Virtual Servers > Select the VIP > Primary Authentication > Select the LDAP Policy:

Edit Server

Select SSL under Security Type and Port 636

Further down, select Allow Password Change.

In Citrix Storefront, make sure Password Change is enabled:

The password reminder can also be enabled.

That’s it. Make sure your NetScaler Config is saved!

References:

https://c4rm0.wordpress.com/netscaler-allow-user-ad-password-changes/

https://anandthearchitect.com/2019/10/10/active-directory-self-signed-certificate-for-ldaps/