Two-factor authentication for Citrix Receiver for Windows

I have deployed F5 APM with two-factor authentication. APM is currently replacing the Web Interface / Storefront servers. Two-factor authentication is confirmed working for the Webtop, Citrix Receiver for Mac, Citrix Receiver for iOS and Citrix Receiver for Android. My issue is that Citrix Receiver for Windows doesn't appear to have the necessary options to select the Logon type of "Security token only" or "Domain and security token" like the Receiver for other OS's do. I suspect that Citrix Receiver for Windows requires some kind of configuration push from the server (which in my case is APM). Has anyone else experienced this issue or have any ideas?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I have not seen standalone Windows Citrix Receiver to be able to leverage two-factor authentication. I just searched again and could not find any Citrix documentation regarding such support or enabling standalone Windows Receiver to work with two-factor. If you have any tidbits indicating otherwise, please share - else, if you desire two-factor authentication, your best bet is to start all sessions from the WebTop.

0

Michael,

It is mentioned in the support documentation here: Receiver for Windows Requirements

It is also confirmed in the comments of this blog post (at the bottom), by the author of the original post: Receiver for Windows 4.0 Released

It is mentioned both places that NetScaler Gateway and StoreFront are required. I am looking for a way to emulate this with F5 APM/LTM and/or iRules.

0

I certainly do fully trust and respect the information provided by Citrix in those articles, but they do not explain how to configure Citrix environment to take advantage of that. If Citrix says it's supported, then they need to provide documentation to their customers on how to enable/configure this option. If you come across such documentation/information, please post it here and we will gladly investigate.

0

Hi Michael

I'll try and dig something up. We currently have two-factor authentication working from the Windows 8 Citrix Receiver client, back to a NetScaler Gateway, with StoreFront.

We are currently working through an evaluation of F5, with APM, etc. - for the purpose of replacing the Citrix solution...

So I can confirm it is possible; I know from the engineer that completed it; it wasn't pretty making it work; but it was possible - I'll see what I can find.

0

I would also be interested in this

0

If you come across config details that were done on StoreFront/Netscaler to make this work, please post them here. I am not able to find any details on how to configure this anywhere. :(

0

Hi Michael

In short; on the Citrix Access Gateway (VPX).

  • Created a Virtual Server...
  • Added Primary Authentication, Windows LDAP
  • Added Secondary Authentication, Radius for Token
  • Added a new policy - WindowsRT_policy
    • Added the expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS WindowsRT
    • Create a new Profile - WindowsRT_profile
    • Network Configuration
      • Not Configured
    • Client Experience
      • Home Page = None
      • Split Tunnel = Off
      • Session Time Out = 30
      • Client Access = Allow
      • Client Access URL Encoding = Obscure
      • Client Access Persistent Co.. = Allow
      • Plug-In Type = Windows/mac OS-X
      • Single Sign on to Web Applications = Ticked
      • Credential Index = Primary
      • Single Sign On with Windows = Unticked
      • Client Clean up prompt = Ticked
    • Security
      • Default Authorization Action = Allow
      • Secure Browse = Ticked
    • Published Application
      • ICA Proxy = On
      • Web Interface Address = https:///Citrix/UnisonWeb
      • Web Interface Portal Mode = Normal
      • Single-Signon Domain =
  • Added new Policy - Ipad_policy
    • Added the expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS ipad
    • Create a new Profile - IPad_profile
    • Network Configuration
      • Not Configured
    • Client Experience
      • All settings as per Windows Profile
    • Security
      • All settings as per Windows Profile
    • Published Application
      • Web Interface Address = https://spctxstore1.unison.co.nz/Citrix/Unison/PNAgent/config.xml
      • All other settings as per Windows Profile

So within the Windows 8 Metro application we are presented with Username, Password and Token fields... the same applies to the iPad.

Ideally it would be over two screens, to allow us to use the F5 token feature...

Hope that helps?

0

Thanks, David. Curious about your Windows 8 Receiver line - did you edit out the hostname from it? It appears that Netscaler is configured to hit StoreFront Web store, not the "native" Store. Is that correct?

If you want to use our OTP/token built-in feature, I would suggest directing the users to access your Citrix environment from the browser first - that way it is VERY easy for us to build a policy that will successfully perform two-factor authentication (especially our own) in stages as you desire. As far as I know, Citrix's native two-factor capabilities with Receiver do not allow for an [easy] integration with one-time tokens that are delivered via SMS/email after supplying the user's account info. Accommodating such behavior is much easier when the user comes in from the browser-based interface first.

0

Hi Michael

Yes I did; and when I edit the post I can see that the site has tried to get tricky, but won't allow me to make changes to my post now... For the purpose of clarity..

Windows RT Policy

  • Web Interface Address = https://[internal storefront]/Citrix/UnisonWeb

Ipad Policy

  • Web Interface Address = https://[internal storefront]/Citrix/Unison/PNAgent/config.xml

The downside to the approach of launching the application from a web interface is:

  • Not as touch friendly as the Citrix Receiver Application
  • Not seamless - as you get prompted for what to do with the .ica file
  • A change for users - ie going from the seamless experience, to something that requires more steps

With the earlier versions of Citrix Receiver for Windows 8 we were required to have a StoreFront server; I don't believe this is the case any more... but I believe it is the StoreFront that does complete the SMS authentication...

So in a totally ideal world - we wouldn't have Citrix at all :) but for application/desktop publishing it is here to stay. Therefore, the next best thing for me would be to be able to get rid of the Citrix StoreFront and Citrix NetScaler devices, and replace them with the F5, utilising the built-in OTP features (as this is another product I can also get rid of).

Thanks David

0
Comments on this Answer
Comment made 09-May-2014 by SamuelB 3
Has anyone made any progress with this? This is still an ongoing issue for me. @Matt - I suspected the same thing, but there doesn't appear to be an easy way to pass the config.xml file to the Receiver, if we even had one to use.
0

Any progress?

0

I am glad you brought this up so that I can share the good news! It's possible to do now with 11.6.0 HF4!

It will get easier when v12.0 is launched in the summer, but until then you can try this when you upgrade to 11.6.0 HF4:

Create a new Variable Assignment action in front of your Logon Page. On the left hand side, specify this variable name: session.citrix.client_auth_type

And on the right hand side, put in this value: expr {"1"}

This should enable the 2-factor prompt.

Also, keep in mind that 11.6.0 HF4 now supports native StoreFront protocol integration - no more legacy mode needed.

0

This is prompting Citrix Receiver for 2FA, but it is failing. Will this work with a RADIUS server / hard token?

0

I am glad that the prompt is working for you! What exactly is failing though? This certainly works - but you need to manipulate things - perform token validation first, then perform primary username/password authentication. Check the main Citrix iApp/Deployment Guide - the token should get set to the password1 session variable... I would recommend running through the iApp to set up 2FA with Citrix (use RSA as an example) - then add this session variable assignment and replace RSA Auth with whatever token auth you're doing (via RADIUS, I assume).

0
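To make the two advice points above concrete (David's NetScaler policy that keys the logon form off the Receiver's User-Agent, and Michael's APM recipe of setting session.citrix.client_auth_type to "1" before the Logon Page and validating the token before the AD password), here is an added Python model of that policy flow. It is not F5, Citrix or the posters' code: the RADIUS and AD back ends are mocks, the only session variable taken from the thread is session.citrix.client_auth_type, and the other variable names (session.logon.last.username, .password, .password1) are assumptions. The token check implements RFC 6238 TOTP so the RADIUS mock validates a real time-based passcode rather than a fixed string.

```python
"""Model of an APM-style two-factor logon flow for Citrix Receiver (illustration only)."""
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code a hardware/software token would display."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MockRadius:
    """Constructed token server: one TOTP seed per user, current time step only."""

    def __init__(self, seeds):
        self.seeds = seeds

    def validate(self, user: str, passcode: str, now: int) -> bool:
        seed = self.seeds.get(user)
        return seed is not None and hmac.compare_digest(totp(seed, now), passcode)


class MockAD:
    """Constructed directory: plain username/password map standing in for an LDAP bind."""

    def __init__(self, accounts):
        self.accounts = accounts

    def bind(self, user: str, password: str) -> bool:
        return self.accounts.get(user) == password


def is_citrix_receiver(user_agent: str) -> bool:
    # The same test David's NetScaler expression applies to the User-Agent header.
    return "CitrixReceiver" in user_agent


def logon_dialog(user_agent: str, token_mode: str) -> dict:
    """Variable Assign placed in front of the Logon Page: choose the form to present.

    token_mode is "rsa" (user holds the token up front) or "sms" (token delivered
    after the username is known). Assumed field names: password = AD password,
    password1 = token, as the thread says the iApp sets password1 to the token.
    """
    session = {}
    if is_citrix_receiver(user_agent):
        session["session.citrix.client_auth_type"] = "1"  # two password fields
        if token_mode == "sms":
            # Limitation from the thread: the two-password dialog cannot serve a
            # token the user does not yet know, and Receiver has no staged prompt.
            return {"session": session, "fields": None, "reason": "sms-otp-unsupported-for-receiver"}
        return {"session": session, "fields": ["username", "password", "password1"], "reason": None}
    # Browser/webtop client: single password now, token collected on a later page.
    return {"session": session, "fields": ["username", "password"], "reason": None}


def run_policy(session: dict, radius: MockRadius, ad: MockAD, now: int) -> str:
    """Token validation first, then primary AD authentication (the order advised above)."""
    user = session["session.logon.last.username"]
    if not radius.validate(user, session["session.logon.last.password1"], now):
        return "deny:token"
    if not ad.bind(user, session["session.logon.last.password"]):
        return "deny:ad"
    return "allow"


# Constructed sample data: RFC 4226/6238 test seed and a fake AD account.
SEED = b"12345678901234567890"
RADIUS = MockRadius({"alice": SEED})
AD = MockAD({"alice": "Winter2014!"})
RECEIVER_UA = "CitrixReceiver/4.0 WindowsRT"


def demo(now: int) -> dict:
    """Run the Receiver flow with a valid, a stale and a wrong-AD-password submission."""
    dialog = logon_dialog(RECEIVER_UA, "rsa")
    base = dict(dialog["session"], **{"session.logon.last.username": "alice"})
    good = dict(base, **{"session.logon.last.password": "Winter2014!",
                         "session.logon.last.password1": totp(SEED, now)})
    stale = dict(good, **{"session.logon.last.password1": totp(SEED, now - 90)})
    bad_ad = dict(good, **{"session.logon.last.password": "wrong"})
    return {"fields": dialog["fields"],
            "good": run_policy(good, RADIUS, AD, now),
            "stale_token": run_policy(stale, RADIUS, AD, now),
            "bad_ad": run_policy(bad_ad, RADIUS, AD, now),
            "sms_dialog": logon_dialog(RECEIVER_UA, "sms")["reason"]}


if __name__ == "__main__":
    print(demo(int(time.time())))
```

The two helper classes are deliberately minimal; the point of the block is the ordering in run_policy and the branch in logon_dialog that returns no usable form for the SMS case, which is the limitation the later posts in this thread describe.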

It is prompting me for the passcode when creating the account, then it is asking me to log into my StoreFront and it fails there.

Is it failing because my passcode is an OTP and by the time I'm authenticating into my StoreFront the OTP has changed?

0

Also, thanks for the quick responses!!!!

0

The above issue is from Windows 7 - Citrix Receiver.

From iPad, it fails when Citrix Receiver is asking for username, password, domain, passcode. I receive: Could not logon. Verify your credentials and network connectivity.

0
Comments on this Answer
Comment made 05-May-2015 by Michael Koyfman 2088
Are you trying to add brand new account to the Receiver? Like I said, you really need to modify the access policy as well to ensure it handles 2-fa authentication. An example of such policy is created by the latest iApp when you select RSA SecurID 2FA integration. Did you look into that?
0

Yes, I just created a new iApp to test with. My web browser is working with 2FA.

0

Interesting....can you please open a case with support on it to investigate and PM me the case number so that I can follow-up on it? Thanks

0

Sent. Thank you, I look forward to hearing from you.

0

Hello, I've followed this post and added the session variable to get the "passcode" form field presented by Citrix Receiver. However I'm using the built-in OTP and would like a challenge-response function as I get when I'm sent to a secondary logon page before OTP verify while using a normal browser; is this possible?

0

Currently, Receiver does not support such behavior. It relies on the user having access to the token prior to starting the login attempt.

0

This is possible through a NetScaler by the use of RADIUS auth with challenge-response like here with SMS Passcode, so where am I missing out? http://www.smspasscode.com/media/1937/netscaler-advanced-guide-for-sms-passcode.pdf

0

Interesting point, Henrik - I was not aware that mobile Receiver supports this type of iterative communication via RADIUS. It's a bit different with APM as it does its own built-in OTP - so we'd need to investigate exactly how the communication happens between NetScaler and Receiver to ensure that APM can do something similar. I would suggest opening a case with support to have it escalated and investigated further.

0

Done, case id: C1847563

0

The 11.6.0 HF5 functionality does not cover:

  1. APM Webtop (StoreFront replacement) deployment
  2. SMS/OTP authentication

What 11.6.0 HF5 enables is ability to display logon dialog with two password fields (for token and AD password) for Windows Receiver client (other clients can be manually configured to display two fields).

When Windows Receiver sees two-password dialog it assumes it is talking to StoreFront, hence limitation (1).

The two-password dialog is not suitable for the SMS/OTP case as the token is not known to the user up front (as it is in the classic RSA+AD case). With the single-password dialog APM does not yet support the SMS/OTP workflow for Receivers, hence limitation (2).

0

Hello, is this feature (With single-password dialog APM does not yet support SMS/OTP workflow for Receivers, hence limitation) available in some newest versions of F5?

I'm currently building an F5 configuration for Citrix StoreFront and we need SMS auth for it. We have some portals with OTP already and we would like to use OTP when a user uses Citrix Receiver to connect to StoreFront via F5.

0
Comments on this Answer
Comment made 30-Mar-2016 by henning_mne 3
I've just visited a customer asking the same question. They would like to use OTP/SMS in combination with Citrix Receiver to replace a Netscaler and SMS Passcode setup. I'm not able to trigger a new prompt asking for passcode/token only from the APM. I would really appreciate an update regarding such a feature.
0
Comment made 16-Dec-2016 by J Hord 0

Any update on this? I too have a customer wanting this integration. It actually works in the sense that the RADIUS triggers and goes through its auth routine. However it appears to be impacting the credentials delivered to StoreFront and it's breaking authentication.

0
Comment made 05-Jan-2017 by André Vieira 0

We also have the same setup: token OTP + AD authentication. I've managed to log in by editing the default access policy as Michael Koyfman said, before the Logon Page (Variable Assign - session.citrix.client_auth_type = expr {"1"}), and instead of doing AD check + token check, I've done the token check first and then AD. Now I'm able to log in in the Citrix Receiver. But now I have the problem that I can see no applications and the message "Connection to the server no possible". Does anyone have an idea?

I've put a print, if someone needs a small guide or wants to see how it looks.

0
Comment made 16-Mar-2017 by The-messenger 359

Any update on this? I am also interested in this and as well, using a Radius server.

I've implemented Duo Security for two-factor on the web side; it works very well and Duo uses a RADIUS server. I need to implement two-factor for the Receiver as well.

0
Comment made 16-Mar-2017 by J Hord 0

It works with the HTML-based interactions with Citrix. It does not work with ICA native traffic. It's a known issue and there's an RFE for it but no confirmed release date.

0