Jump to content
Welcome to our new Citrix community!

Two Factor Authentication issue with Citrix Receiver App

Recommended Posts



We have set up two factor authentication, Radius using SecurEnvoy (Primary) and LDAP (Secondary).


Login in through the web provides a Username, password 1 and Password 2 for the token and this is fine and the passcode token is accepted fine.


However we would like to use the Receiver App, We enrol the user, it pops up asking for Username, password and passcode. Put these in and everything works great.

However you fully log the user off and back on again, it only asks for the username and password. It does not ask for the Radius passcode. Putting in the username and password for LDAP allows the user to log on.


I am completely baffled, I know the policy initially works as it asks for the code to enrol and Secure Envoy sees this in the logs and allows the user to log on.


The Receiver app just doesn't seem to invoke it any further.


Any ideas?

Link to comment
Share on other sites

  • 8 months later...
  • 2 months later...

We've got the same issue on NS11, but the reverse of what the OP is experiencing. We've configured all policies as per: http://support.citrix.com/article/CTX125364, with the addition of a rewrite policy to hide the second password field (https://discussions.citrix.com/topic/369016-netscaler-11-two-factor-authentication/)


When we setup the receiver on an iPhone it logs into the receiver and prompts for the SMS token, so the 1st logon works fine. However, as soon as the user is logged off, the second logon fails. At the second logon the user is prompted for a password and token at the same time, even with the rewrite policy in place. We can also see hits on the rewrite policy but the second password field is still displayed.

Link to comment
Share on other sites

  • 5 weeks later...

We have quite the same problem in our PoC environment with NS 11.1 Build 49.16 nc and XenDesktop 7.11


The login via browser works without a problem, also when I use Citrix Receiver directly and setup the connection for the first time it works as it supposed to do. Means I got the login prompt with username, password (AD) and passcode (RSA pin) and it connects successfully. But when I log off and I try to relogin, I got a different login prompt (namings arent the same like the first time) and the login are reversed. Means now the password 1 has to be the RSA pin and password 2 is the AD-password. But the login works acutally, when I enter the credentials the right way.


I used the article, which are mentioned earlier in this thread -> http://support.citrix.com/article/CTX125364


It gets stranger when I try to login via Receiver on my Android phone. Adding the address of the netscaler server worked without a problem. When I try to login now, a pop-up comes up with the request for my password and below is my AD-account. But the password isnt the AD-password, it wants the RSA-pin. If I enter the RSA pin and the sms token, the cycle spins and I got an error message "could not log in, try again". If I try again, the app doesnt ask for the RSA pin, it directly asks for the SMS token :S 


Is that the normal behaviour of the Android Receiver app?


I also checked the saved account and there is written "savings disabled" where the password should be.


Thanks for any help

Link to comment
Share on other sites

  • 3 months later...
  • 3 years later...

I have something similar issue - in Storefront > GATEWAY > authetication is set to domain+security tokens. It works fine in 1st logon and asks for ldap+rsa token but once i disconnect the desktop and launch desktop again from receiver it doesn't ask for any authentication. any suggestion if anything to so at NS OR SF? once external site is configure account name is showing store name configured on storefront server,

Link to comment
Share on other sites

  • 1 year later...

I know this is an old thread but I have the exact same problem as @Malyaj. @Malyaj Could you solve the problem? @Carl do you have any advice on how I can solve the problem? Thanks in advance


something that I forgot.in the webinterface everything works fine. Only in the WorkspaceApp, the request for username/password comes without token. I have done everything according to the instructions from Carl.(https://www.carlstalhood.com/native-one-time-passwords-otp-citrix-gateway-13/)

Link to comment
Share on other sites

  • 2 months later...

We get exactly the same issue here with the Windows Workspace app, while running a POC.


Initial connection to the NetScaler Virtual Server address results in Username, Password and Password2 boxes (with the AD password required in the second box). Setup works fine and logs in with the MFA code. It correctly fails if code is wrong or approval denied.


Any subsequent logins using that setup only ever prompt with Username and Password and log straight in. Even after completely closing the app and/or rebooting the machine.


Oddly, on an iOS device using the Workspace app, it works as expected, requesting the MFA code each time. Again, AD password in the second box and MFA code in the first.


Web works perfectly every time and all the policy bindings and Credential index for the Receiver/Workspace session policies have all been completed as per Carl's article, including enabling 'Domain and token' on our StoreFronts' Gateway setup.



Link to comment
Share on other sites

So, I've found the issue after a bit of rummaging around.


With our test environment we have one regular Virtual Server for regular username/password access. We now have the additional Virtual Server for username/password/token. So:


They both point to the same StoreFront/Store.


This got me thinking. We obviously had to populate a new NetScaler Gateway in the list on our StoreFront/Store so that it would authorise the new external inbound connections as well as the existing ones. To save any potential risk to existing test users who were not part of the MFA pilot, we set the old/original NetScaler as the 'default' NetScaler on the StoreFront setup.


Next, I went into the Workspace advanced settings and hey presto, saw that the standard option is to connect via the 'Default' gateway, which in our case was the non-MFA gateway. This explains why when initially setting up connection via the MFA gateway address it worked perfectly for the first attempt. Any further login attempts only required username/password because the Workspace app is reverting back to the 'default' Gateway, which in our case is the non-MFA gateway. Manually setting the gateway in Workspace to the MFA version see it work perfectly every time.


When we go live this won't be an issue as we'll revert back to a single gateway but it will make our pilot a bit trickier.


One way to work round this would be to setup a completely new Store on the existing StoreFronts (or even new StoreFront groups, if you're that way inclined) and have your new Virtual Server point to this new store and only have the one gateway configured, then leave your original one alone. It's a lot more effort and documentation to complete though, so we're going to muddle through.


Hope this helps someone!


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...