Jump to content
Welcome to our new Citrix community!

How to hide passcode field on Citrix Receiver when connecting to Netscaler Gateway


Recommended Posts

Hello Team,

 

In our Infrastructure we have 2 factor authentication setup for external users where  LDAP is primary and MFA (Radius) is configured as secondary method. External uses login to first page with their AD credentials and when verified move to next page where they are prompted to enter MFA code (Sent to them in the form of text/SMS). In existing configuration for page 1, we have only two fields (Username and password) showing up and 3rd field is hidden using a rewrite policy/Action.  This is working perfectly fine from browsers perspective. Now we have to apply same solution for users who want to connect to Gateway using Receiver/Workspace app but the issue is during authentication they are seeing 3 fields on first prompt (Username, Password and passcode). We would like to hide this passcode field here too so that they can move to next page for MFA authentication. Any suggestions or advise would be highly appreciated. We are running Netscaler 12.1 with Storefront 18.11. 

Prompt on Receiver.PNG

Link to comment
Share on other sites

Hi Jim, Thanks for reply. I just checked this article but my query is if i go with fix 2, Do i need to create a new rewrite action/policy or can amend to the existing one. We just have information about action there but details about its implementation is missing.

 

Also is there any implications of updating index.html file highlighted in fix 3 like reboots or connection drop. Actually it's our prod setup so i am bit hesitant.

Link to comment
Share on other sites

I am still researching this - really, trying to locate an example in an environment where I have access that closely resembles your specific scenario.

 

Could you provide your policy binding information for this (Primary and Secondary, priorities, and policies bound)?

 

Since this is something that seems fairly common, I was hoping someone else might have chimed in with how they are able to achieve this behavior.

 

Most of the sites I regularly work in or have access to all utilize MFA similar to DUO where once the first factor (LDAP) succeeds, users are either redirected to the DUO MFA screen where they choose their next factor method or are just automatically sent a push notification that needs to be acknowledged in order to proceed.

 

In some of those sites I noticed the same behavior you are asking about and it appears that they just don't advertise the option of using Receiver/Workspace externally to initiate connectivity into their environment from The Internet (making the problem not really a problem that needs addressed).

Link to comment
Share on other sites

Hi Jim,

 

Thanks for your advice. I won't be able to share policy information due to security constraints but i agree with you that configuring Apps via Receiver for external user is not commonly accepted term. Not sure if this is not as per best practice from Citrix but if it can bring any challenges to users (Browser or Apps based) then i have to highlight to our client. Do you have any view on it?

Link to comment
Share on other sites

After having a conversation with a colleague (and rereading the Citrix Support article I originally posted), I believe (and apparently didn't understand) that this behavior you are looking to achieve isn't supported/possible with Receiver through NetScaler Gateway.

 

Quote

Solution

This is a limitation, and you have to use RADIUS server and have authentication on RADIUS be done using Active Directory (LDAP).

 

That would explain why I have never encountered having Receiver connect through a NetScaler Gateway with MFA in the mix in the manner that you are seeking.

 

20 hours ago, Jim Grimm1709160134 said:

Most of the sites I regularly work in or have access to all utilize MFA similar to DUO where once the first factor (LDAP) succeeds, users are either redirected to the DUO MFA screen where they choose their next factor method or are just automatically sent a push notification that needs to be acknowledged in order to proceed.

 

In some of those sites I noticed the same behavior you are asking about and it appears that they just don't advertise the option of using Receiver/Workspace externally to initiate connectivity into their environment from The Internet (making the problem not really a problem that needs addressed).

 

Link to comment
Share on other sites

I believe that limitation is true for Workspace as well as Receiver.

 

The original article I posted is: https://support.citrix.com/article/CTX203775 - Dual Password Field wrongly shows in First Authentication Prompt when connecting to NetScaler Gateway using Receiver

 

The article doesn't explicitly name Workspace as being affected by this limitation, but since it is technically Citrix Receiver on the inside it would still be applicable.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...