Jump to content
Welcome to our new Citrix community!

Netscaler Gateway VPX + Azure MFA NPS Extension + OTP from MS Authenticator App

Recommended Posts

Hi all,


We currently use Receiver for Web for all logins to the XenApp farm - internally and externally - mainly as this provides an easily supported method for company and personal devices. In addition, it allows for Netscaler 2FA for external access and Storefront with no 2FA for internal.  We don't configure Self Service for the Receiver app, or shortcuts. 


We currently authenticate using RSA 2FA using software token based OTP's via Netscaler Gateway VPX's. This works well. The user enters their username, password and passcode (third field) to authenticate. 


We've configured a test environment using Azure MFA and the NPS Extension. This works well for Phone or MS Authenticator app based push notifications. They enter their username and password, and a push notification via the Authenticator App or phone call is generated for 2FA.


What we'd like to do is use the Authenticator OTP code, rather than push or phone call based notifications. We initially thought this would be possible. The user enters their username, password and Authenticator OTP in the passcode field, this is set to the Radius server (NPS Server) and the code is validated. Unfortunately this doesn't work and there isn't too much info out there which absolutely confirms whether it is possible. 


As I understand it, this is possible using NFactor with Netscaler, but we're talking Enterprise licensing for nFactor, which cost wise isn't an option. 


I'm trying to get some sort of confirmation that our understanding is correct - using Netscaler Gateway VPX (no nFactor) and the NPS Extension with Azure MFA - is it only possible to use Phone or push notifications?


The main reason we want to use the Authenticator OTP is it requires the device to be unlocked. Push or phone call notifications can be used without unlocking the device. Microsoft have confirmed this is by design, in that the 2FA is the device itself, not an unlocked device - but we still think this is insufficient - ultimately they could make it configurable that the device is unlocked - but they choose not too. 


In addition, using the OTP Authenticator App provides a similar experience to RSA. 




Link to comment
Share on other sites

  • 1 month later...



What we found was that the OTP option via the MS Authenticator App does work - but it needs to be set as the default option for the user authenticating. Once set, when the user logs on, they enter their username and password, then click Log On - this takes the user to a second screen which requests they enter their Microsoft Authenticator OTP code. The NS will respond according to what verification option the user has selected. 


As a side note, when you do setup the secondary Radius authentication method within the vServer you do need a rewrite policy to remove the "passcode" field on the main login page.


Also, if you want to enforce the OTP authenticator code method for users when logging on then you need to disable ALL "verification options" except the Authenticator token. If you allow Push or Phone call based notifications and during MFA registration the user selects this as their default option, then the Netscaler will respond accordingly, waiting for push notification acceptance or phone call approval.


Relatively disappointed with Azure MFA - it's not quite Enterprise ready. With MFA Server now depreciated there is a gap between what MFA Server offered and what Azure MFA offers. So a backward step I suspect before step forward. 


One missing option is that there is no method via Azure MFA when using the NPS Extension which allows you to allow one-time login exclusions for say users who have lost their phone. Of course you could use nFactor and configure it so that a user temporarily placed in a specific group would not be required to provide a secondary authentication method - but then we're talking Enterprise licensing.


There's a bit to go before Azure MFA ticks all the boxes - but I suspect for many it's a step up - so comparatively speaking it enhances their login security versus those who have been doing this for some time. 




Link to comment
Share on other sites

  • 9 months later...

Hi iainnz! how are you?


Could you please share with me, what´s type authentications did you set up on you netscaler to get this work 

with NPS Azure extension (onPrem MFA)? We already have NPS server installed and working. 

Actualy, we have Symantec VIP act as RADIUS server (onPrem), deliverying Apps to external users. We have 4 policies (LDAP + Radius). 2 Non-Mobile and 2 Mobile

Now, we want move to Azure.


I´ve trying with no success to make all this things work. 


If you could help us, will be great. Thanks




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...