
SMART card authentication with Netscaler and SF - Need to avoid 2nd PIN prompt at application launch

Smrutimaya Mohanty


I have NS - and SF 3.12

NS setup -

1. vserver-sc -

2. vserver-callback

3. vserver-ICAonly

  • NO authentication, STAs are added, certificate added and no other configuration done.


SF setup - 

Netscaler gateway URL - https://lab-sc.abc.com

Usage Role - Auth and HDX routing

STA - As configured on the vserver-sc gateway.

Auth Settings - 

  • vserver IP - Didn't configure
  • Logon Type - Smart card
  • call back - https://lab-callback.abc.com


With this setup application launch works as expected, but users are getting 2 PIN Prompts. One at the Netscaler logon and 2nd - before the app launch.

I want to avoid the 2nd pin prompt. I can't figure out how to use the vserver-ICAonly in the SF configuration.

What are the steps I need to take? I have gone through multiple documents and Citrix blogs, but none of them were clear on the SF steps.


There are instructions to use same IP with different port number other than 443 for the ICAOnly vserver. Can we continue to use 443 and with a different IP? If yes how?

Any advice and assistance are most welcome.





Link to comment
Share on other sites

  • 4 months later...

I believe we're having a similar problem with Smart Card authentication in our environment.

Did you find a resolution?


We have a similar setup and have seen where people set up your third line item, but we don't have "3. vserver-ICAonly".

The extra pin prompt just started in Q4 of 2019 on Windows endpoints and Apple endpoints get an odd error that Citrix support has not had any luck in helping us resolve.


Link to comment
Share on other sites

As long as we have set CERT auth as mandatory, the users would get an additional PIN prompt. That's why I had to create the ICAOnly vServer. I could use the vserver-ICAOnly with port 443, and on the SF use the vserver-ICAonly CAG's URL instead of the actual CAG URL.


There is another option if nFactor is used: through nFactor, you can offload the authentication to the AAA vServer. In nFactor, you can just force users to have cert authentication based on policy expressions. No need to set cert auth as mandatory on the CAG.

Link to comment
Share on other sites

Hi, did you see the following? (Lower section)



on the vserver-sc

 - disable mandatory SSL auth

 - add a CERT auth policy instead

 - allow SSL renegotiation (even though I would prefer the NONSECURE setting instead of NO as described in the article)


...that way the smart-card is only validated during authentication, not with every SSL handshake (i.e. ICA Session start, which causes the second prompt)




Another way is the described attempt of using a separate vserver-ICAonly.

You have to set this one up in Storefront as additional gateway and force sessions through it through "Optimal HDX Routing" (under Store-settings).

Link to comment
Share on other sites

https://support.citrix.com/article/CTX138304  - have a look at it, if we are using cert auth. Please refer to the table on the bottom of the document. I have highlighted it on the attached screenshot.

So it says that if CERT Auth is optional, the handshake would be successful even if you have a revoked certificate or a missing CRL.

And I don't know if this behavior matrix would be applicable if we disable the cert auth completely, instead of setting it to optional.



Cert Auth Matrix.jpg

Link to comment
Share on other sites
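The settings discussed in the replies above (mandatory versus optional client certificate, a bound CERT auth policy, the SSL renegotiation setting) can be checked against a saved NetScaler configuration. This is an added example, not part of any post in this thread; the ns.conf excerpt is constructed, and vserver-sc-new, cert_pol, cert_act and the addresses are hypothetical.

```python
import shlex

# Constructed ns.conf excerpt: vserver-sc and vserver-ICAonly are named as in the
# thread; vserver-sc-new, cert_pol, cert_act and the addresses are hypothetical.
SAMPLE_NS_CONF = """\
set ssl parameter -denySSLReneg NO
add authentication certAction cert_act -userNameField SubjectAltName:PrincipalName
add authentication certPolicy cert_pol ns_true cert_act
add vpn vserver vserver-sc SSL 192.0.2.10 443
add vpn vserver vserver-sc-new SSL 192.0.2.11 443
add vpn vserver vserver-ICAonly SSL 192.0.2.12 443 -icaOnly ON
bind vpn vserver vserver-sc-new -policy cert_pol -priority 100
set ssl vserver vserver-sc -clientAuth ENABLED -clientCert Mandatory
set ssl vserver vserver-sc-new -clientAuth ENABLED -clientCert Optional
"""

def _opts(tok):
    """Map the '-name value' pairs of one tokenized config line."""
    return {t[1:]: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}

def audit(conf_text):
    """Return sorted (scope, finding) tuples for client-certificate settings."""
    reneg, cert_policies, vs = None, set(), {}
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        head, o = tok[:3], _opts(tok)
        if head == ["set", "ssl", "parameter"]:
            reneg = o.get("denySSLReneg", reneg)
        elif head == ["add", "authentication", "certPolicy"]:
            cert_policies.add(tok[3])
        elif head == ["add", "vpn", "vserver"]:
            vs[tok[3]] = {"mode": None, "ica_only": o.get("icaOnly") == "ON", "cert_policy": False}
        elif head == ["bind", "vpn", "vserver"] and tok[3] in vs:
            vs[tok[3]]["cert_policy"] |= o.get("policy") in cert_policies
        elif head == ["set", "ssl", "vserver"] and tok[3] in vs:
            if o.get("clientAuth") == "ENABLED":
                vs[tok[3]]["mode"] = o.get("clientCert")
    out = []
    if reneg == "NO":  # NO also permits insecure renegotiation; the thread prefers NONSECURE
        out.append(("global", "insecure-renegotiation-allowed"))
    for name, v in vs.items():
        if v["ica_only"]:
            continue  # the ICA-only gateway in the thread has no authentication by design
        if v["mode"] == "Mandatory":  # certificate wanted at every handshake, incl. ICA start
            out.append((name, "cert-required-on-every-handshake"))
        elif not v["cert_policy"]:  # neither handshake nor policy validates a certificate
            out.append((name, "no-certificate-check"))
        elif v["mode"] == "Optional":  # thread's reading of CTX138304: revoked cert still handshakes
            out.append((name, "check-revocation-handling"))
    return sorted(out)
```
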

We eliminated the extra cert/pin WFICA32 prompt today by configuring optimal NetScaler Gateway routing for a store.  This ended up being a rabbit hole we went down and it resolved it. Our STA URLs were no longer set. We don't know why or when our STA URLs disappeared, it may have been when we updated Storefront last. Users never reported the problem, our team only noticed it over the holidays because we got to work remotely for a few days and the ticket we opened hasn't been resolved.


Log into your StoreFront and open a PowerShell prompt.

type: & "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"



When it asks for SiteID, it's the IISSiteID,  IISSiteID is probably 1 

ResourcesVirtualPath is   /Citrix/YourStoreFrontName


If you return no StaURLs, you might be having the same problem we were.



Source:   https://www.smali.net/configure-optimal-netscaler-gateway-routing-for-a-store-storefront-3-x/


Change your PowerShell Execution policy to unrestricted

Set-ExecutionPolicy unrestricted


Cut and paste the text below into a powershell script and run it on your Storefront. Change the variables to match your environment. The STA Servers were our Delivery Controllers and we used their names, not IP addresses. Gateway name was "ICAProxyGateway". GatewayHostname was the address to our CallBack Server (callbackname.domain:443) and VirtualPath was /Citrix/StoreFrontName


# Load the StoreFront PowerShell modules
& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

# STA servers, gateway and store: change these to match your environment
$STAUrls = "http://ip-to-sta-server-01/scripts/ctxsta.dll","http://ip-to-sta-server-02/scripts/ctxsta.dll"

$GatewayName = "Gateway name"
$GatewayHostNames = "FQDN of Gateway name"
$IISSiteID = 1
$VirtualPath = "/Citrix/Store"

# Collect the names of all farms configured for the store
[string[]] $FarmNames = @()
$FarmSet = Get-DSFarmSets -IISSiteId $IISSiteID -VirtualPath $VirtualPath
foreach ($farm in $FarmSet.Farms) { $FarmNames += $farm.FarmName }

# Route HDX sessions for those farms through the named gateway
Set-DSOptimalGatewayForFarms -SiteId $IISSiteID -ResourcesVirtualPath $VirtualPath -GatewayName $GatewayName -Hostnames $GatewayHostNames -StaUrls $STAUrls -StasUseLoadBalancing:$false -StasBypassDuration 00.02:00:00 -EnableSessionReliability:$true -UseTwoTickets:$true -EnabledOnDirectAccess:$true -Farms $FarmNames




