
How can I MFA the Citrix.com account which contains critical information?

Eddie Santana


3 answers to this question

On 11/26/2019 at 5:16 PM, Eddie Santana said:

How can I MFA my Citrix Account -  https://www.citrix.com/account ?


This has critical information not to mention it can be used to access Citrix Cloud infrastructure so it needs to be secured. 



Setup is very simple, let’s dive into it:
1. When you log into your Citrix Cloud console now, you will see a notification about the Active Directory + Token option like this:
2. When you go to Identity and Access Management, you will see it as an available option to turn on
3. Click on the ellipsis (3 dots) next to Not Configured and click Connect:
4. If you already have Cloud Connectors installed, the Connect to Active Directory portion will have a green check mark like this already. You will notice that in the second step it says “Single Device Enabled – Workspace subscribers may enroll one device”. Just hit Save and Finish.
5. At this point, you will see a green banner saying “Active Directory + Token was successfully enabled” and there will be a green Enabled dot next to the option.
6. Now you need to enable it for use on your Workspace. Go to Workspace Configuration:
7. I have been using Azure Active Directory. You should now see an option called Active Directory + Token here. Go ahead and click on it:
8. Check the disclaimer and hit Confirm:
9. Now you should see it has been selected and is green:
10. It will take about 2-3 minutes for Workspace to re-configure itself. If users attempt to hit Workspace during this authentication change time they will get a message saying “You cannot log on at this time”. For this reason, I suggest making this change at a time when user traffic for new launches is low (like around lunch time).

You may also see a message like this saying “Cannot complete your request” during this waiting period if you keep refreshing. It is in the process of reconfiguring the authentication method, so just keep waiting a little bit longer:
11. After those few minutes the new login screen will look like this. There will be a field for them to enter their Password Token as well as a “Don’t have a token?” link for them to onboard themselves. Note, users can also use this link to re-enroll later if they buy a new device and I have tested this capability successfully already using another device:
12. After clicking the onboarding link, I am asked to enter my user name from AD or my company email address so I can get a registration link via email:
Note, the user cannot just enter a random email address here. It must be the one set in Active Directory for that user. For example, if you type in a Gmail account here you will be presented with this message saying “User not found”:
13. The user will get an email like this to “Complete Your Device Registration” as the subject line will say. The verification code is only valid for 24 hours. At this time I have noticed that the email has a default Workspace logo along the top but as this feature goes GA (generally available) I suspect the email will follow your company’s Workspace branding settings. Go ahead and copy the verification code from the email:
15. Go ahead and copy and paste the verification code and enter your password:
16. On the next screen, your users will be asked to scan the QR code shown on the screen with their phone. They can use the Citrix SSO app, Microsoft Authenticator, Google Authenticator, Okta Verify, Authy, etc. here since they all follow the same RFC for TOTP. There is no benefit in using the Citrix SSO app over the others right now. There is no push authentication mechanism capability so there is nothing proprietary with this solution that is locking you into the Citrix SSO app. You can tell your users to use whichever authenticator app your company recommends.

  • Like 1
Link to comment
