
Citrix N-factor Authentication (2FA, OTP) via Citrix Workspace app?


Hi, can someone point me in the right direction of how to get the Citrix Workspace app to prompt for OTP codes every single time a user logs on to the Citrix Workspace App internally?


I have Citrix ADC Netscaler 13.0 (build 52.24nc) with Storefront environment. 


Citrix N-Factor authentication is set up using OTP and working fine, so when a user goes to the Citrix site URL through the Web or via the Citrix Workspace app (internal & external), it displays the below 3 fields




Once the user enters their credentials, they can log on and see and load their application fine, but specifically when going through the Citrix Workspace App internally, all subsequent logins just do single-factor authentication and don't prompt for the OTP code; the users just see the below fields




I would like the Citrix Workspace App, when being accessed internally, to prompt for OTP codes every time the user launches the Citrix Workspace App, not just the username/password. How could I achieve this?



Any help is greatly appreciated.


Stay Safe!



  • 4 weeks later...

Notes on Citrix ADC Configuration Objects for OTP

Here are some notes on the Citrix ADC OTP configuration objects. Detailed instructions are provided later.

Make sure NTP is configured on the Citrix ADC. Accurate time is required.

AAA vServer – nFactor requires a AAA vServer, which can be non-addressable. You don’t need any additional public IP for OTP.

An Authentication Profile links the AAA vServer to the Citrix Gateway vServer.

Citrix Cloud – For Push notifications, create a Citrix Cloud account. No Citrix Cloud licensing needed. Citrix ADC uses Cloud API credentials to authenticate with Citrix Cloud.

NSC_TASS cookie – To access the manageotp web page, users add /manageotp to the end of the Gateway URL. Citrix ADC puts this URL path into a cookie called NSC_TASS. You can use this cookie and its value in policy expressions for determining which Login Schema is shown to the user.

Login Schema for manageotp – The built-in Login Schema file named SingleAuthManageOTP.xml has hidden fields that enable the manageotp web page. If the Login Schema Policy expression permits the SingleAuthManageOTP.xml Login Schema to be shown to the user, then after authentication the user will be taken to the manageotp web page.

LDAP authentication is expected to be bound to the same factor as this SingleAuthManageOTP login schema.

The next factor is a LDAP Policy/Server with authentication disabled (unchecked) but with arguments specifying the Active Directory attribute for the OTP Secret and Push Service configuration.

Login Schema for OTP authentication – The built-in Login Schema file named DualAuthPushOrOTP.xml performs the two-factor authentication utilizing the push service. There’s a checkbox that lets users choose Passcode instead of Push. This login schema has a Credential called otppush.

If you prefer to not use Push, then you can use a normal DualAuth.xml Login Schema file since for passcode authentication there are no special Login Schema requirements other than collecting two password fields.

Both methods expect an authenticating LDAP Policy/Server to be bound to the same Factor as the Login Schema.

The next factor should be a non-authenticating LDAP Policy/Server that optionally has the Push Service defined and must have the OTP Secret attribute defined.

Single Sign-on to StoreFront – The OTP dual authentication Login Schema essentially collects two passwords (AD password plus push, or AD password plus passcode). Later, Citrix Gateway needs to use the AD password to perform Single Sign-on to StoreFront. To ensure the AD password is used instead of the OTP passcode, configure the OTP dual authentication Login Schema to store the AD password in a AAA attribute and then use a Citrix Gateway Traffic Policy/Profile to utilize the AAA attribute during Single Sign-on to StoreFront.

nFactor Visualizer – Citrix ADC 13 has an nFactor Visualizer to simplify the OTP configuration. Or you can manually create the LDAP Policies/Actions, the Login Schema Policies/Profiles, the PolicyLabels, and then bind them to a AAA vServer.


Citrix Virtual Apps and Desktops enterprise skill development program https://www.netcomlearning.com/products/56/citrix-virtual-apps.html
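
The objects listed in the notes above, wired together as a passcode-only (no Push) configuration in Citrix ADC CLI. This is an added example, not part of either post and not Citrix's own configuration. Every object name, IP address, DN, the `<...>` placeholders and the choice of `userParameters` as the OTP Secret attribute are assumptions to replace with your own values.

```text
# Added example. Names, IPs, DNs and <placeholders> are assumed values.
# Accurate time is required for OTP validation.
add ntp server 192.0.2.10
enable ntp sync

# Authenticating LDAP action, bound to the same factor as the login schema.
add authentication ldapAction ldap_auth -serverIP 192.0.2.20 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn svc_adc@example.com -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName
# Non-authenticating LDAP action that names the AD attribute holding the OTP secret.
add authentication ldapAction ldap_otp -serverIP 192.0.2.20 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn svc_adc@example.com -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -authentication DISABLED -OTPSecret userParameters

# The manageotp flow is selected by the NSC_TASS cookie; everything else is a normal logon.
add authentication Policy pol_ldap_manage -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action ldap_auth
add authentication Policy pol_ldap_login -rule true -action ldap_auth
add authentication Policy pol_otp -rule true -action ldap_otp

# Login schemas: manageotp page, and two password fields for logon.
# passwordCredentialIndex 1 stores the AD password in AAA attribute 1 for later SSO.
add authentication loginSchema ls_manage -authenticationSchema "LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchema ls_dual -authenticationSchema "LoginSchema/DualAuth.xml" -passwordCredentialIndex 1
add authentication loginSchemaPolicy lsp_manage -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action ls_manage
add authentication loginSchemaPolicy lsp_dual -rule true -action ls_dual

# Next factors (no extra form shown): OTP registration and OTP verification.
add authentication policylabel pl_otp_manage -loginSchema LSCHEMA_INT
bind authentication policylabel pl_otp_manage -policyName pol_otp -priority 100 -gotoPriorityExpression NEXT
add authentication policylabel pl_otp_verify -loginSchema LSCHEMA_INT
bind authentication policylabel pl_otp_verify -policyName pol_otp -priority 100 -gotoPriorityExpression NEXT

# Non-addressable AAA vServer (no extra public IP), linked to the Gateway by an Authentication Profile.
add authentication vserver aaa_otp SSL 0.0.0.0
bind ssl vserver aaa_otp -certkeyName <cert-key-name>
bind authentication vserver aaa_otp -policy lsp_manage -priority 10 -gotoPriorityExpression END
bind authentication vserver aaa_otp -policy lsp_dual -priority 20 -gotoPriorityExpression END
bind authentication vserver aaa_otp -policy pol_ldap_manage -priority 10 -nextFactor pl_otp_manage -gotoPriorityExpression NEXT
bind authentication vserver aaa_otp -policy pol_ldap_login -priority 20 -nextFactor pl_otp_verify -gotoPriorityExpression NEXT
add authentication authnProfile prof_otp -authnVsName aaa_otp
set vpn vserver <gateway-vserver> -authnProfile prof_otp

# Single Sign-on to StoreFront uses the stored AD password, not the OTP passcode.
add vpn trafficAction ta_sso http -SSO ON -passwdExpr "AAA.USER.ATTRIBUTE(1)"
add vpn trafficPolicy tp_sso true ta_sso
bind vpn vserver <gateway-vserver> -policy tp_sso -priority 100
```

After applying it, `show authentication vserver aaa_otp` and `show ntp status` confirm the bindings and time sync before testing a logon.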

