
Certificate based client auth




I am trying to configure cert based client auth on the ADC. We have a setup with SSL intercept where the NetScaler hosts the certificate and terminates SSL. Then the back end of the connection is also encrypted at the service group level. So far I have not had much success in getting this to work and most documentation is ambiguous on this topic. Has anyone had success with this kind of configuration and could kindly share the steps required to get this working?


Thanks in Advance


Hi Amehta,

Did you get an answer to this query?

I am facing the same issue, where a customer is requesting us to use client based certificate authentication for a gateway and pass this authentication along to Storefront and eventually to the VDI/VDAs.

We were able to find good documentation online, but incomplete, as you well pointed out.

We have managed to get the gateway to authenticate users based on their certificate installed on their computers, however, we cannot launch applications or VDIs out of the Storefront Store.

Documentation that was followed was: https://www.citrix.com/blogs/2014/02/06/cacpivsipr-token-with-netscaler-gateway-and-storefront/ as well as a couple of articles found at Citrix.com

None of them are comprehensive enough to direct us towards making adjustments to things like: making authentication adjustments to the VDAs themselves. Is there a need to install Smartcard drivers onto the VDAs in order to make it work properly?

Has anyone managed to deploy and use this technology yet?





If you are doing client cert based authentication via the gateway (vpn vserver) or authentication vserver, then

1) Bind SSL cert for the vserver FQDN's server cert (this is the cert of the vserver that the client directs traffic to)

2) Bind the SSL Root cert for the issuer of the client cert as a root cert on the vserver, so it can trust the issuer of the client cert

3) Under SSL Parameters (or using an SSL Profile), turn on client certificate authentication as either OPTIONAL or MANDATORY depending on need (whether cert is always presented or not)

4) Then create a client_cert authentication policy and bind to the vpn vserver or authentication vserver. If Two-Factor Authentication is on, then you will need an LDAP policy to handle the corresponding username/password prompt in addition to the cert. If Two-Factor is OFF in the client_cert profile, then the cert alone is needed.


If this is for LB traffic, usually authentication is done by integrating the LB vserver with an authentication vserver or by placing the lb vserver BEHIND the vpn vserver, letting the authentication vserver or vpn vserver do the authentication and authorization control.


https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/authentication-virtual-server.html (info on authentication vservers)

https://docs.citrix.com/en-us/netscaler-gateway/12/authentication-authorization/configure-client-cert-authentication.html (with gateway vservers)




Tteodor, No I have not been successful so far.




We have done the steps as you outlined above:

1) done

2) done, does this also require the intermediary cert to be installed in addition to the root cert?

3) done

4) done


No luck so far

add vpn vserver vs-certpassthru SSL 443

set ssl vserver vs-certpassthru -clientAuth ENABLED -clientCert optional

bind lb vserver vs-certpassthru -policy local
bind lb vserver vs-certpassthru -policy cert
bind ssl vserver vs-certpassthru -certkeyName mycertKey
bind ssl vserver vs-certpassthru -certkeyName mycertKey -CA -ocspCheck Optional

add ssl action act-certpassthru -clientCert ENABLED -certHeader CLIENT-CERT
add ssl policy pol-certpassthru -rule true -action act-certpassthru

bind ssl vserver vs-certpassthru -policyName pol-certpassthru -priority 10




First, what is and isn't working during the authentication?  Details will help understand the underlying problem.

Here are some of the considerations:

Are you configuring client cert authentication for a gateway vpn in full vpn or ica proxy config?  

Do you need the gateway to do the authentication ONLY or pass the authentication through to the LB vserver

If gateway and lb vserver, does gateway process the client cert but lb fail, or does auth fail at gateway?

Or do you want it on the lb vserver alone without gateway or AAA?

Is your client cert based on a client cert presentation only or on client cert + ldap password?


Now for a few comments based on your post:


2 hours ago, Anukool mehta said:

2) done, does this also require the intermediary cert to be installed in addition to the root cert?


Break this down into two parts:  1) cert requirements for the server cert issued to the vserver (in this case vpn and/or lb vserver for SSL) and then 2) cert requirements for the client cert.


For the server cert issued to the vpn vserver and/or the lb vserver:

  • You must have a cert issued by a trusted CA to the gateway FQDN (or appropriate wildcard). This cert should be bound as a "server" cert to the vpn vserver.  (whether Domain/internal CA or public CA depends on your needs..)
  • Similarly if you are connecting to the lb vserver over SSL as well, then it may also need a server cert issued to the lb vserver's FQDN
  • Clients will need to have an appropriate Root Cert (or other) installed to trust the server cert in use.
  • If you need to demonstrate a proper certificate chain such as server cert (1) issued by intermediate CA (2) issued by intermediate CA (3) issued by root (4) etc., and the client has the appropriate ROOT cert installed (numbers just to clarify references in example), then you would want to import the intermediate CA (2) and intermediate CA (3) (as an example) and link the server cert to intermediate CA (2); intermediate CA (2) would link to intermediate CA (3) etc. if you need the cert chain.


For the client cert:

  • Client Cert is installed on client device and issued by a specific Root CA (such as Domain or other)
  • You must also bind a cert as a Root Cert to the vpn vserver as a CA Cert (and potentially, lb vserver) to allow the Gateway/lb vserver to trust the issuer of the client cert in use.


The client cert policy has to be bound to the vpn vserver to do authentication. If using advanced policy engine, you'll have to use gateway + aaa vserver. (then there are additional settings too.)

If the client cert is configured with Two Factor ON then you also need to indicate proper format for userprincipalname or other and an ldap policy to do password validation too.

The LDAP policy (if needed) would have additional requirements. 


The LB level may be tricky. Gateway session policy would then need to be enabled to pass credentials through to WEB enabled to allow gateway to be used at LB vserver. Depending on config it might need an actual traffic policy for SSO.


It would be good to get the gateway to do cert authentication working first.


If doing lb vserver without gateway, then the SSL parameters above are needed plus an SSL action and SSL policy. This article (while old gui) is the main steps:


CLI is included so you could build and then edit. It's not a straight mapping, but it should get you close.


But in some cases configuring a vpn vserver to do client cert might be easier to troubleshoot if it's working or not before moving to an lb only config.

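Mapping the four steps in Tteodor's reply and the server-chain / client-issuer distinction in the reply above onto ADC CLI, as an added example that is not from the thread: the vserver name gw-vsrv, the certkey and file names, the 192.0.2.10 VIP and the ldap-pol name are assumed placeholders, the PEM files are assumed to be already uploaded to /nsconfig/ssl, and the lines starting with # are annotations to drop before pasting into the CLI.

```text
# Gateway (vpn) vserver that terminates SSL (assumed name and VIP)
add vpn vserver gw-vsrv SSL 192.0.2.10 443

# Cert material (assumed file names, already in /nsconfig/ssl)
add ssl certKey gw-server-cert -cert gw.example.com.crt -key gw.example.com.key
add ssl certKey gw-intermediate -cert server-intermediate-ca.crt
add ssl certKey client-issuer-ca -cert client-root-ca.crt

# Step 1: server cert for the vserver FQDN, linked to its intermediate so the
# ADC sends the full chain (server -> intermediate; link again if deeper)
link ssl certKey gw-server-cert gw-intermediate
bind ssl vserver gw-vsrv -certkeyName gw-server-cert

# Step 2: the issuer of the CLIENT certs, bound as a CA cert. This is separate
# from the server chain above; it is what lets the vserver trust client certs
bind ssl vserver gw-vsrv -certkeyName client-issuer-ca -CA -ocspCheck Optional

# Step 3: request a client cert in the handshake. Optional lets a client with
# no cert fall through to other bound auth instead of failing the TLS handshake
set ssl vserver gw-vsrv -clientAuth ENABLED -clientCert Optional

# Step 4: cert action + classic cert policy (as in the thread's own config),
# bound to the vpn vserver. twoFactor OFF: the cert alone logs the user in,
# with the username taken from the certificate Subject CN
add authentication certAction cert-act -twoFactor OFF -userNameField "Subject:CN"
add authentication certPolicy cert-pol -rule ns_true -reqAction cert-act
bind vpn vserver gw-vsrv -policy cert-pol -priority 100

# Two-factor variant (cert + LDAP password): turn twoFactor ON, take the UPN
# from the SAN, and bind an LDAP policy (assumed name ldap-pol) as secondary
# set authentication certAction cert-act -twoFactor ON -userNameField "SubjectAltName:PrincipalName"
# bind vpn vserver gw-vsrv -policy ldap-pol -priority 100 -secondary
```

After binding, `show ssl vserver gw-vsrv` lists the server cert, its linked chain and the CA cert, which is a quick check that steps 1 and 2 landed on the vserver you meant.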

7 hours ago, Tiago Teodoro said:

I am facing the same issue, where customer is requesting us to use client based certificate authentication for a gateway and pass this authetication along to Storefront and eventually to the VDI/VDAs. 



Your scenario is different than the other one and you might get more responses in its own thread.  And you might need to cross post to both gateway AND/OR the CVAD forums in some cases. Additional info on specific authentication scenario and product may help.


SmartCard or ClientCert for gateway (in ica proxy mode) follows some of the notes I made in the previous response.


But the question is do you want the gateway to do a client cert/smartcard authentication followed by an LDAP password prompt but have storefront and the vdi depend on the gateway for smartcard processing and they rely on ldap only.

Or are you in fact passing smartcard through gateway / storefront / and vdi?  If this, then you have to do a gateway smartcard config AND the XD/CVAD smart card config.  Details will vary by vendor in some cases.

XD 7.15:  https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/smart-cards.html

CVAD Current:  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/smart-cards/smart-cards-pass-through-sso.html



