Jump to content
Welcome to our new Citrix community!

Multi Factor authentication for Citrix not working

Recommended Posts



We have two citrix environments. 

I have tried to install duo (2FA) on both environments

It is working on one. 

On second environment, it is not working.


I have followed this document to configure Radius policy as Primary type on both citrix environments. 

https://duo.com/docs/citrix-netscaler#:~:text=To add Duo two-factor,client logins with an automatic


I have followed above document to configure exact same settings on both environments. 


First citrix environment has netscaler -CitrixADC VPX (40000). I applied Radius Polices and 2FA is working.

As a user, if I go to URL and enter user name and password, it takes me to 2FA page. (screenshot - citrix-gateway-auth-prompt_2x). It works fine. No issues. 


For Second Citrix environment

We have netscalerCitrixADC VPX (40000) [Actually two netscalers, primary and secondary]. Exact same radius policies are applied as first environment. 
But after going to our citrix URL and entering user name and password, it jumps to next page where it asks for another password. That's wrong.

It is supposed to give option for 2FA after entering user name and password.  (screenshot - citrix-gateway-auth-prompt_2x)


I am guessing, there may be a setting in both environment's netscaler which is  different. 


Can someone please suggest something which can help in troubleshoot this.






Link to comment
Share on other sites

Are the two sets of ADC's on the same firmware or different versions?  If different which versions, as it may be firmware related.


For the backend DUO environment is the authentication dependent on the source ip of the traffic which would vary from instance A and pair B, so the on adc config is right but the due doesn't like your second instance making requests?


To compare the config:

You can compare your running config (or saved configs) of both systems.

Easy way save the config of one as a.ns.conf and the config of the other as b.ns.conf and copy to the same appliance and use the diff a.ns.conf b.ns.conf to see differences.

Or import the files (or a subset of the files) into a utility where you can do line by line comparisons to see if there are any unexpected discrepancies.


Just normal troubleshooting:

1) On your second system, is this a Gateway authentication handing off to StoreFront? (or other)?

1a) So for the second authenticaiton prompt are you still on gateway OR on the storefront?  You can tell by looking in the "path" portion of hte URL as you will still see the gateway fqdn: https://<gateway fqdn>/.

Paths such as /vpn/index.htm, /vpn/tmindex.htm, etc... are indications you are still on the Gateway and if it is prompting you twice we need to look at the policies on the gateway for issues with duplicate poliies or nfactor (maybe something on both the aaa vserver AND the vpn vserver)

If the path is /Citrix/<Storefront Store Name> then the gateway completed its authentication AND handed off to storefront and now storefront is asking for authentication.  See Item 2.

2) If storefront is the problem for the dual authenticaiton prompt there are two potential problems (and you may be seeing both at same time)

2a) The gateway on the second pair doesn't have the session profile set to pass credentials through to storefront (client experience: pass credentials through to web needs to be ON)

2b) The storefront store is the same or different store that you use with the other gateway deployment?

2c) The storefront may not be configured to recognized either the hand off of authentication or it doesn't recognize gateway 2 (but it does recognize gateway 1)  (depends on if one or separate stores).

For StoreFront, it is has to a) know about the gateway 2 (in addition to gateway 1 if both on same storefront), b) optimal gateway routing config may be required, c) accepting passthrough credentials from gateway has to be enabled, and you should see events on storefront with more info, d) telling storefront to validate the right credentials such as domain only or domain + raidus, but this could be resulting in the second prompt...


This may give you a few things to narrow down the problem so that more concrete recommendations can be made.


Check gateway syslog for additional events between gateway and storefront: 

cd /var/log

tail -f ns.log | grep -v CMD_EXECUTED

Check gateway aaad.debug for authentication issues:

cd /tmp

cat aaad.debug

# this one is not a file; you have to view it while generating the authentication events to see output.


Check storefront server (s) event vwr for issues related to gateway if traffic is getting that far.





Link to comment
Share on other sites

1 hour ago, Sam Jacobs said:

What theme are you using for the gateway server?

I have seen the behavior you are seeing when using Duo with the RfWebUI theme.

If that's the theme that you are using, try changing to the X1 theme.

You may also need to change the Duo proxy config file.


I think you have solved my issue.

I have X1 theme of first environment and it is working. I changed it to RfWebUI theme to test and the now I have same problem as second environment.


Our second environment have RfWebUI theme. It is a production environment and I will need to go through CAB to change the theme and apply radius policies again and then I will be able to confirm it.


Thanks alot

Link to comment
Share on other sites

  • 1 year later...

Sorry for digging up an old post, but I have a feeling this is going to become relevant again. I just updated to the newest 13.0 version, and the Default, X1, and Greenbubble themes are now "deprecated". As a result, no themes display the "Duo Universal Prompt" as we once had, instead just giving you a second option to enter a password. Entering the 6-digit Duo code here works just fine, it's just different than users are used to.


Also, doing the whole "password,push" or any other type of auth doesn't seem to work, so for now we are stuck with the codes it seems. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...