
Filter Client-Cert Authentication based on Expressions (Clientplugins)




According to the latest Workspace app feature matrix, User-Cert-Auth is only supported via browser:



Is there a way to filter user-cert-auth based on which client is trying to connect to my gateway? Examples:


- Browser way -> Check and search for compatible user cert, prefill username and present only password

- Workspace App Windows / iOS -> Don't check for user cert and fall back to the MFA (password and token) nFactor way

- Gateway Plugin Windows / iOS -> Don't check for user cert and fall back to the MFA (password and token) nFactor way


As soon as I enable user-cert-auth and set Client Authentication to "Optional" on my nFactor AAA and gateway vserver, I get problems connecting with all methods except the browser way, as there is always a cert check which breaks the complete nFactor flow. In detail, it breaks adding new accounts in Workspace app and Gateway plugin, as these clients / apps force the client-cert way, which is absolutely incorrect.

I tried to filter the usercert auth policy expressions like this:


but it looks like it's not hitting correctly. I think the main problem is the way NetScaler is checking the "Optional" client cert way:



Any ideas? Possible way to use listen policy on my gateway?


Thanks for your help

Best Regards



