Multi cert authentication to SSL VPN

Kerry Lawrence


Currently have AlwaysOn VPN (with ao_service in policy) working with device cert, pulling CN off the device and checking device AD before allowing AlwaysOn to connect. Also have (same URL) a policy binding with a higher number, set to true, to challenge for a user/PIN (to unlock token); it then pulls the UPN off the user cert, checks for the correct AD group to allow VPN access, and all works well. We have the reg keys for AlwaysOn to do both VPNs (device and user), which we are required to do.

What I am having difficulty doing is both cert checks: if a machine is not configured for AlwaysOn, the user can connect with just the user cert being checked. If I attempt to then check the device cert after the user authenticates, I see the same user cert/UPN being used to check for the group that houses the devices' AD accounts. Curious if there is a way to use both certs during the auth process.

Also curious, is there a way to force all user-based SSL-VPN connections to source from AlwaysOn?


Certificate-based authentication is very different from all other authentication, as it is based on SSL (so it's actually L4): the certificate is used during the set-up of the SSL session. The server will then read the user name from the client certificate. So there is no chance to use a 2nd certificate to do a 2nd authentication or factor later on.



Johannes Norz


