Jump to content
Welcome to our new Citrix community!

Citrix Netscaler DUO MFA Workspace App Double Password Entry

Recommended Posts

Using DUO for MFA on a Citrix Netscaler (ADC) and latest current release of Citrix Workspace app.  If Citrix Gateway primary authentication is set to RADIUS for both Web and Receiver then there are no problems.  If Citrix Gateway primary authentication is LDAP and secondary authentication is RADIUS then the Citrix Workspace app has two password fields and the password needs to be entered twice, after which a DUO push notification request is automatically sent and the authentication process complete.  For the Web prior to adding a rewrite action we had two password fields as well.  We understand the rewrite action surprises the 2nd password field for the Web, but how can we do the same in Workspace? 


bind vpn vserver VirtualServer -policy LDAP_Pol

bind vpn vserver VirtualServer -policy DUOCitrixWebPolicy -priority 100 -secondary
bind vpn vserver VirtualServer -policy DUOCitrixReceiverPolicy -priority 110 -secondary


enable ns feature rewrite
add rewrite action RWA-RES-REMOVE_2ND_PASSWORD replace_all "HTTP.RES.BODY(99999)" "\"\\r\\n\"+\n\"<style type=\\\"text/css\\\">\\r\\n\"+\n\"[for=\\\"passwd1\\\"] { display: none;}\\r\\n\"+\n\"#passwd1 { display: none; }\\r\\n\"+\n\"</style>\\r\\n\"+\n\"\\r\\n\"+\n\"</body>\\r\\n\"+\n\"</html>\\r\\n\"" -search "text(\"</body>\n</html>\")"
add rewrite policy RWP-RES-REMOVE_2ND_PASSWORD "HTTP.REQ.URL.PATH.CONTAINS(\"/logon/themes/CorpTheme/index.html\")" RWA-RES-REMOVE_2ND_PASSWORD
bind vpn vserver VirtualServer -policy RWP-RES-REMOVE_2ND_PASSWORD -priority 100 -gotoPriorityExpression END -type RESPONSE


Link to comment
Share on other sites

The easiest way is to use advanced authentication, meaning to use an aaa authentication profile which is linked to your gateway vserver. Advanced authentication is taking place on browser engine, so your workspace app login will look like a login in a modern browser - so there are no issues with wrong our double password fields. You are able to use restricted AAA (exactly for this usecase) also with a Standard license, too.


Best Regards


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...