Introduction
Time-based One-Time Passwords (TOTP) are an increasingly common method of providing an authentication factor that, combined with other factors, strengthens an organization's security posture. TOTP with PUSH takes advantage of mobile devices by letting users receive and accept authentication requests at their fingertips. The exchange is secured by applying a keyed hash to a shared secret that is distributed to the device during setup.
Citrix Gateway supports push notifications for OTP and can provide authentication for various services including web services, VPN, and Citrix Virtual Apps and Desktops. In this POC Guide we demonstrate using it for authentication in a Citrix Virtual Apps and Desktops environment.
Overview
This guide demonstrates how to implement a Proof of Concept environment using two-factor authentication with Citrix Gateway. It uses LDAP to validate Active Directory credentials as the first factor and Citrix Cloud Push Authentication as the second factor. It uses a Citrix Virtual Apps and Desktops published virtual desktop to validate connectivity.
It makes assumptions about the completed installation and configuration of the following components:
- Citrix Gateway installed, licensed, and configured with an externally reachable virtual server bound to a wildcard certificate
- Citrix Gateway integrated with a Citrix Virtual Apps and Desktops environment that uses LDAP for authentication
- Citrix Cloud account established
- Endpoint with Citrix Workspace app installed
- Mobile device with Citrix SSO app installed
- Active Directory (AD) is available in the environment
Refer to Citrix Documentation for the latest product version and license requirements.
PUSH Authentication
Citrix Gateway
nFactor
- Log in to the Citrix ADC UI
- Navigate to Traffic Management > SSL > Certificates > All Certificates to verify you have your domain certificate installed. In this POC example we used a wildcard certificate corresponding to our Active Directory domain. See Citrix ADC SSL certificates for more information.
Push service action
- Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Push service
- Select Add
- Populate the following fields and click OK:
  - Name - a unique value. The remaining fields take values from Citrix Cloud - PUSH Service, obtained as follows:
  - Log in to Citrix Cloud and navigate to Identity and Access Management > API Access
  - Create a unique name for the push service and select Create Client. Copy and paste the resulting values into the Citrix ADC push service action to integrate with Citrix Cloud - PUSH Service:
  - Client ID - copy & paste the Client ID from the Citrix Cloud ID and secret popup
  - Client Secret - copy & paste the Client Secret from the Citrix Cloud ID and secret popup
  - Select Close
  - Customer ID - copy & paste the Customer ID from the Citrix Cloud Identity and Access Management API Access page
- Click Create
LDAP - authentication action
- Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
- Select Add
- Populate the following fields:
  - Name - a unique value
  - Server Name / IP address - select an FQDN or IP address for the AD server(s). We enter 192.0.2.50_LDAP
  - Base DN - enter the path to the AD user container. We enter OU=Team Accounts, DC=workspaces, DC=wwco, DC=net
  - Administrator Bind DN - enter the admin/service account used to query AD to authenticate users. We enter workspacesserviceaccount@workspaces.wwco.net
  - Confirm / Administrator Password - enter / confirm the admin / service account password
  - Server Logon Name Attribute - in the second field below this field enter userPrincipalName
- Select Create. For more information see LDAP authentication policies
LDAP - token storage action
- Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
- Select the LDAP action created above and select Create
- Append OTP or any identifier to the name and clear the Authentication checkbox
- Under Connection Settings verify the Base DN, Administrator Bind DN, and Password. Be sure that the administrator user or service account is a member of domain administrators. This action is used to write the token registered by the user's authenticator app into the userParameters attribute of their user object.
- Scroll down to Other Settings
- Select Create
nFactor
- Next navigate to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flows
- Select Add and select the plus sign in the Factor box
- Enter nFactor_OTP and select Create
nFactor - Registration Flow
- Select Add Policy and select Add again next to Select Policy
- Enter authPol_OTPReg
- Under Action Type select NO_AUTHN
- Select Expression Editor and build the expression by selecting the following in the drop-down menus offered:
  - HTTP
  - REQ
  - COOKIE.VALUE(String) = NSC_TASS
  - EQ(String) = manageotp
  - The resulting expression is HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp")
- Select Done, followed by Create, followed by Add
- Select the green plus sign next to the authPol_OTPReg policy to create a factor
- Enter OTPRegAD and select Create
- In the box created select Add Schema
- Select Add and enter lschema_SingleRegOTP
- Under Schema Files navigate to LoginSchema, and select SingleAuthManageOTP.xml
- Select the blue Select button, followed by Create, followed by OK
- In the same box select Add Policy and select Add again next to Select Policy
- Enter authPol_LDAP for the name
- Under Action Type select LDAP
- Under Action select your first LDAP authentication action. We use 192.0.2.50_LDAP
- Under Expression enter true
- Select Create followed by Add
- Select the green plus sign next to the authPol_LDAP policy to create a factor
- Enter OTPRegDevice and select Create
- In the same box select Add Policy and select Add again next to Select Policy
- Enter authPol_OTPAuthDevice for the name
- Under Action Type select LDAP
- Under Action select your newly created (second) LDAP authentication action. We use 192.0.2.50_LDAP_OTP
- Under Expression enter true
- Select Create followed by Add
nFactor - Authentication Flow
- Select the blue plus sign under the authPol_OTPReg policy
- Enter authPol_OTPAuth
- Under Action Type select NO_AUTHN
- Under Expression enter true
- Select Create
- Select the green plus sign next to the authPol_OTPAuth policy to create a factor
- Enter OTPAuthAD
- Select Create
- In the box created select Add Schema
- Select Add and enter lschema_DualAuthOTP
- Under Schema Files navigate to LoginSchema, and select DualAuthPushOrOTP.xml
- Select the blue Select button, followed by Create, followed by OK
- In the same box select Add Policy
- Select the policy we created during the setup of the Registration flow that maps to your first LDAP authentication action. We use authPol_LDAP
- Select Add
- Select the green plus sign next to the authPol_LDAP policy to create a factor
- Enter OTPAuthDevice. This factor uses the OTP token to perform the second-factor authentication
- Select Create
- In the same box select Add Policy
- Select the policy authPol_OTPAuthDevice that we created during setup of the Registration flow
- Select Add
- Now we've completed the nFactor flow setup and can click Done
Citrix ADC Authentication, Authorization, and Auditing (Citrix ADC AAA) virtual server
- Next navigate to Security > AAA - Application Traffic > Virtual Servers and select Add
- Enter the required fields (we name the virtual server PUSH_Auth_Vserver, as referenced below) and click OK
- Select No Server Certificate, select the domain certificate, click Select, Bind, and Continue
- Select No nFactor Flow
- Under Select nFactor Flow click the right arrow, select the nFactor_OTP flow created earlier
- Click Select, followed by Bind
Citrix Gateway - virtual server
- Next navigate to Citrix Gateway > Virtual Servers
- Select your existing virtual server that provides proxy access to your Citrix Virtual Apps and Desktops environment
- Select Edit
- Under Basic Authentication - Primary Authentication select LDAP Policy
- Check the policy, select Unbind, select Yes to confirm, and select Close
- Under the Advanced Settings menu on the right select Authentication Profile
- Select Add
- Enter a name. We enter PUSH_auth_profile
- Under Authentication virtual server click the right arrow, and select the Citrix ADC AAA virtual server we created, PUSH_Auth_Vserver
- Click Select, and Create
- Click OK and verify the virtual server now has an authentication profile selected while the basic authentication policy has been removed
- Click Done
User Endpoint
Now we test PUSH by registering a mobile device and authenticating into our Citrix Virtual Apps and Desktops environment.
Registration with Citrix SSO app
- Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway with /manageotp appended to the end of the FQDN. We use https://gateway.workspaces.wwco.net/manageotp
- After your browser is redirected to a login screen, enter the user UPN and password
- On the next screen select Add Device and enter a name. We use iPhone7
- Select Go and a QR code appears
- On your mobile device open the Citrix SSO app, which is available for download from app stores
- Select Add New Token
- Select Scan QR Code
- Aim your camera at the QR code and once it's captured select Add
- Select Save to store the token
- The token is now active and begins displaying OTP codes at 30 second intervals
- Select Done and you will see confirmation that the device was added successfully
Citrix Virtual Apps and Desktops Authentication, Publication, and Launch
- Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway. We use https://gateway.workspaces.wwco.net
- After your browser is redirected to a login screen, enter the user UPN and password. On this screen you also see the option Click to input OTP manually, for use if for some reason your camera is not working
- On your mobile device, in the Citrix SSO app, select OK to confirm the PUSH authentication
- Verify the user's virtual apps and desktops are enumerated, and launch one once logged in
Summary
With Citrix Workspace and Citrix Gateway, enterprises can improve their security posture by implementing multifactor authentication without making the user experience complex. Users can get access to all of their Workspace resources by entering their standard domain user name and password and simply confirming their identity with the push of a button in the Citrix SSO app on their mobile device.
References
For more information refer to:
Authentication Push – watch a Tech Insight video regarding the use of TOTP to improve authentication security for your Citrix Workspace
Authentication - On-Premises Citrix Gateway – watch a Tech Insight video regarding integrating with on-premises Citrix Gateway to improve authentication security for your Citrix Workspace