Product Documentation
Gateway
Current Release 13.1 13.0 12.1
View PDF

Configure client certificate or client certificate and domain authentication

September 15, 2021
Contributed by:
S

You can use the Citrix ADC for Citrix Endpoint Management wizard to perform the configuration required for Citrix Endpoint Management when using Citrix ADC certificate-only authentication or certificate plus domain authentication. You can run the Citrix ADC for Citrix Endpoint Management wizard one time only. For information about using the wizard, seeConfiguring Settings for Your Citrix Endpoint Management Environment.

If you’ve already used the wizard, use the instructions in this article for the addition configuration required for client certificate authentication or client certificate plus domain authentication.

To ensure that the user of a device in MAM-only mode can’t authenticate using an existing certificate on the device, see “Citrix ADC Certificate Revocation List (CRL)” later in this article.

Configure Citrix Gateway for client certificate authentication by using the GUI

  1. Navigate toTraffic Management > Load Balancing > Virtual Servers.

  2. Select the virtual server of typeSSL, and in theSSL Parameterssection setEnable Session ReuseasDISABLED.

    SSL parameters page

  3. Navigate toCitrix Gateway > Virtual Servers.
  4. Select the virtual server of typeSSL, and clickEdit.
  5. In theSSL Parameterssection, click the edit icon.

  6. SelectClient Authenticationand inClient Certificate, selectMandatory.

    SSL parameter details

  7. Create an authentication certificate policy so Citrix Endpoint Management can extract theUser Principal Nameor thesAMAccountfrom the client certificate provided by Secure Hub to Citrix Gateway.

  8. Navigate toCitrix Gateway> Policies> Authentication > CERT.

  9. Click theProfilestab and clickAdd.

  10. Set the following parameters for the certificate profile:

    Authentication Type:CERT

    Two Factor:OFF(for certificate only authentication)

    User Name Field: Subject:CN

    Group Name Field:SubjectAltName:PrincipalName

    Profile details

  11. Bind only the certificate authentication policy as thePrimary Authenticationin the Citrix Gateway virtual server.

    Binding the policy

  12. Bind the Root CA certificate to validate the trust of the client certificate presented to Citrix Gateway.

Configure Citrix Gateway for client certificate and domain authentication by using the GUI

  1. Navigate toTraffic Management > Load Balancing > Virtual Servers.

  2. Select the virtual server of typeSSL, and in theSSL Parameterssection setEnable Session ReuseasDISABLED.

    SSL parameters page

  3. Go toCitrix Gateway > Policies > Authentication > Cert.

  4. Click theProfilestab , clickAdd.

    Click to add a certificate server

  5. Enter theNameof the profile, setTwo FactortoON, and fromUser Name Field, selectSubjectAltNamePrincipalName.

    Certificate server details

  6. Click thePoliciestab and clickAdd.

  7. Enter theNameof the policy, from爵士verselect the certificate profile, set theExpressionand clickCreate.

    Enter the expression

  8. Go toVirtual Servers, select the virtual server of typeSSL, and clickEdit.

  9. BesideAuthentication, click+to add the certificate authentication.

  10. To select the authentication method,InChoose Policy, selectCertificate, and inChoose TypeselectPrimary. This binds certificate authentication as the primary authentication with the priority same as the LDAP authentication type.

    Primary authentication type

  11. UnderPolicy Binding, clickClick to Selectto select the certificate policy created earlier.

  12. Select the certificate policy created earlier and clickOK.

  13. Set thePriorityto100and then clickBind. Use the same priority number when you configure the LDAP authentication policy in the subsequent steps.

    Select priority

  14. On the row forLDAP Policy, click>.

  15. Select the policy and then, from theEditdrop-down menu, clickEdit Binding.

  16. Enter the samePriorityvalue that you specified for the certificate policy. ClickBind.

    Enter the same priority

  17. ClickClose.

    Binding complete

  18. Click the edit icon inSSL Parameterssection.

  19. Select theClient Authenticationcheck box, and inClient CertificatechooseMandatory, and clickOK.

    Make client certificate mandatory

  20. ClickDone.

    Configuration complete

Citrix ADC Certificate Revocation List (CRL)

Citrix Endpoint Management supports Certificate Revocation List (CRL) only for a third party Certificate Authority. If you have a Microsoft CA configured, Citrix Endpoint Management uses Citrix ADC to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the Citrix ADC Certificate Revocation List (CRL) setting,Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can’t authenticate using an existing certificate on the device. Citrix Endpoint Management reissues a new certificate, because it doesn’t restrict a user from generating a user certificate if one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.

Configure client certificate or client certificate and domain authentication
September 15, 2021
Contributed by:
S
September 15, 2021
Contributed by:
S

In this article

Site feedback | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999-Cloud Software Group, Inc. All rights reserved.