PoC Guide: nFactor for Citrix Gateway Authentication with Native OTP

Introduction

Implementing multifactor authentication is one of the best ways to verify identity and improve security posture. Native (time-based) One Time Password (OTP) is a convenient way to add another factor using readily available authenticator applications: users enter validation codes from their authenticator application into a gateway form to authenticate.

Citrix Gateway supports Native OTP and can provide authentication for various services, including web services, VPN, and Citrix Virtual Apps and Desktops. In this PoC guide we demonstrate using it for authentication in a Citrix Virtual Apps and Desktops environment.

Conceptual Architecture

Native OTP Registration

Native OTP Authentication

Overview

This guide demonstrates how to implement a Proof of Concept environment using two-factor authentication with Citrix Gateway. It uses LDAP to validate Active Directory credentials as the first factor and Native OTP as the second factor.

It assumes the following components are already installed and configured:

  • Citrix Gateway installed, licensed, and configured with an externally reachable virtual server bound to a wildcard certificate
  • Citrix Gateway integrated with a Citrix Virtual Apps and Desktops environment that uses LDAP for authentication
  • An endpoint with Citrix Workspace app installed
  • A supported authenticator app that supports time-based OTP (such as Microsoft Authenticator, Google Authenticator, or Citrix SSO)
  • Active Directory (AD) available in the environment

Refer to Citrix Documentation for the latest product version and license requirements: Native OTP Authentication

nFactor

LDAP Policies

First we create two LDAP policies, which we reference later when building the nFactor flow.

Native OTP Registration

This LDAP registration policy is used to exchange and store the key used to generate the time-based OTP code.

  1. Log in to the Citrix ADC UI
  2. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Policy
  3. Click Add
  4. Enter polldap_notpmanage for the policy name, and change the Action Type to LDAP.
  5. Click Add under Action
  6. Populate the following fields:
    • Name - enter actldap_notpmanage
    • Server Name / IP address - select an FQDN or IP address for the AD server(s). We enter 192.0.2.50
    • Clear Authentication. This setting, together with the OTP Secret below, indicates that the policy will set, rather than get, object attributes
    • Base DN - enter the path to the AD user container. We enter DC=workspaces, DC=wwco, DC=net
    • Administrator Bind DN - enter the admin/service account used to query AD to authenticate users. We enter workspacessrv@workspaces.wwco.net
    • Administrator Password / Confirm Password - enter and confirm the admin / service account password
    • Click Test Network Connectivity to ensure connection
    • Server Logon Name Attribute - in the second field below this field enter userPrincipalName
    • OTP Secret - enter userParameters. This is the attribute of the user's LDAP object that will be updated with the key that is used with the hash to generate the time-based OTP code
  7. Select Create
  8. Enter the expression true, and click OK

Native OTP Authentication

This LDAP authentication policy performs the first-factor authentication.

  1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Policy
  2. Click Add
  3. Enter polldap_notpauth for the policy name, and change the Action Type to LDAP.
  4. Click Add under Action
  5. Populate the following fields:
    • Name - enter actldap_notpauth
    • Server Name / IP address - select an FQDN or IP address for the AD server(s). We enter 192.0.2.50
    • Base DN - enter the path to the AD user container. We enter DC=workspaces, DC=wwco, DC=net
    • Administrator Bind DN - enter the admin/service account used to query AD to authenticate users. We enter workspacessrv@workspaces.wwco.net
    • Administrator Password / Confirm Password - enter and confirm the admin / service account password
    • Click Test Network Connectivity to ensure connection
    • Server Logon Name Attribute - in the second field below this field enter userPrincipalName
  6. Select Create
  7. Enter the expression true, and click OK

For more information see LDAP authentication policies

Login Schemas

Login Schemas are used when data needs to be gathered on behalf of a policy.

Native OTP lSchema - Single Authentication

This registration login schema corresponds to the LDAP registration policy.

  1. Navigate to Security > AAA-Application Traffic > Login Schema
  2. Select the Profile tab
  3. Click Add under Profile, and name it prolschema_notpsingle
  4. Click the pencil icon next to noschema
  5. Click Login Schema, scroll down to select SingleAuthManageOTP.xml, and click the blue Select in the right corner.
  6. Click Create

Native OTP lSchema - Dual Authentication

This login schema corresponds to the dual-factor authentication, where the user enters both their password and the OTP passcode.

  1. Under the Profile tab click Add again
  2. Enter the name pollschema_notpdual
  3. Click Add under Profile, and also name it prolschema_notpdual
  4. Click the pencil icon next to noschema
  5. Click Login Schema, scroll down to select DualAuth.xml, and click the blue Select in the right corner.
  6. Click More
  7. In the field Password Credential Index enter 1
  8. Click Create

Native OTP AAA Virtual Server - Visualizer Flow

  1. Next navigate to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flows
  2. Click Add
  3. Click the + sign to create the initial factor. This factor takes no authentication action itself; it only directs incoming traffic to the registration or authentication factor flows.
  4. Enter factor0-notp, and click Create

Registration Flow

  1. Select Add Policy
  2. Select Add next to Select Policy
  3. Enter the name polfactor0-notpmanage
  4. Set the Action Type to NO_AUTHN
  5. Paste in HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") for the expression, or build it with the Expression builder. You can optionally limit registration to endpoints on the internal network by adding a source IP address criterion such as http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.0.0.0/8)
  6. Click Create, followed by Add
  7. Select the green + to the right of the polfactor0-notpmanage policy you just created
  8. Enter factor1-notpmanage, and click Create
  9. In the new factor box, select Add Schema
  10. Select prolschema_notpsingle, and click Ok
  11. Select Add Policy
  12. From the drop-down list under Select Policy select polldap_notpauth, and click Add
  13. Select the green + to the right of the polldap_notpauth policy
  14. Enter factor2-notpmanage, and click Create
  15. In the new factor box, select Add Policy
  16. From the drop-down list under Select Policy select polldap_notpmanage, and click Add

Authentication Flow

  1. Now in the initial factor box we created, factor0-notp, select the blue +
  2. Select Add next to Select Policy
  3. Enter the name polfactor0-notpauth
  4. Set the Action Type to NO_AUTHN
  5. Enter true for the expression
  6. Click Create, followed by Add. Notice that the policy priority has increased to 110, meaning it is evaluated only if the policy above it, polfactor0-notpmanage at priority 100, does not match.
  7. Select the green + to the right of the polfactor0-notpauth policy you just created
  8. Enter factor1-notpauth, and click Create
  9. In the new factor box, select Add Schema
  10. Select prolschema_notpdual, and click Ok
  11. Select Add Policy
  12. From the drop-down list under Select Policy select polldap_notpauth, and click Add
  13. Select the green + to the right of the polldap_notpauth policy you just created
  14. Enter OTPCheck, and click Create
  15. Select Add Policy
  16. From the drop-down list under Select Policy select polldap_notpmanage, and click Add
  17. Select Done

Native OTP AAA Virtual Server

This AAA Virtual Server is where the policies and schema are bound with the appropriate priority.

  1. Navigate to Traffic Management > SSL > Certificates > All Certificates to verify you have your domain certificate installed. In this PoC example we used a wildcard certificate corresponding to our Active Directory domain. See Citrix ADC SSL certificates for more information.
  2. Next navigate to Security > AAA - Application Traffic > Virtual Servers, and select Add
  3. Enter the following fields:
    • Name - a unique value. We enter nativeotp_authvserver
    • IP Address Type - Non Addressable
  4. Click Ok
  5. Select No Server Certificate, select the arrow under Select Server Certificate, select the domain certificate, then click Select, Bind, and Continue
  6. Under Advanced Authentication Policies, select No nFactor Flow
  7. Select the right arrow under Select nFactor Flow, select factor0-notp, click Select, then click Bind
  8. Click Continue, followed by Done

Traffic Policy

Now we create a traffic policy to relay the LDAP password, instead of the OTP passcode, to StoreFront.

  1. Navigate to Citrix Gateway > Virtual Servers > Policies > Traffic
  2. Select the Traffic Profiles tab, and click Add
  3. Enter the name notp_trafficprofile
  4. Select HTTP
  5. In the SSO Password Expression enter http.REQ.USER.ATTRIBUTE(1)
  6. Click Create
  7. Now click the Traffic Policies tab
  8. In the Request Profile field, select the notp_trafficprofile Traffic Profile you just created.
  9. Enter the name nOTP_TrafficPolicy
  10. In the Expression box enter true
  11. Click Create

Gateway Virtual Server

The Gateway Virtual Server is bound to the Native OTP AAA Virtual Server to provide authentication for Citrix Virtual Apps and Desktops.

  1. Navigate to Citrix Gateway > Virtual Servers
  2. Select your current Gateway, and click Edit
  3. Select Authentication Profile from the Advanced Settings panel on the right-hand side
  4. Select Add
  5. Enter a profile name. We enter nativeotp_authprofile
  6. Under Policy select the arrow, and select the Native OTP AAA Virtual Server nativeotp_authvserver
  7. Click Create
  8. Select Policies from the Advanced Settings panel on the right-hand side
  9. Select the + sign to Add
  10. Under Choose Policy select Traffic, and under Choose Type select Request. Then select Continue
  11. Click the right arrow, select nOTP_TrafficPolicy, and select OK
  12. Click Done, and save the running configuration
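For review and repeatable deployment, the same objects can be created from the Citrix ADC command line. The following is an added example, not part of the original guide and not Citrix-supplied configuration; it uses the object names from the GUI steps above, but the Gateway virtual server name (gateway_vserver), certificate key name (wildcard_certkey), bind password placeholder, and the LDAPS settings (-secType SSL on port 636, which the GUI steps above leave at their defaults) are assumptions, and the factor labels mirror what the visualizer builds rather than the auto-generated names it may assign. Check each parameter against the man pages of your firmware version before applying.

```nscli
# Added example: Citrix ADC CLI equivalent of the GUI configuration in this guide.
# Placeholders/assumptions: <BIND_PASSWORD>, wildcard_certkey, gateway_vserver, LDAPS.

# --- LDAP actions and policies ---
# Registration/validation action: -authentication DISABLED plus -OTPSecret makes this action
# read and write the userParameters attribute using the bind account, not bind as the user.
add authentication ldapAction actldap_notpmanage -serverIP 192.0.2.50 -serverPort 636 -secType SSL -ldapBase "DC=workspaces,DC=wwco,DC=net" -ldapBindDn workspacessrv@workspaces.wwco.net -ldapBindDnPassword <BIND_PASSWORD> -ldapLoginName userPrincipalName -authentication DISABLED -OTPSecret userParameters
add authentication Policy polldap_notpmanage -rule true -action actldap_notpmanage

# First-factor action: binds as the user with the password they submitted.
add authentication ldapAction actldap_notpauth -serverIP 192.0.2.50 -serverPort 636 -secType SSL -ldapBase "DC=workspaces,DC=wwco,DC=net" -ldapBindDn workspacessrv@workspaces.wwco.net -ldapBindDnPassword <BIND_PASSWORD> -ldapLoginName userPrincipalName
add authentication Policy polldap_notpauth -rule true -action actldap_notpauth

# --- Login schemas ---
add authentication loginSchema prolschema_notpsingle -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
# passwordCredentialIndex 1 stores the LDAP password as user attribute 1, which the
# traffic policy below forwards to StoreFront instead of the OTP passcode.
add authentication loginSchema prolschema_notpdual -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1

# --- Initial factor (factor0-notp): route to registration or authentication ---
add authentication Policy polfactor0-notpmanage -rule 'HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp")' -action NO_AUTHN
# Optional: restrict registration to internal clients (subnet is a placeholder), e.g.
#   -rule 'HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") && CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)'
add authentication Policy polfactor0-notpauth -rule true -action NO_AUTHN

# --- Registration flow: factor1-notpmanage (password) -> factor2-notpmanage (store secret) ---
add authentication policylabel factor1-notpmanage -loginSchema prolschema_notpsingle
add authentication policylabel factor2-notpmanage -loginSchema LSCHEMA_INT
bind authentication policylabel factor1-notpmanage -policyName polldap_notpauth -priority 100 -gotoPriorityExpression NEXT -nextFactor factor2-notpmanage
bind authentication policylabel factor2-notpmanage -policyName polldap_notpmanage -priority 100 -gotoPriorityExpression NEXT

# --- Authentication flow: factor1-notpauth (password + passcode form) -> OTPCheck ---
add authentication policylabel factor1-notpauth -loginSchema prolschema_notpdual
add authentication policylabel OTPCheck -loginSchema LSCHEMA_INT
bind authentication policylabel factor1-notpauth -policyName polldap_notpauth -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPCheck
bind authentication policylabel OTPCheck -policyName polldap_notpmanage -priority 100 -gotoPriorityExpression NEXT

# --- Non-addressable AAA virtual server with the two factor0 bindings ---
add authentication vserver nativeotp_authvserver SSL 0.0.0.0
bind ssl vserver nativeotp_authvserver -certkeyName wildcard_certkey
bind authentication vserver nativeotp_authvserver -policy polfactor0-notpmanage -priority 100 -nextFactor factor1-notpmanage -gotoPriorityExpression NEXT
bind authentication vserver nativeotp_authvserver -policy polfactor0-notpauth -priority 110 -nextFactor factor1-notpauth -gotoPriorityExpression NEXT

# --- Traffic policy: SSO the LDAP password (attribute 1), never the OTP, to StoreFront ---
add vpn trafficAction notp_trafficprofile HTTP -SSO ON -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy nOTP_TrafficPolicy true notp_trafficprofile

# --- Attach to the Gateway virtual server and persist ---
add authentication authnProfile nativeotp_authprofile -authnVsName nativeotp_authvserver
set vpn vserver gateway_vserver -authnProfile nativeotp_authprofile
bind vpn vserver gateway_vserver -policy nOTP_TrafficPolicy -priority 100
save ns config
```

The ordering matters: actions before policies, policy labels before the bindings that reference them as -nextFactor, and the AAA virtual server before the authentication profile that points at it. After applying, `show authentication vserver nativeotp_authvserver` and `show vpn vserver gateway_vserver` let you confirm the factor0 bindings at priorities 100 and 110 and the traffic policy binding before testing a registration.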

User Endpoint

Now we test Native OTP by authenticating into our Citrix Virtual Apps and Desktops environment.

Registration with Citrix SSO app

First the user registers their device for Native OTP using the Citrix SSO app.

  1. Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway with /manageotp appended to the end of the FQDN. We use https://gateway.workspaces.wwco.net/manageotp
  2. After your browser is redirected to a login screen, enter the user UPN and password
  3. On the next screen select Add Device, and enter a name. We use iPhone7_nOTP
  4. Select Go, and a QR code appears
  5. On your mobile device open your Citrix SSO app or another authenticator app such as Microsoft's or Google's (available for download from app stores)
  6. Select Add New Token
  7. Select Scan QR Code
  8. Aim your camera at the QR code, and once it is captured select Add
  9. Select Save to store the token
  10. The token is now active, and begins displaying OTP codes at 30-second intervals
  11. Select Done, and you see confirmation that the device was added successfully

Citrix Virtual Apps and Desktops Authentication, Publication, and Launch

Then the user enters their UserPrincipalName, password, and the OTP passcode from the Citrix SSO app to access their virtual apps and desktops.

  1. Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway. We use https://gateway.workspaces.wwco.net
  2. After your browser is redirected to a login screen, enter the user UserPrincipalName and password
  3. Open the Citrix SSO app, and enter the OTP code shown for the iPhone7_nOTP device entry in the passcode field
  4. Verify the user's virtual apps and desktops are enumerated and launch once logged in

Troubleshooting

Here we look at a couple of common troubleshooting areas for Native OTP.

NTP Errors

Upon login with your OTP code, the page may post a message advising you to verify NTP synchronization. The Citrix ADC's clock must be in sync in order to generate the correct time-based OTP. If you have not implemented NTP, follow these steps:

Authentication Errors

  • Cannot complete your request. - if this error message occurs after successful authentication, it likely indicates an error passing user credentials to StoreFront. Verify the Dual Authentication schema and Traffic Policy settings.
  • Try again or contact your help desk - this error message often indicates an LDAP login failure. If you have verified the password is correct, verify that the Administrator bind password has been set. You may have had an existing LDAP authentication policy and created the manage policy by selecting it, followed by selecting Add. This step saves time by populating existing settings like the Base DN, and the Administrator password field may appear to be populated, but you MUST re-enter the password.

Summary

With Citrix Workspace and Citrix Gateway, enterprises can improve their security posture by implementing multifactor authentication without making the user experience complex. Users gain access to their Citrix Virtual Apps and Desktops by entering their domain user name and password, and then simply confirming their identity by entering a One Time Password from their registered authenticator app.

References

For more information refer to:

Native OTP Authentication - find more details regarding Native OTP implementation and use cases.
