PoC Guide: nFactor for Citrix Gateway Authentication with Push Token

Introduction

Time-based One-Time Passwords (TOTP) are an increasingly common second factor for strengthening an authentication that starts with a password. TOTP with push takes advantage of mobile devices by letting users receive and approve authentication requests at their fingertips instead of typing a code. The code itself is derived from a shared secret distributed during setup: the device and the server each compute an HMAC over that secret and the current 30-second time step (RFC 6238) and truncate the result to a short numeric code, so the secret itself never crosses the wire after enrollment.

Citrix Gateway supports push notification for OTP and can provide authentication for various services including web services, VPN, and Citrix Virtual Apps and Desktops. In this PoC guide we demonstrate using it for authentication in a Citrix Virtual Apps and Desktops environment.

Overview

This guide demonstrates how to implement a Proof of Concept environment using two-factor authentication with Citrix Gateway. It uses LDAP to validate Active Directory credentials as the first factor and Citrix Cloud Push Authentication as the second factor. It uses a Citrix Virtual Apps and Desktops published virtual desktop to validate connectivity.

It makes assumptions about the completed installation and configuration of the following components:

  • Citrix Gateway installed, licensed, and configured with an externally reachable virtual server bound to a wildcard certificate.
  • Citrix Gateway integrated with a Citrix Virtual Apps and Desktops environment which uses LDAP for authentication
  • Citrix Cloud account established
  • Endpoint with Citrix Workspace app installed
  • Mobile device with Citrix SSO app installed
  • Active Directory (AD) is available in the environment

Refer to Citrix Documentation for the latest product version and license requirements.

Citrix Gateway

nFactor

  1. Log in to the Citrix ADC UI
  2. Navigate to Traffic Management > SSL > Certificates > All Certificates to verify you have your domain certificate installed. In this PoC example we used a wildcard certificate corresponding to our Active Directory domain. See Citrix ADC SSL certificates for more information.

Push service action

  1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > Push service
  2. Select Add
  3. Populate the following fields:
    • Name - a unique value
    • The remaining three values come from Citrix Cloud. Log in to Citrix Cloud and navigate to Identity and Access Management > API Access
    • Create a unique name for the push service client and select Create Client
    • Client ID - copy & paste the Client ID from the Citrix Cloud ID and secret popup
    • Client Secret - copy & paste the Client Secret from the same popup (the secret is not displayed again after the popup is closed, so store it securely)
    • Select Close
    • Customer ID - copy & paste the Customer ID shown on the Citrix Cloud Identity and Access Management > API Access page
  4. Click Create

LDAP - authentication action

  1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
  2. Select Add
  3. Populate the following fields
    • Name - a unique value. We use 192.0.2.50_LDAP
    • Server Name / IP address - select an FQDN or IP address for the AD server(s). We enter 192.0.2.50
    • Base DN - enter the path to the AD user container. We enter OU=Team Accounts, DC=workspaces, DC=wwco, DC=net
    • Administrator Bind DN - enter the admin/service account used to query AD to authenticate users. We enter workspacesserviceaccount@workspaces.wwco.net
    • Confirm / Administrator Password - enter / confirm the admin / service account password
    • Server Logon Name Attribute - in the second field below this field enter userPrincipalName
  4. Select Create. For more information see LDAP authentication policies

LDAP - token storage action

  1. Next navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP
  2. Select the LDAP action created above and select Create
  3. Append OTP or any identifier to the name and uncheck the Authentication checkbox, so this action never validates the password itself
  4. Under Connection Settings verify the Base DN, Administrator Bind DN, and Password. This guide uses a service account that is a member of Domain Admins; what the action actually requires is write access to the userParameters attribute of the user objects under the Base DN, because it writes the token registered by the user's authenticator app into that attribute. Delegating only that attribute write on the OU is the least-privilege alternative. Treat the attribute as secret material: it holds the OTP seed, so limit who can read as well as write it.
  5. Scroll down to Other Settings
    • OTP Secret - enter userParameters
    • Push Service - select the push service action created above
  6. Select Create

nFactor

  1. Next navigate to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flows
  2. Select Add and select the plus sign in the Factor box
  3. Enter nFactor_OTP and select Create

nFactor - Registration Flow

  1. Select Add Policy and select Add again next to Select Policy
  2. Enter authPol_OTPReg
  3. Under Action Type select NO_AUTHN
  4. Select Expression Editor and build the expression by selecting the following in the drop-down menus offered:
    • HTTP
    • REQ
    • COOKIE.VALUE(String) = NSC_TASS
    • EQ(String) = manageotp
    The resulting expression is HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp"); the Gateway sets this cookie when a user browses to /manageotp, which is what routes that user into the registration branch instead of the normal login
  5. Select Done, followed by Create, followed by Add
  6. Select the green plus sign next to the authPol_OTPReg policy to create a factor
  7. Enter OTPRegAD and select Create
  8. In the box created select Add Schema
  9. Select Add and enter lschema_SingleRegOTP
  10. Under Schema Files navigate to LoginSchema, and select SingleAuthManageOTP.xml
  11. Select the blue select button, followed by Create, followed by OK
  12. In the same box select Add Policy and select Add again next to Select Policy
  13. Enter authPol_LDAP for the name
  14. Under Action Type select LDAP
  15. Under Action select your first LDAP authentication action. We use 192.0.2.50_LDAP
  16. Under Expression enter true
  17. Select Create followed by Add
  18. Select the green plus sign next to the authPol_LDAP policy to create a factor
  19. Enter OTPRegDevice and select Create
  20. In the same box select Add Policy and select Add again next to Select Policy
  21. Enter authPol_OTPAuthDevice for the name
  22. Under Action Type select LDAP
  23. Under Action select your newly created (second) LDAP action. We use 192.0.2.50_LDAP_OTP
  24. Under Expression enter true
  25. Select Create followed by Add

nFactor - Authentication Flow

  1. Select the blue plus sign under the authPol_OTPReg policy
  2. Enter authPol_OTPAuth
  3. Under Action Type select NO_AUTHN
  4. Under Expression enter true
  5. Select Create
  6. Select the green plus sign next to the authPol_OTPAuth policy to create a factor
  7. EnterOTPAuthAD
  8. Select Create
  9. In the box created select Add Schema
  10. Select Add and enter lschema_DualAuthOTP
  11. Under Schema Files navigate to LoginSchema, and select DualAuthPushOrOTP.xml
  12. Select the blue select button, followed by Create, followed by OK
  13. In the same box select Add Policy
  14. Select the policy we created during the setup of the Registration flow that maps to your first LDAP authentication action. We use authPol_LDAP
  15. Select Add
  16. Select the green plus sign next to the authPol_LDAP policy to create a factor
  17. Enter OTPAuthDevice. This factor uses the registered OTP token to perform the second-factor authentication, sending a push to the device or validating a manually entered code
  18. Select Create
  19. In the same box select Add Policy
  20. Select the policy authPol_OTPAuthDevice that we created during setup of the Registration flow
  21. Select Add
  22. Now we've completed the nFactor flow setup and can click Done

Citrix ADC Authentication, Authorization, and Auditing (Citrix ADC AAA) virtual server

  1. Next navigate to Security > AAA - Application Traffic > Virtual Servers and select Add
  2. Enter the following fields and click OK:
    • Name - a unique value
    • IP Address Type - Non Addressable
  3. Select No Server Certificate, select the domain certificate, click Select, Bind, and Continue
  4. Select No nFactor Flow
  5. Under Select nFactor Flow click the right arrow, select the nFactor_OTP flow created earlier
  6. Click Select, followed by Bind

Citrix Gateway - virtual server

  1. Next navigate to Citrix Gateway > Virtual Servers
  2. Select your existing virtual server that provides proxy access to your Citrix Virtual Apps and Desktops environment
  3. Select Edit
  4. Under Basic Authentication - Primary Authentication select LDAP Policy
  5. Check the policy, select Unbind, select Yes to confirm, and select Close
  6. Under the Advanced Settings menu on the right select Authentication Profile
  7. Select Add
  8. Enter a name. We enter PUSH_auth_profile
  9. Under Authentication virtual server click the right arrow, and select the Citrix ADC AAA virtual server we created, PUSH_Auth_Vserver
  10. Click Select, and Create
  11. Click OK and verify the virtual server now has an authentication profile selected while the basic authentication policy has been removed
  12. Click Done
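The same configuration, from the push service action through the Gateway virtual server binding, expressed as Citrix ADC CLI commands. This is an added example and not part of the original guide. It reuses the object names from the walkthrough (192.0.2.50_LDAP, 192.0.2.50_LDAP_OTP, authPol_OTPReg, PUSH_Auth_Vserver, PUSH_auth_profile and so on); the names wildcard_cert, gateway_vs, ldap_basic_pol and push_svc, and every angle-bracket placeholder, are assumptions to replace with your own values. It departs from the GUI defaults in one place: both LDAP actions use LDAPS on port 636 rather than plaintext LDAP on 389, because the second action reads and writes the OTP seed.

```nscli
# Added example: CLI equivalent of the GUI steps above, not from the original guide.
# Assumed names: wildcard_cert (certkey), gateway_vs (existing Gateway vserver),
# ldap_basic_pol (the classic LDAP policy being unbound), push_svc (push service).

# Push service: all three values come from Citrix Cloud > Identity and Access Management > API Access
add authentication pushService push_svc -clientId "<client-id>" -clientSecret "<client-secret>" -customerId "<customer-id>"

# First LDAP action: validates the AD password (first factor). LDAPS instead of the GUI default of plaintext/389.
add authentication ldapAction 192.0.2.50_LDAP -serverIP 192.0.2.50 -serverPort 636 -secType SSL -ldapBase "OU=Team Accounts,DC=workspaces,DC=wwco,DC=net" -ldapBindDn "workspacesserviceaccount@workspaces.wwco.net" -ldapBindDnPassword "<service-account-password>" -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn

# Second LDAP action: authentication disabled; it only reads/writes the seed in userParameters and drives the push service
add authentication ldapAction 192.0.2.50_LDAP_OTP -serverIP 192.0.2.50 -serverPort 636 -secType SSL -ldapBase "OU=Team Accounts,DC=workspaces,DC=wwco,DC=net" -ldapBindDn "workspacesserviceaccount@workspaces.wwco.net" -ldapBindDnPassword "<service-account-password>" -ldapLoginName userPrincipalName -authentication DISABLED -OTPSecret userParameters -pushService push_svc

# Advanced authentication policies (the two NO_AUTHN policies only select a branch)
add authentication Policy authPol_OTPReg -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action NO_AUTHN
add authentication Policy authPol_OTPAuth -rule true -action NO_AUTHN
add authentication Policy authPol_LDAP -rule true -action 192.0.2.50_LDAP
add authentication Policy authPol_OTPAuthDevice -rule true -action 192.0.2.50_LDAP_OTP

# Login schemas shipped with the appliance
add authentication loginSchema lschema_SingleRegOTP -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchema lschema_DualAuthOTP -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthPushOrOTP.xml"

# Registration branch: OTPRegAD (password) -> OTPRegDevice (write the seed)
add authentication policylabel OTPRegAD -loginSchema lschema_SingleRegOTP
add authentication policylabel OTPRegDevice -loginSchema LSCHEMA_INT
bind authentication policylabel OTPRegAD -policyName authPol_LDAP -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPRegDevice
bind authentication policylabel OTPRegDevice -policyName authPol_OTPAuthDevice -priority 100 -gotoPriorityExpression NEXT

# Authentication branch: OTPAuthAD (password, with "input OTP manually" option) -> OTPAuthDevice (push or typed code)
add authentication policylabel OTPAuthAD -loginSchema lschema_DualAuthOTP
add authentication policylabel OTPAuthDevice -loginSchema LSCHEMA_INT
bind authentication policylabel OTPAuthAD -policyName authPol_LDAP -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPAuthDevice
bind authentication policylabel OTPAuthDevice -policyName authPol_OTPAuthDevice -priority 100 -gotoPriorityExpression NEXT

# Non-addressable AAA vserver. The cookie check is bound at the lower priority number so it is evaluated first;
# only requests that arrived via /manageotp take the registration branch, everything else falls through to login.
add authentication vserver PUSH_Auth_Vserver SSL 0.0.0.0
bind ssl vserver PUSH_Auth_Vserver -certkeyName wildcard_cert
bind authentication vserver PUSH_Auth_Vserver -policy authPol_OTPReg -priority 100 -nextFactor OTPRegAD -gotoPriorityExpression NEXT
bind authentication vserver PUSH_Auth_Vserver -policy authPol_OTPAuth -priority 110 -nextFactor OTPAuthAD -gotoPriorityExpression NEXT

# Hand the Gateway vserver over to nFactor: drop the classic LDAP binding, attach the authentication profile
unbind vpn vserver gateway_vs -policy ldap_basic_pol
add authentication authnProfile PUSH_auth_profile -authnVsName PUSH_Auth_Vserver
set vpn vserver gateway_vs -authnProfile PUSH_auth_profile
save ns config
```

Paste the commands into the CLI or apply them from a file with batch -fileName. Two checks worth running afterwards: show authentication vserver PUSH_Auth_Vserver should list the two policy bindings with their next factors, and browsing to the Gateway FQDN with /manageotp appended should present the single-auth registration form while a plain visit to the FQDN presents the dual-auth form. If the second LDAP action fails at registration time while the first succeeds, the usual cause is the service account lacking write permission on userParameters.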

User Endpoint

Now we test PUSH by registering a mobile device and authenticating into our Citrix Virtual Apps and Desktops environment.

Registration with Citrix SSO app

  1. Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway with /manageotp appended to the end of the FQDN. We use https://gateway.workspaces.wwco.net/manageotp
  2. After your browser is redirected to a login screen enter the user UPN and password
  3. On the next screen select Add Device and enter a name. We use iPhone7
  4. Select Go and a QR code will appear
  5. On your mobile device open your Citrix SSO app which is available for download from apps stores
  6. Select Add New Token
  7. Select Scan QR Code
  8. Aim your camera at the QR code and once it's captured select Add
  9. Select Save to store the token
  10. The token is now active and begins displaying OTP codes at 30-second intervals. The QR code carried the shared secret, so treat the registration screen like a credential: complete enrollment on a trusted network and do not leave the code on a shared display
  11. Select Done and you will see confirmation that the device was added successfully

Citrix Virtual Apps and Desktops Authentication, Publication, and Launch

  1. Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway. We use https://gateway.workspaces.wwco.net
  2. After your browser is redirected to a login screen enter the user UPN and password. On this screen you also see the option Click to input OTP manually, which lets the user type the code shown in the Citrix SSO app if the push notification cannot be received
  3. On your mobile device, in the Citrix SSO app, select OK to confirm the push authentication
  4. Verify the user's virtual apps and desktops are enumerated and launch once logged in

Summary

With Citrix Workspace and Citrix Gateway, enterprises can improve their security posture by implementing multifactor authentication without making the user experience complex. Users can get access to all of their Workspace resources by entering their standard domain user name and password and simply confirming their identity with the push of a button in the Citrix SSO app on their mobile device.

References

For more information refer to:

Authentication Push - watch a Tech Insight video regarding the use of TOTP to improve authentication security for your Citrix Workspace

Authentication - On-Premises Citrix Gateway - watch a Tech Insight video regarding integrating with on-premises Citrix Gateway to improve authentication security for your Citrix Workspace