
30/07/2019 Native One Time Passwords (OTP) – Citrix Gateway 13 – Carl Stalhood

https://www.carlstalhood.com/native-one-time-passwords-otp-citrix-gateway-13/ 1/68

Carl Stalhood – Filling gaps in EUC vendor documentation

Native One Time Passwords (OTP) – Citrix Gateway 13

Last Modified: May 30, 2019 @ 6:41 pm

7 Comments

Navigation

Change Log

Overview

Citrix ADC Configuration Objects for OTP

AAA vServer

Push Service

LDAP Policies/Actions

nFactor Visualizer

First Factor to select Manage or Authenticate

Second Factor for LDAP before manageotp

Third Factor for manageotp

Second Factor for LDAP before OTP Authentication

Third Factor for OTP Authentication

Bind nFactor Flow to AAA vServer

Number of Registered OTP Devices

Traffic Policy for Single Sign-on

Citrix Gateway and Authentication Profile

Update Content Switching Expression for Unified Gateway

Manageotp User Experience

OTP Authentication User Experience


CLI Commands

Change Log

New OTP features in ADC 13:

Push Notifications

nFactor Visualizer

Maximum number of registered devices per user

Overview

Citrix ADC 13 Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses Citrix SSO app (mobile VPN Client) to receive push notifications, or Google Authenticator to generate Passcodes. See the following for an overview:

YouTube video NetScaler Unified Gateway One Time Password

Citrix Blog Post NetScaler Unified Gateway Provides One Time Password (OTP), Natively

Citrix CTX228454 NetScaler One Time Password (OTP) Guide for Dual Authentication or Registration

Here are some notes and requirements for Native OTP:

Licensing – Citrix ADC Native OTP is part of nFactor, and thus requires Citrix ADC Advanced Edition or Citrix ADC Premium Edition licensing. Citrix ADC Standard Edition licensing is not sufficient.

OTP Push Notifications require ADC Premium Edition

Workspace app 1809 and newer with Citrix Gateway 12.1 build 49 and newer support nFactor authentication. Older Receivers and older NetScalers don’t support nFactor with Receiver, so you’ll instead have to use a web browser.


Citrix Gateway VPN Plug-in 12.1 build 49 and later support nFactor when authenticating from the VPN Plug-in.


Push notifications – Citrix ADC 13 and newer supports OTP push notifications of logon requests to the mobile (iOS, Android) Citrix SSO app. Other authenticator apps are not supported for OTP Push, but they can be used with OTP Passcode.

Authenticator – If not using Citrix SSO app, then Google Authenticator can generate passcodes. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).

Internet for Push – Push notifications require the Citrix ADC appliance to be able to send API calls across the Internet to Citrix Cloud.

Active Directory attribute – Citrix ADC stores OTP device enrollment secrets in a string-based Active Directory attribute. Citrix’s documentation uses the userParameters Active Directory attribute.

The LDAP bind account must have permission to modify this attribute on every user.

The userParameters attribute must not be populated. Active Directory Users & Computers might set the userParameters attribute if you modify any of the RDS property pages.

Enroll multiple devices – Citrix ADC 13 and newer lets you control the number of devices that a user can enroll.

Manageotp is difficult to secure – The manageotp website is usually only protected by single-factor authentication, so external access must be blocked.

Notes on Citrix ADC Configuration Objects for OTP

Here are some notes on the Citrix ADC OTP configuration objects. Detailed instructions are provided later.

Make sure NTP is configured on the Citrix ADC. Accurate time is required.

AAA vServer – nFactor requires a AAA vServer, which can be non-addressable. You don’t need any additional public IP for OTP.

An Authentication Profile links the AAA vServer to the Citrix Gateway vServer.

Citrix Cloud – For Push notifications, create a Citrix Cloud account. No Citrix Cloud licensing needed. Citrix ADC uses Cloud API credentials to authenticate with Citrix Cloud.

NSC_TASS cookie – To access the manageotp web page, users add /manageotp to the end of the Gateway URL. Citrix ADC puts this URL path into a cookie called NSC_TASS. You can use this cookie and its value in policy expressions for determining which Login Schema is shown to the user.

Login Schema for manageotp – The built-in Login Schema file named SingleAuthManageOTP.xml has hidden fields that enable the manageotp web page. If the Login Schema Policy expression permits the SingleAuthManageOTP.xml Login Schema to be shown to the user, then after authentication the user will be taken to the manageotp web page.


LDAP authentication is expected to be bound to the same factor as this SingleAuthManageOTP login schema.

The next factor is a LDAP Policy/Server with authentication disabled (unchecked) but with arguments specifying the Active Directory attribute for the OTP Secret and Push Service configuration.

Login Schema for OTP authentication – The built-in Login Schema file named DualAuthPushOrOTP.xml performs the two-factor authentication utilizing the push service. There’s a checkbox that lets users choose Passcode instead of Push. This login schema has a Credential called otppush.


If you prefer to not use Push, then you can use a normal DualAuth.xml Login Schema file, since for passcode authentication there are no special Login Schema requirements other than collecting two password fields.

Both methods expect an authenticating LDAP Policy/Server to be bound to the same Factor as the Login Schema.

The next factor should be a non-authenticating LDAP Policy/Server that optionally has the Push Service defined and must have the OTP Secret attribute defined.

Single Sign-on to StoreFront – The OTP dual authentication Login Schema essentially collects two passwords (AD password plus push, or AD password plus passcode). Later, Citrix Gateway needs to use the AD password to perform Single Sign-on to StoreFront. To ensure the AD password is used instead of the OTP passcode, configure the OTP dual authentication Login Schema to store the AD password in a AAA attribute and then use a Citrix Gateway Traffic Policy/Profile to utilize the AAA attribute during Single Sign-on to StoreFront.

nFactor Visualizer – Citrix ADC 13 has a nFactor Visualizer to simplify the OTP configuration. Or you can manually create the LDAP Policies/Actions, the Login Schema Policies/Profiles, the PolicyLabels, and then bind them to a AAA vServer.
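The passcode path described above depends on the authenticator app and the appliance computing the same time-based code, which is why the note about NTP matters. The following is an added example written for this page, not code from the article or from Citrix: a minimal RFC 6238 TOTP generator and verifier in Python, using the reference test secret from RFC 6238 Appendix B, that shows how a clock offset on the verifying side turns a valid passcode into a rejection once the skew exceeds the accepted window. The 30-second step and 6-digit length match Google Authenticator defaults; the accepted window of one step is an assumption for this example and is not a value taken from the article.

```python
import base64
import hashlib
import hmac
import struct

# The reference test secret from RFC 6238 Appendix B (the ASCII string
# "12345678901234567890"), shown base32-encoded as an authenticator app would
# import it. It is a published test vector, not a real enrollment secret.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30    # time step used by Google Authenticator-style apps
DIGITS = 6           # passcode length shown to the user
ACCEPT_WINDOW = 1    # assumption for this example: tolerate +/- one step of drift


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced to the requested number of digits."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32, unix_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32, passcode, server_time, window=ACCEPT_WINDOW, step=STEP_SECONDS):
    """Accept the passcode if it matches the server's current step or any step
    within +/- window. Every candidate is compared in constant time, and the loop
    never exits early, so response timing does not reveal which step matched."""
    counter = server_time // step
    submitted = passcode.encode("utf-8", "replace")
    accepted = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret_b32, counter + delta).encode("ascii")
        if hmac.compare_digest(candidate, submitted):
            accepted = True
    return accepted


def passcode_survives_skew(secret_b32, phone_time, server_skew_seconds, window=ACCEPT_WINDOW):
    """Model of a user whose phone clock is correct while the verifying server's
    clock is off by server_skew_seconds. Returns whether the passcode is accepted."""
    passcode = totp(secret_b32, phone_time)
    return verify_totp(secret_b32, passcode, phone_time + server_skew_seconds, window)


if __name__ == "__main__":
    now = 1111111109   # one of the RFC 6238 reference timestamps
    print("passcode now:", totp(RFC6238_TEST_SECRET_B32, now))
    for skew in (0, 20, 45, 90):
        verdict = "accepted" if passcode_survives_skew(RFC6238_TEST_SECRET_B32, now, skew) else "rejected"
        print(f"server clock off by {skew:>2}s -> {verdict}")
```

With a one-step window, a server that drifts by more than about a minute rejects every passcode from correctly synchronised phones, which from the helpdesk's side looks like users mistyping codes. Pointing the appliance at NTP removes that whole class of failure; widening the window instead enlarges the set of codes a stolen or replayed value stays valid for.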


AAA Virtual Server

Create a AAA vServer that is the anchor point for our OTP nFactor configuration.

1. Go to Security > AAA – Application Traffic.

2. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.

3. Go to Security > AAA – Application Traffic > Virtual Servers.

4. On the right, click Add.

5. This AAA vServer is for OTP so name it accordingly.

6. Change the IP Address Type to Non Addressable. You don’t need to specify any additional IP address.


7. Click the blue OK button.

8. Click where it says No Server Certificate.

a. In the Server Certificate Binding section, click Click to select.

b. Click the radio button next to a certificate, and then click the blue Select button at the top of the page. You can select the same certificate as the Citrix Gateway Virtual Server.

c. Click Bind.

9. Click Continue to close the Certificate section.

10. In the Advanced Authentication Policies section, don’t bind anything and just click Continue. We’ll bind a nFactor Flow later.


11. You can optionally improve the SSL ciphers on this AAA Virtual Server, but it’s probably not necessary since this AAA vServer is not directly addressable.

12. Nothing else is needed at this time so click the blue back arrow on the top left.

Push Service

If your Citrix ADC has Internet access, then you can enable OTP Push Authentication. The ADC must be able to reach the following FQDNs:

mfa.cloud.com

trust.citrixworkspacesapi.net

Create an API Client at citrix.cloud.com:

1. Go to https://citrix.cloud.com and login. Your cloud account does not need any licensed services.

2. On the top left, click the hamburger (menu) icon, and then click Identity and Access Management.


3. Switch to the tab named API Access.

4. On this page, notice the Customer ID. You’ll need this value later.

5. Enter a name for a new API client and then click Create Client.


6. Click Download to download the client credentials.

On ADC 13, create the Push Service:

1. In Citrix ADC 13 management GUI, navigate to the Push Service node. The easiest way to find it is to enter Push in the search box on the top left.

2. On the right, click Add.

3. In the Create Push Service page, do the following:

a. Enter a name for the Push Service.

b. Enter the Client ID and Client Secret that you downloaded when creating your API Client.

c. Enter the Customer ID shown on the Create Client web page at cloud.com. Make sure there are no hidden characters or whitespace around the Customer ID.


4. Click Create.

5. On the top right, click the refresh icon until the Status changes to COMPLETE. If it won’t go past CCTOKEN, then make sure you entered the API Client info correctly, especially the Customer ID, which might have hidden characters around it.

LDAP Actions/Servers

Create three LDAP Actions (aka LDAP Servers):

One LDAP Action for normal LDAP authentication against Active Directory

One LDAP Action to set the OTP Active Directory attribute and register with push

One LDAP Action to perform push authentication (in a dual-authentication flow)

Create normal LDAP Action


1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.

2. On the right, click Add.

3. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. There are no special instructions for this LDAP Server.

Create LDAP Action for OTP Device Registration

Create the LDAP Action for OTP device registration that sets the OTP Active Directory attribute and registers with push:

1. Create another LDAP Action.


2. Name it according to this goal: used by the manageotp web site to set the OTP authenticator in Active Directory.

3. On the right, uncheck the box next to Authentication.

4. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users. A regular non-admin LDAP Bind account won’t work.

5. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new LDAP Action won’t work.

6. Click Test LDAP Reachability.

7. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.


8. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where Citrix ADC will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.

userParameters is populated by Active Directory Users & Computers if you set anything on the RDS tabs (e.g. RDS Roaming Profile).

9. Select the Push Service that you created earlier.

10. Click Create when done.

Create LDAP Action for OTP Authentication

Create a LDAP Action that performs OTP push authentication or verifies the OTP Passcode. The only difference from the prior LDAP Action is the addition of an LDAP Search Filter.

1. Create another LDAP Action.

2. Give the LDAP Action a name.


3. On the right, uncheck the box next to Authentication.

4. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.

5. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new LDAP Action won’t work.

6. Click Test LDAP Reachability.

7. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.

8. In the Search Filter field, enter the text userParameters>=#@. This syntax ensures that only users with enrolled authenticators can log in. See George Spiers’ NetScaler native OTP for more info.

9. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.

10. In the Push Service drop-down, select the Push Service that you already created.

11. Click Create when done.
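Two prerequisites above are easy to verify before rollout: the userParameters attribute must be empty for every user (the RDS property pages write into it), and the search filter userParameters>=#@ only admits accounts whose attribute already carries an enrollment. The following is an added example, not the article's or Citrix's code: a small Python audit over a constructed set of LDAP results that classifies each account as not enrolled, enrolled, or in conflict, and separately evaluates an approximation of the ordering filter. The assumptions are labelled in the code: the sample values are invented, an enrollment is assumed to begin with the two characters #@ that the filter tests for, and Active Directory's string ordering rule is approximated by a case-insensitive Python comparison.

```python
OTP_PREFIX = "#@"   # the marker the article's search filter (userParameters>=#@) tests for

# Constructed sample of (sAMAccountName, userParameters) pairs in the shape an LDAP
# search would return them. Secrets and the RDS blob are placeholders, not real data.
SAMPLE_USERS = [
    ("alice", "#@alice-phone=PLACEHOLDER_SECRET&,"),   # enrolled via manageotp (assumed layout)
    ("bob",   None),                                     # attribute absent: never enrolled
    ("carol", ""),                                       # attribute present but empty
    ("dave",  "CtxCfgPresent PLACEHOLDER_RDS_BLOB"),     # RDS tab settings written by ADUC (constructed)
]


def matches_otp_filter(value, prefix=OTP_PREFIX):
    """Approximation of the LDAP ordering filter (userParameters>=#@): an absent or
    empty attribute never matches; otherwise the value must sort at or after "#@".
    AD's ordering matching rule is approximated by a case-insensitive comparison."""
    if not value:
        return False
    return value.casefold() >= prefix.casefold()


def classify(value, prefix=OTP_PREFIX):
    """Three states that matter for the OTP rollout:
    not-enrolled: nothing stored, the registration LDAP action is free to write here;
    enrolled:     the value carries the OTP marker the search filter looks for;
    conflict:     something else (for example RDS settings) already occupies the attribute."""
    if not value:
        return "not-enrolled"
    if value.startswith(prefix):
        return "enrolled"
    return "conflict"


def audit(users):
    """Per-account classification plus a summary count, as a pre-rollout check.
    Accounts in the conflict state need the attribute cleared (or a different
    attribute chosen as the OTP Secret) before the registration action is used."""
    report = {name: classify(value) for name, value in users}
    summary = {"not-enrolled": 0, "enrolled": 0, "conflict": 0}
    for state in report.values():
        summary[state] += 1
    return report, summary


if __name__ == "__main__":
    report, summary = audit(SAMPLE_USERS)
    for name, state in report.items():
        print(f"{name:<6} {state:<13} filter-matches={matches_otp_filter(dict(SAMPLE_USERS)[name])}")
    print("summary:", summary)
```

In a real check the sample list would be replaced by the results of an LDAP search for userParameters over the user base. The point of keeping classify separate from matches_otp_filter is that the filter alone is a gate for logon, not a data-quality check: under the comparison used here a foreign value that happens to sort after #@ still passes the filter, so the audit looks at the stored content rather than relying on the filter.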

nFactor Visualizer

We will build a nFactor Flow that looks something like this:


First factor on the left chooses either OTP Device Registration or OTP Authentication. If the user enters /manageotp, then the nFactor Flow takes the top path. Otherwise, the nFactor flow takes the bottom path.

Login Schema is not needed for the first factor.

Second factor for Manage OTP = Login Schema with Manage OTP flag and normal LDAP authentication before allowing users to add devices.

Third factor is just an LDAP Policy configured with the OTP Active Directory attribute and Push Service. No Login Schema needed.

Second factor for OTP Authentication = Login Schema with OTP Push (or OTP Passcode) and normal LDAP authentication.

Third factor is just an LDAP Policy with the OTP Active Directory attribute and Push Service. No Login Schema needed.

nFactor Visualizer notes:

nFactor Visualizer is not required. You can instead follow the older manual ADC 12.1 instructions.

It doesn’t seem to be possible to rename any part of the flow once it’s created. To rename, you basically remove the entire flow and rebuild it.

nFactor Visualizer does not support policy expressions for Login Schemas, so the older ADC 12.1 instructions must be modified to support two different branches.

Create Flow and first factor that selects Manage or selects Authenticate

1. In ADC 13, go to Security > AAA – Application Traffic > nFactor Visualizer > nFactor Flows. Or search the menu for nFactor.


2. On the right, click Add.

3. Click the blue plus icon to create a factor.

4. Name the factor based on this goal: choose manageotp or authenticate based on whether the user entered /manageotp or not. The name of the first factor is also the name of the nFactor Flow.

5. Click the blue Create button.


6. The first factor does not need a Schema.

7. In the first factor, click where it says Add Policy.

8. In the Choose Policy to Add page, click Add to create an authentication policy.

a. Name this policy according to this goal: if this policy’s expression is true, then select the manageotp branch (instead of OTP authentication).

b. For the Action Type drop-down, select NO_AUTHN. This policy is merely a decision point for the next factor, so no actual authentication will occur at this time. The next factor is configured later.

c. In the Expression box, enter something similar to the following. The IP subnet expression restricts the manageotp web page to only internal users.

http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)


d. Then click the blue Create button.

9. Click the blue Add button to bind this policy to the factor.

10. In the first factor, below the policy you just added, click the blue plus arrow to create another policy.


11. In the Choose Policy to Add page, click Add to create another policy.

a. Name the policy according to this goal: select the dual factor OTP authentication branch.

b. For the Action Type drop-down, select NO_AUTHN. This is a decision point policy without authentication that leads to the next factor that does the actual authentication.

c. In the Expression box, enter true to capture all OTP users that did not match the prior manageotp policy.


d. Click the blue Create button.

12. Click Add to bind this policy to the first factor, but after (higher priority number than) the manageotp policy.
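The first factor built in the steps above is pure routing: the NSC_TASS cookie (set from the /manageotp path the user typed) and the client's source address decide which branch runs, and the catch-all true policy has to sit at the higher priority number so it is only reached when the manageotp policy did not match. The following is an added example written for this page, not code from the article or from Citrix: a Python model of that first factor that parses the Cookie header, tests the source address against the internal subnet, and evaluates the two policies in binding order. The subnet 10.2.0.0/16 is the one from the expression above; the policy name SelectOTPAuth and the next-factor names are assumptions for this example (SelectManageOTP is the name the article uses later).

```python
import ipaddress
from http.cookies import SimpleCookie

# Internal range taken from the article's example expression; adjust to the
# ranges that should be allowed to reach manageotp.
INTERNAL_SUBNETS = [ipaddress.ip_network("10.2.0.0/16")]


def nsc_tass_value(cookie_header):
    """Value of the NSC_TASS cookie from a request's Cookie header, or "" if absent.
    The Gateway derives this cookie from the URL path the user requested."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["NSC_TASS"].value if "NSC_TASS" in jar else ""


def client_is_internal(client_ip):
    """Python equivalent of CLIENT.IP.SRC.IN_SUBNET(...) over the configured ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_SUBNETS)


# The first factor's NO_AUTHN policies in binding order, lowest priority number first.
# Each entry: (policy name, expression as a Python predicate, next factor it leads to).
# Policy and factor names other than SelectManageOTP are assumed for this example.
FIRST_FACTOR_POLICIES = [
    ("SelectManageOTP",
     lambda cookie, ip: nsc_tass_value(cookie) == "manageotp" and client_is_internal(ip),
     "LDAP-then-manageotp"),
    ("SelectOTPAuth",
     lambda cookie, ip: True,   # the article's catch-all expression: true
     "LDAP-then-OTP-authentication"),
]


def select_branch(cookie_header, client_ip):
    """Evaluate the first factor in priority order: the first policy whose
    expression is true decides the next factor. Returns (policy name, next factor)."""
    for name, predicate, next_factor in FIRST_FACTOR_POLICIES:
        if predicate(cookie_header, client_ip):
            return name, next_factor
    raise RuntimeError("no policy matched; the flow would have no next factor")


if __name__ == "__main__":
    # Constructed requests: an internal user asking for manageotp, an external
    # client sending the same cookie, and an ordinary logon with no cookie.
    for cookie, ip in [("NSC_TASS=manageotp", "10.2.5.7"),
                       ("NSC_TASS=manageotp", "203.0.113.9"),
                       ("", "10.2.5.7")]:
        print(f"{ip:<12} cookie={cookie!r:<22} -> {select_branch(cookie, ip)}")
```

The second constructed request is the one the subnet clause exists for: the cookie alone is under the client's control, so without the source-address condition anyone on the Internet could reach the single-factor manageotp page. Swapping the two entries in FIRST_FACTOR_POLICIES (binding the true policy first) would send every request down the authentication branch, which is the failure mode step 12 guards against.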

Create second factor for manageotp


1. In the first factor, click the green plus icon to the right of the “SelectManageOTP” policy. If the “SelectManageOTP” policy is true, then this new factor will be evaluated.

2. Name this factor according to this goal: perform single-factor LDAP authentication before allowing access to the manageotp web page.

3. Then click the blue Create button.

4. In the second factor, click where it says Add Schema.


5. In the Choose Schema page, click Add to create a Login Schema.

a. Name the Login Schema according to this goal: ask user for one password that will be verified with LDAP (Active Directory) before showing the manageotp web page.

b. In the Authentication Schema field, click the pencil icon.

c. The existing window expands to show the Login Schema Files. On the left, click the LoginSchema folder to see the files in that folder.

d. In the list of files, click SingleAuthManageOTP.xml. This login schema asks for one password and has the special hidden credential to enable the manageotp web page.

e. To actually select this file, on the top right, click the blue Select button. The Login Schema window will then collapse so that Login Schema Files are no longer shown.

f. Make sure the Authentication Schema field shows the Login Schema file that you selected.

g. Then click the blue Create button.


6. Click OK to bind the Schema to the factor.

7. In the second factor, below the Schema, click Add Policy.

8. In the Choose Policy to Add page, if you already have a normal Advanced Expression LDAP policy, then select it.

9. Otherwise, click Add to create one.

a. Name this policy according to this goal: perform normal LDAP authentication against an Active Directory domain.

b. In the Action Type drop-down, select LDAP.

c. In the Action drop-down, select the LDAP Action/Server you created earlier that performs normal authentication.

d. In the Expression box, enter true, which is an Advanced Expression.


e. Click the blue Create button.

10. Click Add to bind this LDAP Policy to the factor.

Create third factor that registers an OTP device with Active Directory and Push


1. In the second factor, click the green plus icon to create another factor. This new factor is only evaluated if the LDAP Policy is successful.

2. Name the factor according to this goal: register the device with Active Directory and optionally Push.

3. This factor does not need any Schema.

4. In the third factor, click Add Policy.


5. In the Choose Policy to Add page, click Add to create a policy.

a. Name the policy according to this goal: Register OTP devices using LDAP Action without authentication that has the OTP Secret Attribute specified.

b. In the Action Type drop-down, select LDAP.

c. In the Action drop-down, select the LDAP Action you created earlier that registers new devices. Make sure authentication is disabled in the LDAP Action, and make sure it has OTP Secret and optionally OTP Push configured.

d. In the Expression field, enter true.

e. Click the blue Create button.


6. Click the blue Add button to bind this policy to the factor.

The Factors for manageotp are complete. Now we build the factors for authenticating using OTP.

Create a second factor for LDAP Authentication

1. Go back to the first factor and click the green plus icon next to the OTP Authentication policy.

2. Name the factor according to this goal: ask the user for one password + push, or two passwords, and then perform LDAP authentication. OTP authentication is performed in the next factor (see below).

3. In the second factor, click where it says Add Schema.

4. In the Choose Schema window, click Add.

a. Name the Login Schema according to this goal: ask for one password + OTP push, or ask for two passwords.

b. In the Authentication Schema field, click the pencil icon.

c. The window expands to show Login Schema Files. On the left, click the LoginSchema folder to see the files under it.

d. On the left, click the DualAuthPushOrOTP.xml file.

e. Or if you don’t want push, then click a normal two password schema like DualAuth.xml. You can modify the DualAuth.xml file to indicate to the user that the OTP Passcode is expected in the second field.

f. Then on the top right click the blue Select button. This causes the Login Schema window to collapse and no longer show the Login Schema Files.

g. In the Authentication Schema field, make sure the correct file name is selected.

h. Click More.

i. At the bottom, in the Password Credential Index field, enter a 1 to save the first password into AAA Attribute 1, which we’ll use later in a Traffic Policy that performs Single Sign-on to StoreFront.

j. Then click the blue Create button.

5. Click OK to bind the Schema to the factor.

6. In the second factor, below the schema, click where it says Add Policy.

7. In the Select Policy drop-down, select your normal LDAP Active Directory authentication policy. This is the same one you used for the second factor in the manageotp branch.

8. Click the blue Add button to bind this LDAP policy to the second factor.

Create third factor to perform OTP authentication (Push or Passcode)

1. In the second factor, click the green plus icon next to the LDAP Policy to create another factor.

2. Name the factor according to this goal: perform OTP Push or Passcode authentication.

3. Be aware that the nFactor Visualizer might swap your third factors.

4. This third factor does not need a Login Schema.

5. In the new third factor (probably the top one, follow the arrows), click where it says Add Policy.

6. In the Choose Policy to Add page, click Add to create a policy.

a. Name this policy according to this goal: perform OTP Push or OTP Passcode authentication.

b. In the Action Type drop-down, select LDAP.

c. In the Action drop-down, select the LDAP action you created earlier that verifies the OTP push or passcode. This is the Action that has the LDAP Filter configured.

d. In the Expression box, enter true.

e. Click the blue Create button.

7. Click the blue Add button to bind this policy to the third factor.

8. Click the blue Done button to close the Flow.

Bind nFactor Flow to AAA Virtual Server

1. In the nFactor Flows menu node, highlight the nFactor Flow and click the button labelled Bind to Authentication Server.

2. In the Authentication Server drop-down, select the AAA vServer you created earlier.

3. Everything else should already be filled in so just click the blue Create button.

Maximum Number of Registered OTP Devices

ADC 13 lets you restrict the number of OTP devices each user can register:

1. In the ADC menu, go to Security > AAA – Application Traffic.

2. On the right, click Change authentication AAA OTP Parameter.

3. Enter the number of devices each user can register and then click OK.

4. When the user attempts to register more than the max number of devices, the error message is not user friendly.

5. But you can see the actual error by grepping /var/log/ns.log for otp, which might show <Max permitted otp devices reached>.

Traffic Policy for Single Sign-on to StoreFront

Create Traffic Profile

1. On the left, go to Citrix Gateway > Policies > Traffic.

2. On the right, switch to the tab named Traffic Profiles, and click Add.

3. Name the Traffic Profile according to this goal: use AAA attribute 1 as the password when doing Single Sign-on to StoreFront.

4. Scroll down.

5. In the SSO Password Expression box, enter the following, which reads the password saved by the Login Schema Password Credential Index specified earlier.

AAA.USER.ATTRIBUTE(1)

6. Click the blue Create button.

Create Traffic Policy

1. On the right, switch to the tab named Traffic Policies, and click Add.

2. In the Request Profile field, select the Traffic Profile you just created.

3. Name the Traffic Policy.

4. In the Expression box, enter true (Advanced Syntax).

If your Citrix Gateway Virtual Server allows full VPN, change the expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN.

http.req.method.eq(post)||http.req.method.eq(get) && false

5. Click the blue Create button.

Citrix Gateway, Traffic Policy, and Authentication Profile

Note: ADC 13.0 build 36.27 will perform a core dump if AppFlow is enabled on the appliance, so make sure AppFlow is disabled under Advanced Features. The core dump seems to happen even if no AppFlow policies are bound to the Gateway Virtual Server.

Edit an existing Citrix Gateway Virtual Server

1. Go to Citrix Gateway > Virtual Servers.

2. Edit an existing Gateway vServer. If you don’t have one, see the other Citrix Gateway topics on this site.

Bind the Traffic Policy

1. While editing a Gateway Virtual Server, scroll down to the Policies section, and click the plus icon.

2. Change the Choose Policy drop-down to Traffic, and then click the blue Continue button.

3. In the Policy Binding section, click Click to select.

4. Click the radio button next to the Traffic Policy you created earlier, and then click the blue Select button at the top of the page.

5. Click the blue Bind button.

Create Authentication Profile

Create and bind an Authentication Profile to link the Gateway Virtual Server to the AAA Virtual Server:

1. While editing a Gateway Virtual Server, on the right, in the Advanced Settings column, click Authentication Profile.

2. On the left, scroll down to the Authentication Profile section.

3. Click Add to create one.

4. The Authentication Profile links the Citrix Gateway vServer with the OTP AAA vServer, so name it accordingly.

5. In the Authentication Virtual Server section, click Click to select.

6. Click the radio button next to the OTP AAA vServer, and then click the blue Select button at the top of the page.

7. Click the blue Create button.

8. Scroll down again to the Authentication Profile section, and click the blue OK button. Your selection isn’t saved until you click OK.

9. The Portal Theme bound to the Gateway Virtual Server should be X1, RfWebUI, or a derivative.

Update Content Switching Expression for Unified Gateway

If your Citrix Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths; otherwise requests for /manageotp are never switched to the Gateway vServer.

1. In the Citrix ADC GUI, navigate to Configuration > Traffic Management > Content Switching > Policies.

2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.

3. Append the following expression under the Expression area, and then click OK.

|| HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp User Experience

To access the manageotp web page:

1. Point your browser to https://mygateway.corp.com/manageotp or similar. Add /manageotp to the end of your Gateway URL.

2. Notice that this page is protected by single-factor authentication only: log in with your normal LDAP credentials. A password alone is enough to register a new OTP device here, so the manageotp branch must not be reachable from the Internet. The flow in this guide gates the manageotp selection policy on the client source subnet (see the SelectManageDevices rule in the CLI Commands section), and because manageotp is itself an nFactor branch, you can bind a further factor to it if external access is required.

3. Click Add Device.

4. Enter a device name, and click Go.

5. For OTP Push, on your phone, install the Citrix SSO app if it’s not already installed. Then launch it.

a. Switch to the Password Tokens tab and tap Add New Token.

b. Tap Scan QR Code.

c. Then scan the QRCode shown in your browser.

d. You should see the Device Name. Tap Save.

6. If OTP Passcode, launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QRCode that is shown on the screen.

a. Citrix SSO app also supports passcode.

b. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).

7. If you configured OTP Push, then you won’t see a Test button. To display the Test button, simply refresh your browser page.

8. Click Test.

9. Enter the passcode shown in your Authenticator, and click Go.

a. Citrix SSO app shows the passcode on the main Password Tokens view.

10. When done, on the top right, click your name and Log Off.

11. The OTP registration info is stored in the Active Directory attribute named as the OTP Secret in the LDAP Action (userParameters in the CLI Commands section). If users need to re-register, the help desk might need permission to clear this attribute. Because the attribute holds each user’s OTP secrets, also restrict who can read it, not just who can write it.

Perform OTP Authentication

1. If you access your Gateway URL normally, you’ll be prompted for either one password or two passwords. If one password, then enter your normal LDAP credentials and Citrix Gateway will send a push notification to your phone. If two passwords, then enter the OTP passcode in the second field.

2. The push notification is shown on the phone’s lock screen. Tap it to open the Citrix SSO app.

3. Tap Allow to allow the authentication request.

4. Tap OK when prompted with Logon Success.

5. After Gateway authentication, Gateway should Single Sign-on into StoreFront with no additional password prompts.

CLI Commands

Here’s a complete OTP nFactor Flow (Visualizer) CLI configuration (except encrypted passwords). Note that the Traffic Profile and Traffic Policy for Single Sign-on to StoreFront, and the Unified Gateway Content Switching change, are not part of this dump; add those separately.

# AAA Global Settings
# -------------------
enable ns feature AAA
set aaa otpparameter -maxOTPDevices 1

# Push Service
# ------------
add authentication pushService cloudPush -namespace "https://mfa.cloud.com/" -clientID b6effb5e-b2d3125 -clientSecret 152c84647b -encrypted -encryptmethod ENCMTHD_3 -CustomerID MyCompan -trustService "https://trust.citrixworkspacesapi.net/"

# LDAP Actions
# ------------
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn [email protected] -ldapBindDnPassword a368c -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapAction OTPRegisterDevice -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn [email protected] -ldapBindDnPassword 1f952a81 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -pushService cloudPush -OTPSecret userParameters
add authentication ldapAction LDAPOTPAuthentication -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn [email protected] -ldapBindDnPassword 4319b4d7 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -pushService cloudPush -OTPSecret userParameters

# Advanced Authentication Policies
# --------------------------------
add authentication Policy _OTP-AAA_OTPManageOrAuthenticate__root_0 -rule true -action NO_AUTHN
add authentication Policy SelectManageDevices -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)" -action NO_AUTHN
add authentication Policy SelectOTPAuthentication -rule true -action NO_AUTHN
add authentication Policy LDAPAdv -rule true -action LDAP-Corp
add authentication Policy OTPRegisterDevice -rule true -action OTPRegisterDevice
add authentication Policy LDAPOTPAuthentication -rule true -action LDAPOTPAuthentication

# Login Schemas
# -------------
add authentication loginSchema SinglePasswordForManageOTP -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchema OTPPushOrPasscode -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthPushOrOTP.xml" -passwordCredentialIndex 1

# Authentication Policy Labels
# ----------------------------
add authentication policylabel OTPManageOrAuthenticate__root -loginSchema LSCHEMA_INT
bind authentication policylabel OTPManageOrAuthenticate__root -policyName SelectManageDevices -priority 100 -gotoPriorityExpression NEXT -nextFactor AuthenticateToManageDevices__OTPManageOrAuthenticate
bind authentication policylabel OTPManageOrAuthenticate__root -policyName SelectOTPAuthentication -priority 110 -gotoPriorityExpression NEXT -nextFactor OTPAuthentication__OTPManageOrAuthenticate
add authentication policylabel AuthenticateToManageDevices__OTPManageOrAuthenticate -loginSchema SinglePasswordForManageOTP
bind authentication policylabel AuthenticateToManageDevices__OTPManageOrAuthenticate -policyName LDAPAdv -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPDeviceRegistration__OTPManageOrAuthenticate
add authentication policylabel OTPAuthentication__OTPManageOrAuthenticate -loginSchema OTPPushOrPasscode
bind authentication policylabel OTPAuthentication__OTPManageOrAuthenticate -policyName LDAPAdv -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPPushOrPasscode__OTPManageOrAuthenticate
add authentication policylabel OTPDeviceRegistration__OTPManageOrAuthenticate -loginSchema LSCHEMA_INT
bind authentication policylabel OTPDeviceRegistration__OTPManageOrAuthenticate -policyName OTPRegisterDevice -priority 100 -gotoPriorityExpression NEXT
add authentication policylabel OTPPushOrPasscode__OTPManageOrAuthenticate -loginSchema LSCHEMA_INT
bind authentication policylabel OTPPushOrPasscode__OTPManageOrAuthenticate -policyName LDAPOTPAuthentication -priority 100 -gotoPriorityExpression NEXT

# Authentication Virtual Servers
# ------------------------------
add authentication vserver OTP-AAA SSL 0.0.0.0
bind authentication vserver OTP-AAA -policy _OTP-AAA_OTPManageOrAuthenticate__root_0 -priority 100 -nextFactor OTPManageOrAuthenticate__root -gotoPriorityExpression NEXT

# Authentication Profiles
# -----------------------
add authentication authnProfile OTP-AAA -authnVsName OTP-AAA

# NetScaler Gateway Session Profiles
# ----------------------------------
add vpn sessionAction AC_OS_10.2.4.120 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://xdc01.corp.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://xdc01.corp.local"
add vpn sessionAction AC_WB_10.2.4.120 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://xdc01.corp.local/Citrix/StoreWeb" -ClientChoices OFF -ntDomain corp.local -clientlessVpnMode OFF

# NetScaler Gateway Session Policies
# ----------------------------------
add vpn sessionPolicy PL_OS_10.2.4.120 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" AC_OS_10.2.4.120
add vpn sessionPolicy PL_WB_10.2.4.120 "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" AC_WB_10.2.4.120

# NetScaler Gateway Global Settings
# ---------------------------------
enable ns feature SSLVPN

# NetScaler Gateway Virtual Servers
# ---------------------------------
add vpn vserver gateway2 SSL 10.2.4.220 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -authnProfile OTP-AAA -vserverFqdn gateway3.corp.com
bind vpn vserver gateway2 -portaltheme RfWebUI
bind vpn vserver gateway2 -policy LDAP-Corp -priority 100
bind vpn vserver gateway2 -policy PL_OS_10.2.4.120 -priority 100
bind vpn vserver gateway2 -policy PL_WB_10.2.4.120 -priority 100

# SSL Virtual Servers
# -------------------
bind ssl vserver gateway2 -certkeyName WildcardCorpCom.cer_CERT_KEY
bind ssl vserver gateway2 -eccCurveName P_256
bind ssl vserver gateway2 -eccCurveName P_384
bind ssl vserver gateway2 -eccCurveName P_224
bind ssl vserver gateway2 -eccCurveName P_521
bind ssl vserver OTP-AAA -certkeyName WildcardCorpCom.cer_CERT_KEY
bind ssl vserver OTP-AAA -eccCurveName P_256
bind ssl vserver OTP-AAA -eccCurveName P_384
bind ssl vserver OTP-AAA -eccCurveName P_224
bind ssl vserver OTP-AAA -eccCurveName P_521
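As an added example (not code from this page or from Citrix), here is a Python script that reads an nFactor flow in the CLI form above and checks the property the factor-building steps rely on: every factor that registers or verifies an OTP device (an LDAP action carrying -OTPSecret) must sit behind a factor whose LDAP action actually authenticates the user, and the selector that routes to manageotp should also restrict the client source address. SAMPLE_CONFIG is a constructed subset of the page's configuration, trimmed to the objects the check reads; BROKEN_CONFIG is a constructed misconfiguration in which the manageotp selector jumps straight to device registration. The parsing and the graph walk are this example's own logic, not an ADC feature.

```python
"""Static check of a Citrix ADC nFactor flow exported as CLI commands (added
example, not code from the page or from Citrix): walks the factor graph from
the AAA vserver and reports OTP register/verify factors (LDAP actions with
-OTPSecret) reachable without a preceding factor that authenticates the user."""
import shlex
from typing import Dict, List

# Constructed sample: the page's CLI configuration, trimmed to the objects
# this check reads (LDAP action lines shortened to the relevant flags).
SAMPLE_CONFIG = r"""
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -secType SSL
add authentication ldapAction OTPRegisterDevice -serverIP 10.2.2.11 -secType SSL -authentication DISABLED -pushService cloudPush -OTPSecret userParameters
add authentication ldapAction LDAPOTPAuthentication -serverIP 10.2.2.11 -searchFilter "userParameters>=#@" -secType SSL -authentication DISABLED -pushService cloudPush -OTPSecret userParameters
add authentication Policy _OTP-AAA_OTPManageOrAuthenticate__root_0 -rule true -action NO_AUTHN
add authentication Policy SelectManageDevices -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)" -action NO_AUTHN
add authentication Policy SelectOTPAuthentication -rule true -action NO_AUTHN
add authentication Policy LDAPAdv -rule true -action LDAP-Corp
add authentication Policy OTPRegisterDevice -rule true -action OTPRegisterDevice
add authentication Policy LDAPOTPAuthentication -rule true -action LDAPOTPAuthentication
bind authentication policylabel OTPManageOrAuthenticate__root -policyName SelectManageDevices -priority 100 -gotoPriorityExpression NEXT -nextFactor AuthenticateToManageDevices__OTPManageOrAuthenticate
bind authentication policylabel OTPManageOrAuthenticate__root -policyName SelectOTPAuthentication -priority 110 -gotoPriorityExpression NEXT -nextFactor OTPAuthentication__OTPManageOrAuthenticate
bind authentication policylabel AuthenticateToManageDevices__OTPManageOrAuthenticate -policyName LDAPAdv -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPDeviceRegistration__OTPManageOrAuthenticate
bind authentication policylabel OTPAuthentication__OTPManageOrAuthenticate -policyName LDAPAdv -priority 100 -gotoPriorityExpression NEXT -nextFactor OTPPushOrPasscode__OTPManageOrAuthenticate
bind authentication policylabel OTPDeviceRegistration__OTPManageOrAuthenticate -policyName OTPRegisterDevice -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTPPushOrPasscode__OTPManageOrAuthenticate -policyName LDAPOTPAuthentication -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver OTP-AAA -policy _OTP-AAA_OTPManageOrAuthenticate__root_0 -priority 100 -nextFactor OTPManageOrAuthenticate__root -gotoPriorityExpression NEXT
"""

# Constructed misconfiguration: the manageotp selector jumps straight to the
# registration factor, skipping the LDAP password factor.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "-nextFactor AuthenticateToManageDevices__OTPManageOrAuthenticate",
    "-nextFactor OTPDeviceRegistration__OTPManageOrAuthenticate")


def _opts(tokens: List[str]) -> Dict[str, str]:
    """'-key value' pairs to a dict; bare flags such as -encrypted map to 'true'."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("-") and len(tokens[i]) > 1:
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tokens[i][1:]] = tokens[i + 1] if has_value else "true"
            i += 1 if has_value else 0
        i += 1
    return opts


def parse_config(text: str) -> dict:
    """Collect LDAP actions, policies and factor bindings from add/bind CLI lines."""
    cfg: dict = {"actions": {}, "policies": {}, "binds": {}, "vserver_binds": {}}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        t = shlex.split(line)  # honours the \" escapes inside -rule strings
        if len(t) < 4:
            continue
        head, name, rest = tuple(t[:3]), t[3], t[4:]
        if head == ("add", "authentication", "ldapAction"):
            cfg["actions"][name] = _opts(rest)
        elif head == ("add", "authentication", "Policy"):
            cfg["policies"][name] = _opts(rest)
        elif head == ("bind", "authentication", "policylabel"):
            cfg["binds"].setdefault(name, []).append(_opts(rest))
        elif head == ("bind", "authentication", "vserver"):
            cfg["vserver_binds"].setdefault(name, []).append(_opts(rest))
    return cfg


def _action_of(cfg: dict, policy: str) -> dict:
    """The LDAP action a policy points at, or {} for NO_AUTHN / unknown."""
    name = cfg["policies"].get(policy, {}).get("action", "NO_AUTHN")
    return cfg["actions"].get(name, {})


def unprotected_otp_factors(cfg: dict, vserver: str) -> List[str]:
    """Labels where an OTP action runs before any authenticating LDAP action
    (an LDAP action authenticates unless it has -authentication DISABLED)."""
    findings = set()

    def visit(label: str, binds: list, key: str, authed: bool, seen: frozenset) -> None:
        for b in binds:
            act = _action_of(cfg, b.get(key, ""))
            if "OTPSecret" in act and not authed:
                findings.add(label)
            nxt = b.get("nextFactor")
            if nxt and nxt not in seen:  # flows are acyclic; guard a bad export anyway
                authenticates = bool(act) and act.get("authentication", "ENABLED").upper() != "DISABLED"
                visit(nxt, cfg["binds"].get(nxt, []), "policyName", authed or authenticates, seen | {nxt})

    visit(vserver, cfg["vserver_binds"].get(vserver, []), "policy", False, frozenset({vserver}))
    return sorted(findings)


def manageotp_entry_rules(cfg: dict) -> Dict[str, bool]:
    """Selector policies keyed on the manageotp cookie, and whether each rule
    also restricts the client source address (the page's flow uses IN_SUBNET)."""
    return {name: "CLIENT.IP.SRC" in p.get("rule", "").upper()
            for name, p in cfg["policies"].items() if "manageotp" in p.get("rule", "")}


if __name__ == "__main__":
    for tag, text in (("page config", SAMPLE_CONFIG), ("broken config", BROKEN_CONFIG)):
        cfg = parse_config(text)
        print(tag, unprotected_otp_factors(cfg, "OTP-AAA"), manageotp_entry_rules(cfg))
```

To run it against a real appliance, feed the output of show ns runningConfig to parse_config; only the add/bind authentication lines are read, so the rest of the configuration can stay in. On the page's flow the check returns no findings and reports the manageotp selector as source-restricted; on the broken variant it names the device-registration factor, which is exactly the case where anyone who can reach the Gateway could enrol an OTP device for an arbitrary account.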

7 thoughts on “Native One Time Passwords (OTP) – Citrix Gateway 13”

Dileep Reddem

May 31, 2019 at 12:07 am

Carl, on this statement “Manageotp is difficult to secure – The manageotp website is usually only protected by single factor authentication so external access must be blocked.” – Gateway can be configured to ask for 2 factors when manageotp is accessed externally.

We are updating mainline docs as well to mention this explicitly. Essentially, otp management is presented through nFactor. That means, it could be made as stringent as required.

Carl Stalhood

May 31, 2019 at 4:49 am

What alternative multi-factor would you recommend for protection of manageotp? I wonder if email factor would work.

Morten Kallesoe

June 3, 2019 at 3:36 am

The same actions you use for SSPR should work in this flow as well.

GyKen H

May 30, 2019 at 10:06 pm

Thank you for the testing. Are you using a windows plugin or MAC CitrixSSO to do the test?


 May 30, 2019 Carl Stalhood Citrix ADC 13

One more question, when I made a change to the login schema, it only affects web browser login, but does not affect plugin login display, right?

Carl Stalhood

May 31, 2019 at 4:51 am

I tried Windows VPN plug-in and it handled nFactor correctly.

GyKen H

May 30, 2019 at 6:19 pm

Amazing quick post!

Actually I have tested these new features in Gateway 13. Including push notification, registered device limit, nFactor visualizer, almost everything is working well. But also, I got some problems here:

1. After I downloaded the latest Windows Gateway Plugin, and connected to my gateway, there is a script error shown “jQuery is undefined” on the plugin. (https://discussions.citrix.com/topic/403232-windows-gateway-plug-in-error-jquery-is-undefined/)

2. The Gateway 13 release note also noticed that the new Windows plugin supports hostname/FQDN DNS split tunnel. Since my Windows plugin doesn’t work properly, I am not sure whether this is the same feature that CitrixSSO(MAC) supports. (There is an input box for “domains” on CitrixSSO(MAC) when you add a new gateway connection to the plugin)

3. The push notification is only functioning when you are using a web browser, I wish it also could support the plugin…

Carl Stalhood

May 30, 2019 at 6:38 pm

I just tried push notification in the Gateway 13 VPN Client and it works fine.
