25/07/2019 Microsoft Azure MFA Cloud Service in Citrix ADC Version 12 – Deyda.net
deyda.net/index.php/en/2019/03/20/microsoft-azure-mfa-cloud-service-in-citrix-adc-version-12-2/
Microsoft Azure MFA Cloud Service in Citrix ADC Version 12
To complete my previous article, I also implemented and tested the Microsoft Azure MFA Cloud Service directly in my test lab. In this post I go straight to the to-dos for the implementation. For more information on MFA and the differences between the local MFA Server and the cloud service, please read my previous post.
Note that all of this information reflects the status as of March 2019; since this is a cloud service, it will soon be out of date again.
Sequence of a Microsoft Azure MFA Cloud Authentication
1. The user opens the Unified Gateway page via its URL (e.g. https://citrix.deyda.net) and enters his credentials (username & password)
2. The Citrix ADC forwards the credentials to the local NPS (Network Policy Server) as a RADIUS request
3. The Network Policy Server validates the credentials against an Active Directory domain controller
4. After successful verification, a confirmation is returned to the NPS
5. The NPS requests the second factor from the Azure Multi-Factor Authentication service (Azure MFA service) through the NPS Extension for Azure MFA
6. The Azure MFA service contacts the user's mobile phone via the preferred method (push notification to the Authenticator app, phone call or SMS)
7. The user confirms the second factor on the mobile device
8. The Azure MFA service returns the confirmation of the second factor to the local NPS via the NPS extension
9. The local Network Policy Server returns the acknowledgement to the Citrix ADC (RADIUS response)
10. The user is authenticated and gets access to the resources
Set up the MFA cloud service as a second factor
In this guide I assume two-factor authentication on the Unified Gateway. The Citrix ADC (formerly NetScaler) version 12 uses the cloud MFA service for this purpose.
Requirements
I assume the following things and do not go into detail about them:
Citrix ADC with successful base configuration
Internal and external DNS entries for the Unified Gateway vServer (e.g. citrix.deyda.net)
Certificates for the DNS entry
Configured Unified Gateway vServer
Existing Azure subscription with base configuration
Enabled Azure Active Directory Premium license
Outbound HTTPS from the NPS server to Azure (the NPS extension talks to the Azure MFA service over the internet)
Installed Authenticator app on the test user's mobile phone
Microsoft/Office 365 Admin Center
First, we sign in with an administrative account to the Office 365 portal (https://portal.office.com) and click Admin to get into the Admin Center.
In the Admin Center navigation panel, click Users > Active Users
In the following view, click on the user to be configured
Click Manage multi-factor authentication in the user's pop-up menu
In the new window, select the user to be configured again
Then use Quick steps to Enable the user for MFA
In the following window click Enable multi-factor auth
Network Policy Server
Now switch to the internal server that will later serve as the Network Policy Server, to install and configure the required role and programs.
To do this, start Server Manager and click Add roles and features
In the following window, click through to the selection of server roles, select the role Network Policy and Access Services and click Next
In the following window click Add Features and start the installation via Install
Now download the NPS Extension for Azure MFA and install and configure it in the local environment.
Download the NPS Extension for Azure MFA from the Microsoft download page
After the download, start the installer and click Install
Now open a PowerShell session as administrator
Navigate to the path C:\Program Files\Microsoft\AzureMfa\Config and run the following command
.\AzureMfaNpsExtnConfigSetup.ps1
Then sign in with your administrative Office 365 / Azure account
For the next step we need the directory ID of the Azure AD tenant. Please keep the PowerShell window open.
Log in to portal.azure.com and navigate to Azure Active Directory > Properties
Copy the ID displayed under Directory ID
Paste the Directory ID into the open PowerShell window and confirm with Enter
The script does the following things:
Creates a self-signed certificate
Associates the public key of the certificate with the service principal in Azure AD
Stores the certificate in the certificate store of the local machine
Grants access to the certificate's private key to Network User
Restarts the NPS service
Now the local Network Policy Server can be configured.
Start the Network Policy Server console (e.g. via Server Manager > Tools > Network Policy Server)
Right-click RADIUS Clients and select New
Here you configure the communication with the Citrix ADC as follows:
Enable this RADIUS client (Selected)
Friendly name (e.g. CitrixADC-NSIP)
Address (NSIP of the Citrix ADC, e.g. 10.0.0.7)
Shared secret (freely selectable, but must be noted down; 191211 is only an example. In production use a long random secret, since it is the only thing protecting the RADIUS exchange between ADC and NPS)
Confirm shared secret (the secret selected above, e.g. 191211)
Confirm the entry with OK
Now right-click Remote RADIUS Server Groups and click New
In the following window, enter a name for your ADC group (Group name) and click Add
Here you configure the communication with the local AD as follows
Server (FQDN or IP of the local ADC)
Click on the tab Authentication/Accounting
Authentication port (1812)
Shared secret (the shared secret selected above, e.g. 191211)
Confirm shared secret (as above, e.g. 191211)
Now click on the tab Load Balancing
Number of seconds without response before request is considered dropped (important: this must give the user enough time to confirm the second factor (MFA app, call or SMS), e.g. 60)
Number of seconds between requests when server is identified as unavailable (important for the same reason, e.g. 60)
Confirm the entry with OK
Now right-click Policies > Connection Request Policies and select New
In the following window you define the communication with the Citrix ADC
Policy name (e.g. MFA Server Citrix ADC NSIP No Forward)
Policy enabled (Selected)
On the tab Conditions click Add
Client IPv4 Address (NSIP, e.g. 10.0.0.7)
Now click on the tab Settings and there on the menu item Authentication Methods
Override network policy authentication settings (Selected)
Microsoft Encrypted Authentication version 2, i.e. MS-CHAP v2 (Selected)
Next select the menu item Authentication
Authenticate requests on this server (Selected)
Confirm the entry with OK
Right-click Policies > Connection Request Policies again and select New
In the following window you define
Policy name (e.g. MFA Server Citrix ADC Request Forward)
Policy enabled (Selected)
On the tab Conditions click Add
NAS Identifier (freely selectable, but must be noted down, e.g. MFA)
Now click on the tab Settings and there on the menu item Authentication Methods
Override network policy authentication settings (Selected)
Microsoft Encrypted Authentication version 2 (Selected)
Now right-click Policies > Network Policies and select New
Policy name (e.g. NetScaler MFA)
Policy enabled (Selected)
Grant access (Selected)
On the tab Conditions click Add
NAS Identifier (freely selectable, but must be noted down and identical to the value above, e.g. MFA)
Now click on the tab Constraints and there on the menu item Authentication Methods
Microsoft Encrypted Authentication version 2 (Selected)
Confirm the entry with OK
Authentication App
We now log in to Office 365 (https://portal.office.com) with our test user to configure the Authenticator app on the mobile device.
If the test user does not yet have a configured second factor, the following message appears. The configuration can be started with Next.
In the next window, select the type of the second factor (e.g. Mobile app)
To simplify the configuration, select Receive notifications for verification and click Next
In the following window a QR code is displayed, with which the Authenticator app can be configured
Open the Authenticator app on your device
Tap the + symbol to add another account
Select Work or school account in the Accounts window
With the following menu item Scan QR code you can scan the displayed QR code
Now the test user is displayed in the account list
In the browser you can confirm the configuration of the MFA service with Next and Finish
Citrix ADC
Now the Citrix ADC can be set up for multi-factor authentication. To do this, a RADIUS server is created and bound to the existing Unified Gateway vServer.
In the Citrix ADC navigation panel, click System > Authentication > RADIUS
Click on the Servers tab and create a new authentication server via Add
Name (e.g. Local-NPS)
IP Address (IP of the NPS)
Port (1812)
Secret Key (the shared secret defined on the NPS, e.g. 191211)
Confirm Secret Key (shared secret)
Click Test Connection to check the data entered and the connection to the Network Policy Server
Click on More to configure the further options
Time-out (set this to 120 seconds for phone call or SMS; it must be longer than the time the user needs to confirm the second factor, otherwise the ADC retries and every retry triggers a new MFA prompt)
NAS ID (the value configured on the NPS, e.g. MFA)
Password Encoding (mschapv2; note that, according to Microsoft's documentation of the NPS extension, MS-CHAP v2 supports only push notification and phone call, whereas pap supports all Azure MFA methods including SMS and verification code)
Accounting (OFF)
Authentication Server Retry (3)
Authentication (Selected)
Save the configuration with Create
Click on the Policy tab and click Add to create a new RADIUS policy
Name (e.g. radius_mfa_cloud_pol)
Server (the previously created RADIUS server, e.g. Local-NPS)
Expression (ns_true)
Click Create to save the configuration
Now select the previously configured Unified Gateway vServer
Under Basic Authentication click on the + symbol
Under Choose Type configure the following
Choose Policy (RADIUS)
Choose Type (Primary)
Confirm the entry with Continue
In the following window under Select Policy, select the previously created RADIUS policy (radius_mfa_cloud_pol)
Confirm the entry with Bind
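The RADIUS leg of this flow (steps 2 and 9 of the sequence above, together with the Time-out, NAS ID and Secret Key settings of the ADC RADIUS server) can be exercised without the ADC. The following Python script is an added example and not code from the original post, from Citrix or from Microsoft: it builds the Access-Request the ADC sends (User-Name, hidden User-Password, NAS-Identifier MFA), waits the full MFA window for the reply, and accepts only a response whose Response Authenticator verifies under the shared secret. It uses PAP password hiding rather than the MS-CHAP v2 encoding configured on this page, so to run it against the NPS described here, PAP would have to be added to the authentication methods of the connection request and network policies (or the ADC's Password Encoding switched to pap). NPS_IP, the test user and the weak secret 191211 from the page are assumed lab values.

```python
"""RADIUS (RFC 2865) test client for the Citrix ADC -> NPS leg of the login flow.
Added example, not code from the original post. Uses PAP (User-Password), while the
page configures mschapv2. NPS_IP, SECRET and the test user are hypothetical lab values."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Iterable, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32
NPS_IP = "10.0.0.8"   # assumed address of the NPS (hypothetical)
SECRET = b"191211"    # the page's example shared secret; see recover_secret() for why not to use it


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret || previous
    ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = block if decrypt else xored
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """ADC side (step 2): pad to a multiple of 16 bytes and hide the password."""
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NPS side (step 3): recover the password before validating it against AD."""
    return _xor_chain(hidden, secret, authenticator, True).rstrip(b"\x00")


def _attrs(pairs: Iterable[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def build_access_request(ident: int, user: str, password: str, nas_id: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Step 2: what the ADC sends. NAS-Identifier carries the NAS ID ('MFA') that the
    NPS connection request policy matches on. Returns (packet, request authenticator)."""
    ra = authenticator or os.urandom(16)
    body = _attrs([(USER_NAME, user.encode()),
                   (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
                   (NAS_IDENTIFIER, nas_id.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def build_response(code: int, ident: int, request_auth: bytes,
                   pairs: Iterable[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Step 9 on the wire (used here to construct sample replies). Response
    Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    body = _attrs(pairs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Return the response code only if its Response Authenticator is valid. The shared
    secret is all that stops an on-path attacker from forging an Access-Accept."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    return head[0] if hmac.compare_digest(expected, resp_auth) else None


def recover_secret(packet: bytes, request_auth: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured request/response pair: recompute the
    Response Authenticator for each guess. All numeric secrets up to six digits, such as
    the page's 191211, cost at most a million MD5 hashes, i.e. seconds in pure Python."""
    return next((c for c in candidates if verify_response(packet, request_auth, c) is not None), None)


def radius_authenticate(server: str, secret: bytes, user: str, password: str,
                        nas_id: str = "MFA", timeout: float = 120.0) -> bool:
    """One round trip to the NPS on UDP/1812. The timeout is long on purpose: the reply
    only arrives after the user has approved the push or answered the call (steps 5-8),
    and a retry sent too early triggers a second MFA prompt."""
    ident = os.urandom(1)[0]
    req, ra = build_access_request(ident, user, password, nas_id, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, 1812))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return data[1] == ident and verify_response(data, ra, secret) == ACCESS_ACCEPT


if __name__ == "__main__":
    print("accepted" if radius_authenticate(NPS_IP, SECRET, "testuser", "P@ssw0rd") else "rejected")
```

Run it as a script to send one request to the NPS and wait the whole MFA window, or import it and pass a captured Access-Request/Access-Accept pair to recover_secret() with a candidate list: the six-digit secret from this page is recovered from a single sniffed exchange in seconds, after which the attacker can forge Access-Accept responses to the ADC. Use a long random shared secret and keep the ADC-to-NPS traffic on an isolated or IPsec-protected network.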
After saving the configuration, you can log in to the gateway; after entering the credentials you receive a message on the mobile device (mobile app, call or SMS).
Troubleshooting
To give users access to their MFA settings afterwards, pass on the following address:
https://aka.ms/mfasetup
Here the user can edit his existing settings (phone number, Authenticator app, etc.) or remove the link to configured Authenticator apps.
2 thoughts on “Microsoft Azure MFA Cloud Service in Citrix ADC Version 12”
Sascha Friedl
July 8, 2019 at 16:05
Hi,
at first: Thanks for this great article. It helps us very much to have the service up and running very soon. Do you have any best practices for having two NPS servers (failover) with NetScaler HA (active/passive)?
Manuel Winkel, March 20, 2019. Categories: ADC, Azure, Citrix, Microsoft, Office365. Tags: Authenticator, Azure AD, Citrix, Citrix ADC, Citrix Gateway, MFA, Microsoft, Microsoft Azure MFA, Multi-Factor-Authentication, NetScaler, NetScaler Gateway, Office365, Unified Gateway
Manuel Winkel
July 8, 2019 at 16:11
Simply deploy multiple instances of NPS in the environment with the same configuration (by exporting the configuration from the master and importing it on the others) and deploy a load balancer to front the multiple NPS instances.