Choosing Your Authentication Method

Oct 20, 2015

Before you install XenMobile components, determine which authentication types you will use to authenticate users. XenMobile supports several authentication types. It is important to choose the authentication method you want to configure before you deploy XenMobile; if you implement an authentication method for users and then change the method after users enroll or you implement Worx PIN, users will need to enroll again.

XenMobile supports the following authentication types:

  • Active Directory or LDAP
  • Client certificate
  • Worx PIN
  • Two-factor authentication

You can configure the following authentication types for two-factor authentication:

  • Active Directory and Worx PIN
  • Active Directory and client certificate authentication

XenMobile 8.6 introduces support for client certificate authentication. Users can now authenticate their devices seamlessly to XenMobile using client certificates, giving administrators the choice of authenticating their users with Active Directory credentials or client certificates. With client certificates, users only need to enter their own chosen PIN to log on with single sign-on (SSO) to any of the Worx-enabled apps.

Worx PIN also simplifies the user authentication experience. Worx PIN is used to secure a client certificate or save Active Directory credentials locally on the device. If you configure Worx PIN settings in App Controller, when users start Worx Home for the first time, they receive a prompt to enter a PIN, which caches the Active Directory credentials. When users subsequently start Worx Home, WorxMail, or WorxWeb, they enter the PIN and log on. This simplifies the logon process on the mobile device. For more information about configuring Worx PIN, see Configuring Worx PIN Options.

Citrix recommends using two-factor authentication for the highest security and recommends that you combine Worx PIN with Active Directory and client certificate authentication, which allows for the security of two-factor authentication while maintaining a streamlined user experience. For instructions on how to configure client certificate authentication in XenMobile, see

The XenMobile architecture supports the following authentication combinations:

  • Domain only (Worx PIN supported)
  • Security token only
  • Domain and security token (Worx PIN supported)
  • Client certificate only
  • Client certificate and domain (Worx PIN supported)
  • Client certificate and security token