Configure Adaptive Authentication service
The following high-level steps are involved in configuring the Adaptive Authentication service.
- Provision Adaptive Authentication
- Configure Adaptive Authentication policies
- Enable Adaptive Authentication for Workspace
- Reserve an FQDN for your Adaptive Authentication instance. For example, aauth.xyz.com, where xyz.com is your company domain. This FQDN is referred to as the Adaptive Authentication service FQDN in this document and is used when provisioning the instance. Map the FQDN to the IdP virtual server public IP address. This IP address is obtained after provisioning, in the Upload Certificate step.
- Procure a certificate for aauth.xyz.com. The certificate must contain the SAN attribute; otherwise, it is not accepted.
Adaptive Authentication UI does not support uploading of certificate bundles. To link an intermediate certificate, see Configure intermediate certificates.
- Choose your connectivity type for on-premises AD/RADIUS connectivity. The following two options are available. If you do not want direct data center reachability, use the connector connectivity type.
- Citrix Cloud Connector - For details, see Citrix Cloud Connector.
- Azure VNet peering - For details, see Set up connectivity to on-premises authentication servers using Azure VNet peering.
- Configure network time protocol (NTP) server to avoid time skews. For details, see How to synchronize system clock with servers on the network.
Points to note
- Citrix recommends that you do not run clear config on any Adaptive Authentication instance or modify any configuration with the prefix AA (for example, AAuthAutoConfig), including certificates. Doing so disrupts Adaptive Authentication management and impacts user access. The only way to recover is through reprovisioning.
- Do not add SNIP or any additional routes on the Adaptive Authentication instance.
- User authentication fails if the customer ID is not in all lowercase. You can convert your ID to all lowercase and set it on the ADC instance by using the command
set cloud parameter -customerID <all_lowercase_customerid>.
- The nFactor configuration that is required for the Citrix Workspace or the Citrix Secure Private Access service is the only configuration customers are supposed to create directly on the instances. Currently there are no checks or warnings in NetScaler that prevent admins from making other changes.
- Do not upgrade the Adaptive Authentication instances to random RTM builds. All upgrades are managed by Citrix Cloud.
- Only the Windows-based Cloud Connector is supported. The Connector Appliance is not supported in this release.
- If you are an existing Citrix Cloud customer and have already configured Azure AD (or other authentication methods), to switch to Adaptive Authentication (for example, device posture check), you must configure Adaptive Authentication as your authentication method and configure the authentication policies in the Adaptive Authentication instance. For details, see Connect Citrix Cloud to Azure AD.
- For RADIUS server deployment, add all connector private IP addresses as the RADIUS clients in the RADIUS server.
- In the current release, the external ADM agent is not allowed and therefore Citrix Analytics (CAS) is not supported.
- Citrix Application Delivery Management service collects the backup for your Adaptive Authentication instance. To extract the backup from ADM, onboard the ADM service. For details, see Config backup and restore. Citrix does not take the backups explicitly from the Adaptive Authentication service. Customers must take the backup of their configurations from the Application Delivery Management service if necessary.
How to configure the Adaptive Authentication service
You can access the Adaptive Authentication user interface by one of the following methods.
- Manually type the URL https://adaptive-authentication.cloud.com.
Log in using your credentials and select a customer.
After you are successfully authenticated, you are redirected to the Adaptive Authentication user interface.
- Navigate to Citrix Cloud > Identity and Access Management.
- In the Authentication tab, in Adaptive Authentication, click the ellipsis menu and select Manage.
The Adaptive Authentication user interface appears.
The following figure illustrates the steps involved in configuring Adaptive Authentication.
Step 1: Provision Adaptive Authentication
Customers interested in Adaptive Authentication service are required to click the link as shown in the following screenshot and complete the Podio form. The Citrix Adaptive Authentication team then enables provisioning of Adaptive Authentication instances.
Perform the following steps to provision the Adaptive Authentication instance:
- On the Adaptive Authentication UI, click Provision.
- Select the preferred connection for Adaptive Authentication.
Citrix Cloud Connector: For this connection type, you must set up a connector in your on-premises network. Citrix recommends that you deploy at least two Citrix Cloud Connectors in your environment to set up connection to the Citrix Gateway hosted on Azure. You must allow your Citrix Cloud Connector to access the domain/URL you have reserved for the Adaptive Authentication instance. For example, allow https://aauth.xyz.com/*.
For details on Citrix Cloud Connector, see Citrix Cloud Connector.
Azure VNet peering: You must set up the connectivity between the servers using Azure’s VNet peering.
- Ensure that you have an Azure subscription account to set up the connectivity.
- The customer VNet that is being peered must already have an Azure VPN gateway provisioned. For details, see https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal.
To add a Citrix Cloud Connector as your preferred connection, perform the following steps.
- Select the Citrix Cloud Connector option, and then select the end user agreement check box.
- Click Provision. Provisioning might take up to 30 minutes to set up.
For connector connectivity type, make sure that your Adaptive Authentication FQDN is reachable from the connector virtual machine after provisioning.
To set up Azure VNet peering:
If you select Azure VNet peering as your connection, you must add a subnet CIDR block that must be used to provision the Adaptive Authentication instance. You must also ensure that the CIDR block does not overlap with your organization’s other network ranges.
- Set up credentials to access the instances that you have enabled for Adaptive Authentication. You need management console access to create policies for authentication, conditional access, and so on.
- In the Console access screen, enter the user name and password.
- Click Next.
Users created from the Console access screen are granted “SuperUser” privileges, which include shell access.
- Add the Adaptive Authentication service FQDN and upload the certificate-key pair. You must enter the Adaptive Authentication service FQDN of your choice for the publicly accessible authentication server. This FQDN must be publicly resolvable.
- In the Upload Certificate screen, enter the FQDN that you have reserved for Adaptive Authentication.
- Select the certificate type.
- Adaptive Authentication service supports certificates of type PFX, PEM, and DER for provisioning of instances.
- A certificate bundle is only supported for certificates of type PEM. For other bundle types, Citrix recommends installing the root and intermediate certificates and linking them to the server certificate.
- Upload the certificate and the key.
Install your intermediate certificate on the Adaptive Authentication instance and link it with the server certificate.
- Log in to the Adaptive Authentication instance.
- Navigate to Traffic Management > SSL. For details, see Configure intermediate certificates.
- Only public certificates are accepted. Certificates signed by private or unknown CAs are not accepted.
- Certificate configuration or certificate updates must be done using the Adaptive Authentication UI only. Do not change it directly on the instance as this might result in inconsistencies.
After you upload the certificate and the key, the Adaptive Authentication instance is connected to the Identity and Access Management service. The Adaptive Authentication method status is displayed as Connected.
- Set up the IP addresses through which the Adaptive Authentication management console can be accessed.
- In the Allowed IP addresses screen, for each instance, enter a public IP address as the management IP address. To restrict the access to the management IP address, you can add multiple IP addresses that are allowed to access the management console.
- To add multiple IP addresses, you must click Add, enter the IP address, and then click Done. This must be done for every IP address. If you do not click the Done button, the IP addresses are not added to the database but are only added in the user interface.
If you are using the connector connectivity type, then specify a set of resource locations (connectors) through which AD or RADIUS servers can be reached. If you are using the VNet peering connectivity type, then you can skip this step.
Admins can choose the connectors through which back-end AD and RADIUS servers must be reached. To enable this feature, customers set up a mapping between their back-end AD/RADIUS server subnets and resource locations, so that authentication traffic destined for a specific subnet is directed to the mapped resource location. If a subnet is not mapped to a resource location, admins can specify that the wildcard resource location is used for those subnets.
Previously, Adaptive Authentication traffic for on-premises AD/RADIUS was directed to any available resource location using the round robin method. This caused issues for customers with multiple resource locations.
- On the Adaptive Authentication UI, click Manage Connectivity.
- Enter the subnet details and select the respective resource location.
If you clear the Use any available resource location for remaining subnets check box, only the traffic directed towards the configured subnets is tunneled.
- Click Add, and then click Save Changes.
- Only RFC1918 IP address subnets are allowed.
- The number of subnet-resource location mapping per customer is limited to 10.
- Multiple subnets can be mapped to a single resource location.
- Duplicate entries are not allowed for the same subnet.
- To update the subnet entry, delete the existing entry and then update.
- If you rename or remove the resource location, make sure to remove the entry from the Manage Connectivity screen in the Adaptive Authentication user interface.
- Any changes made to the resource location mapping by using the following CLI commands are overwritten by the changes pushed from the user interface (Adaptive Authentication Provisioning > Manage Connectivity).
set cloudtunnel parameter -subnetResourceLocationMappings
set policy expression aauth_allow_rfc1918_subnets <>
set policy expression aauth_listen_policy_exp <>
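As an added example (not Citrix code), the following Python script models the Manage Connectivity rules from the notes above and the subnet-to-resource-location routing described in this step: only RFC1918 subnets, at most 10 mappings per customer, no duplicate subnets, several subnets per resource location, and a fallback to any available resource location only while that check box is kept selected. Longest-prefix match for overlapping subnets and the resource location names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

MAX_MAPPINGS = 10  # per-customer limit stated in the documentation

RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True if the subnet lies entirely inside one RFC1918 private range."""
    return any(net.subnet_of(private) for private in RFC1918)


def validate_mappings(entries: List[Tuple[str, str]]) -> Dict[ipaddress.IPv4Network, str]:
    """Validate (subnet_cidr, resource_location) pairs as the UI would.
    Raises ValueError naming the first rule that is violated."""
    if len(entries) > MAX_MAPPINGS:
        raise ValueError(f"at most {MAX_MAPPINGS} subnet mappings are allowed per customer")
    mapping: Dict[ipaddress.IPv4Network, str] = {}
    for cidr, location in entries:
        # strict=True rejects host bits set in the prefix, e.g. 10.1.2.3/24
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4 or not is_rfc1918(net):
            raise ValueError(f"{cidr}: only RFC1918 IPv4 subnets are allowed")
        if net in mapping:
            raise ValueError(f"{cidr}: duplicate entry for the same subnet")
        mapping[net] = location  # several subnets may share one resource location
    return mapping


def resource_location_for(mapping: Dict[ipaddress.IPv4Network, str],
                          server_ip: str, use_any_for_remaining: bool) -> Optional[str]:
    """Pick the resource location that should carry traffic to an AD/RADIUS server.
    Assumption: the most specific matching subnet wins. Unmatched traffic goes to
    the wildcard ('any available') location only if that option is on; otherwise
    it is not tunneled at all, signalled here by None."""
    ip = ipaddress.ip_address(server_ip)
    matches = [net for net in mapping if ip in net]
    if matches:
        return mapping[max(matches, key=lambda n: n.prefixlen)]
    return "any-available" if use_any_for_remaining else None


if __name__ == "__main__":
    # Constructed sample: two data centers, each with its own connector set.
    m = validate_mappings([("10.10.0.0/16", "rl-east"), ("10.20.0.0/16", "rl-west")])
    print(resource_location_for(m, "10.20.3.4", use_any_for_remaining=False))
```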
Provisioning Adaptive Authentication is now complete.
Step 2: Configure Adaptive Authentication policies
How to connect to your Adaptive Authentication instance:
After the provisioning, you can access the Adaptive Authentication management IP address directly. You can access the Adaptive Authentication management console using the FQDN or your primary IP address.
- In a high availability setup, the certificates are also synchronized as part of the synchronization process, so ensure that you use a wildcard certificate.
- If you need a unique certificate for each node, upload the certificate files and keys to a folder that is not synchronized (for example, create a separate folder, nosync_cert, in the nsconfig/SSL directory) and then upload the certificate individually on each node.
Access the Adaptive Authentication management console:
- To access the Adaptive Authentication management console using the FQDN, see Configure SSL for ADC Admin UI access.
- To access the Adaptive Authentication management console using your primary IP address, do the following:
- Copy the primary IP address from the Configure Authentication policies section in the GUI and access the IP address in your browser.
- Log in using the credentials that you have entered while provisioning.
- Navigate to Configuration > Security > AAA - Application Traffic > Virtual Servers.
- Add the authentication policies. For various use cases, see Sample authentication configurations.
Accessing the Adaptive Authentication instance by IP address is not trusted, and many browsers block such access with warnings. We recommend that you access the Adaptive Authentication management console by FQDN to avoid these security barriers. Reserve an FQDN for the Adaptive Authentication management console and map it to the primary and secondary management IP addresses.
For example, if your AA instance primary IP address is 192.0.2.0 and the secondary is 220.127.116.11, then:
- primary.domain.com can be mapped to 192.0.2.0
- secondary.domain.com can be mapped to 220.127.116.11
Step 3: Enable Adaptive Authentication for Workspace
After provisioning is complete, you can enable authentication for Workspace by clicking Enable in the Enable Adaptive Authentication for Workspace section.
With this, the Adaptive Authentication configuration is complete. When you access your workspace URL, you are redirected to the Adaptive Authentication FQDN.