Configure certificate authentication as first factor and LDAP as second factor in Citrix ADC nFactor authentication

The following section describes the use case of certificate authentication in the first factor followed by LDAP in the second factor. Else, the LDAP and OTP, if a user certificate is not present in the first factor.

Use Case: Certificate authentication in first factor followed by LDAP in next factor

Assume a use case where, admins configure certificate authentication in the first factor. And if the certificate is present, then configure LDAP authentication in next factor. If the user certificate is not present, configure LDAP and OTP.

  1. Once you access the traffic management virtual server, you are redirected to the login page.

  2. If the user certificate is present in the client device, you are displayed with the following screen.

    User certificate

  3. After the user certificate is submitted, authentication proceeds to next factor. This factor is configured as LDAP.

    User certificate

  4. If a user certificate is not present in the first factor, then proceed to LDAP and OTP. You have two options to achieve.

    • LDAP and OTP as separate login pages with user name prefilled from LDAP factor.

      User certificate

      The user name value is prefilled using the expression ${}, which extracts the user name from the first factor. Other fields such as, labels for user name and password can also be customized.

    • Dual authentication page containing two password fields. The example used for this specific representation is displayed.

      User certificate


The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.

nFactor visualizer LDAP and OTP

Perform the following by using the CLI

  1. Configure authentication virtual server.

    • add lb vserver lbvs1 HTTP 80 -AuthenticationHost -Authentication ON
    • bind ssl vserver auth_vserver -certkeyName gateway.angiras.lab
  2. Bind the root certificate to the virtual server and enable Client Auth.

    • bind ssl vserver auth_vserver -certkeyName Root_Cert -CA -ocspCheck Optional
    • set ssl vserver auth_vserver -clientAuth ENABLED -clientCert Optional
  3. Configure authentication action and policies.

    • LDAP authentication
      • add authentication ldapAction LDAP_Action -serverIP XX.XX.XX.XX -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword 97526a31c6e2e380f7b3a7e5aa53dc498c5b25e9b84e856b438b1c61624b5aad -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
      • add authentication Policy LDAP_Pol -rule true -action LDAP_Action
    • Device management
      • add authentication ldapAction OTP_manage_Act -serverIP XX.XX.XX.XX -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword 3e10c1df11a9cab239cff2c9305743da76068600a0c4359603abde04f28676ae -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED -OTPSecret userParameters
      • add authentication Policy manage_OTP -rule TRUE -action OTP_manage_Act
    • OTP validation
      • add authentication ldapAction LDAP_OTP_Act -serverIP XX.XX.XX.XX -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword e79a8ebf93fdb7e7438f44c076350c6ec9ad1269ef0528d55640c7c86d3490dc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -authentication DISABLED -OTPSecret userParameters
      • add authentication Policy OTP_Pol -rule true -action LDAP_OTP_Act
    • Certificate authentication
      • add authentication certAction Certificate_Profile -twoFactor ON -userNameField SubjectAltName:PrincipalName
      • add authentication policy Cert_Pol -rule true -action Certificate_Profile
    • Policy without authentication for dual authentication when a certificate authentication fails or certificate does not exist.
      • add authentication Policy Cert_Pol_NOAUTH_ -rule true -action NO_AUTHN
  4. Configure policy label and schema for the second factor.

    • Device management
      • add authentication policylabel manage_otp_label -loginSchema LSCHEMA_INT
      • bind authentication policylabel manage_otp_label -policyName manage_OTP -priority 100 -gotoPriorityExpression END
    • LDAP authentication after successful certificate authentication
      • add authentication loginSchema lschema_LDAP_Only -authenticationSchema "/nsconfig/loginschema/LoginSchema/PrefilUserFromExpr.xml"
      • add authentication policylabel LDAP_Only -loginSchema lschema_LDAP_Only
      • bind authentication policylabel LDAP_Only -policyName LDAP_Pol -priority 100 -gotoPriorityExpression END
    • Dual authentication when certification is not present or certificate authentication fails
      • add authentication loginSchema lschema_dual_auth -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
      • add authentication policylabel Dual_Auth_Label -loginSchema lschema_dual_auth
      • bind authentication policylabel Dual_Auth_Label -policyName LDAP_Pol -priority 100 -gotoPriorityExpression END
      • bind authentication policylabel Dual_Auth_Label -policyName OTP_Pol -priority 110 -gotoPriorityExpression END
  5. Bind the policies created in the preceding steps.

    • bind authentication vserver auth_vserver -policy Manage_OTP -priority 100 -nextFactor manage_otp_label -gotoPriorityExpression NEXT
    • bind authentication vserver auth_vserver -policy Cert_Pol -priority 110 -nextFactor LDAP_Only -gotoPriorityExpression NEXT
    • bind authentication vserver auth_vserver -policy Cert_Pol_NOAUTH_ -priority 120 -nextFactor Dual_Auth_Label -gotoPriorityExpression NEXT

Configuring by using the nFactor Visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flows and click Add.

  2. Click + to add the nFactor flow.

    Add a flow

  3. Add a factor. The name that you enter is the name of the nFactor flow. Click Create.

    Add a name for the flow

  4. Schema is needed in the first factor as you bind policies that do not need a schema.

  5. Click Add Policy to add the first factor authentication policy. You can create an authentication policy or select an existing authentication policy from the list.

    Add local policy

  6. Add a policy for registration check. Action in this case would be NO_AUTHN.

  7. In the Expression Field, type HTTP.REQ.COOKIE.VALUE(“NSC_TASS”).EQ(“manageotp”) and click Create.

    Expression field

  8. Click Add Policy to create a policy. Click Create and click Add.

    Register policy

  9. Click green + to add the next factor for LDAP authentication before managing the devices.

  10. Select Create Factor and type in a name for this factor and click Create.

    Register policy

  11. Click Add Schema and then add to create a schema to manage devices.

    Register schema

  12. Choose the schema that is created in preceding and click Add to create it.

    Add LDAP auth policy

  13. Click Add Policy and select LDAP Authentication Policy for initial LDAP authentication.


    For more information, see To configure LDAP authentication by using the configuration utility.

  14. Follow steps 9 and 10 to create another factor to register the device.

  15. No schema is needed in this factor. Click Add Policy to add the policy for device registration. (Policy created in CLI Configuration step 4 point b).

  16. Create another factor following step 9 and 10 to test the registered devices.

  17. Click Add Policy to add Authentication Policy (Policy created in CLI Configuration step 4 point c).

    Add LDAP auth policy

  18. Click green + under the Registration Policy to add a Policy for certificate authentication.

    Add LDAP auth policy

  19. Click Add to add the Cert Policy.

    Add LDAP auth policy


    For more information on client certificate authentication, see How Do I Enable SSL Client Certificate Authentication on NetScaler.

  20. Click green sign next to the Cert Policy to create next factor for LDAP authentication.

    Add LDAP factor

  21. Click Add Schema to add the login schema for prefilled user name, single authentication.

    Add LDAP auth policy

  22. Choose the schema created and click OK.

    Choose LDAP schema

  23. Click Add Policy and add LDAP authentication.

    LDAP policy

  24. Click red + next to Certificate Policy to add the next factor for the failure case. The failure case is for when the certificate authentication fails or if there is no certificate on the device.

  25. Select Create Factor and type a Factor Name.

    LDAP OTP factor

  26. Click Add Schema to add a dual authentication schema.

    dual auth schema

  27. Choose the created schema and click OK.

    schema dual auth

  28. Click Add Policy and add LDAP authentication.

    LDAP policy

  29. Select the authentication policy to validate OTP and click OK

    LDAP policy

  30. Click Done to save the configuration.

  31. Select the nFactor Flow created and bind it to an authentication, authorization, and auditing virtual server. Click Bind to Authentication Server and Click Create.

    LDAP policy


    You can bind and unbind the nFactor using the nFactor Flows page through Show Bindings option only.

Unbind the nFactor flow

  1. On the nFactor Flows page, click Show Bindings from the hamburger icon.

  2. On the Authentication Server Bindings page, select the authentication server to unbind and click Unbind. Click Close.

    LDAP policy