Citrix ADC

Forms based authentication

With Forms based authentication, a logon form is presented to the end-user. This type of authentication form supports both multifactor (nFactor) authentication and Classic authentication.

Forms based AAA-TM

Ensure the following for the Forms based authentication to work:

  • The load balancing virtual server must have authentication turned ON.

  • The ‘authenticationHost’ parameter must specify the authentication virtual server to which the user is redirected for authentication. The command for configuring both settings is as follows:

     set lb vs lb1 -authentication on -authenticationHost aaavs-ip/fqdn
    
  • Forms based authentication is compatible with any browser that supports HTML.

The following steps walk through how the Forms based authentication works:

  1. The client (browser) sends a GET request for a URL on the TM (load balancing/CS) virtual server.
  2. The TM virtual server determines that the client has not been authenticated, and sends an HTTP 302 response to the client. The response contains a hidden script that causes the client to issue a GET request for /cgi/tm to the authentication virtual server.
  3. The client sends GET /cgi/tm, containing the target URL, to the authentication virtual server.
  4. The authentication virtual server redirects the client to the login page.
  5. The user sends its credentials to the authentication virtual server with a POST /doAuthentication.do. Authentication is performed by the authentication virtual server.
  6. If the credentials are correct, the authentication virtual server sends an HTTP 302 response to the /cgi/selfauth URL on the load balancing virtual server with a one-time token (OTP).
  7. The load balancing virtual server sends an HTTP 302 response to the client.
  8. The client sends a GET request for its initial target URL along with a 32-byte cookie.
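The eight steps above form one redirect chain between the client, the TM (load balancing) virtual server and the authentication virtual server. The following model is an added illustration, not Citrix ADC code: two in-memory "virtual servers" exchange the same HTTP messages the steps describe, and a small client follows the redirects. The hostnames, the cookie name TM_SESSION, the credential store and the hex token format are constructed assumptions; the one-time token is deliberately single-use, and the selfauth handler only bounces the client back to URLs on the TM vserver's own host.

```python
"""Walk-through of the Citrix ADC forms-based AAA-TM redirect chain.

Added model for illustration; it is not Citrix's implementation. Hostnames,
the cookie name, the credential store and the token format are constructed
assumptions.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

TM_HOST = "app.example.test"    # load balancing (TM) vserver, constructed name
AAA_HOST = "aaa.example.test"   # authentication vserver (authenticationHost), constructed name
SESSION_COOKIE = "TM_SESSION"   # placeholder cookie name, not the real ADC cookie


def _query(url, key):
    """Return the first value of query parameter `key` in `url`, or None."""
    return parse_qs(urlparse(url).query).get(key, [None])[0]


class AuthVserver:
    """Authentication virtual server: /cgi/tm, login form, credential check, one-time token."""

    def __init__(self, users):
        self.users = users   # constructed username -> password store
        self.otps = {}       # outstanding one-time tokens -> (user, target URL)

    def handle(self, method, url, form=None):
        path = urlparse(url).path
        if method == "GET" and path == "/cgi/tm":
            # steps 3-4: the TM vserver bounced the client here with its target URL;
            # send it on to the login page, carrying the target along
            loc = f"https://{AAA_HOST}/login?{urlencode({'target': _query(url, 'target')})}"
            return 302, {"Location": loc}
        if method == "POST" and path == "/doAuthentication.do":
            # steps 5-6: verify credentials, then redirect to /cgi/selfauth with an OTP
            if self.users.get(form.get("username")) != form.get("password"):
                return 401, {}
            otp = secrets.token_hex(16)
            self.otps[otp] = (form["username"], form["target"])
            loc = f"https://{TM_HOST}/cgi/selfauth?{urlencode({'otp': otp})}"
            return 302, {"Location": loc}
        return 404, {}

    def redeem(self, otp):
        """Consume a token: valid exactly once, so a replayed /cgi/selfauth request fails."""
        return self.otps.pop(otp, None)


class TMVserver:
    """Load balancing (traffic management) vserver with -authentication ON."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.sessions = {}   # session cookie value -> user

    def handle(self, method, url, cookies):
        path = urlparse(url).path
        if path == "/cgi/selfauth":
            # step 7: exchange the OTP for a session cookie and send the client back
            claim = self.aaa.redeem(_query(url, "otp"))
            if claim is None:
                return 403, {}, None
            user, target = claim
            if urlparse(target).netloc != TM_HOST:
                return 400, {}, None   # only redirect back to this vserver's own URLs
            session = secrets.token_hex(16)   # 32 ASCII characters, as in step 8
            self.sessions[session] = user
            return 302, {"Location": target, "Set-Cookie": f"{SESSION_COOKIE}={session}"}, None
        if cookies.get(SESSION_COOKIE) not in self.sessions:
            # step 2: unauthenticated request -> redirect to the AAA vserver's /cgi/tm
            loc = f"https://{AAA_HOST}/cgi/tm?{urlencode({'target': url})}"
            return 302, {"Location": loc}, None
        # step 8: authenticated request reaches the protected content
        return 200, {}, f"content for {self.sessions[cookies[SESSION_COOKIE]]}"


def run_flow(tm, aaa, username, password, target):
    """Client side: follow the redirect chain; return (status codes seen, final body, cookie jar)."""
    cookies, statuses = {}, []
    status, headers, body = tm.handle("GET", target, cookies)        # step 1
    statuses.append(status)
    while status == 302:
        url = headers["Location"]
        if "Set-Cookie" in headers:
            name, value = headers["Set-Cookie"].split("=", 1)
            cookies[name] = value
        if urlparse(url).netloc == AAA_HOST:
            if urlparse(url).path == "/login":
                # the user fills in the form: POST credentials plus the target URL
                form = {"username": username, "password": password, "target": _query(url, "target")}
                status, headers = aaa.handle("POST", f"https://{AAA_HOST}/doAuthentication.do", form)
            else:
                status, headers = aaa.handle("GET", url)
            body = None
        else:
            status, headers, body = tm.handle("GET", url, cookies)
        statuses.append(status)
    return statuses, body, cookies
```

A successful run returns the status sequence 302, 302, 302, 302, 200: the bounce to /cgi/tm, the redirect to the login page, the post-login redirect to /cgi/selfauth, the cookie-setting redirect back to the target, and finally the content. A wrong password stops the chain at the 401 from /doAuthentication.do, and presenting the same /cgi/selfauth URL twice yields 403 on the second attempt because the token was consumed.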

    Forms based AAA-TM flow diagram
