Citrix Endpoint Management

Domain or domain plus security token authentication

Citrix Endpoint Management supports domain-based authentication against one or more directories that are compliant with the Lightweight Directory Access Protocol (LDAP). You configure a connection in Citrix Endpoint Management to one or more directories. Citrix Endpoint Management uses the LDAP configuration to import groups, user accounts, and related properties.


Citrix Endpoint Management doesn’t support changing the authentication mode from one type of authentication mode to a different authentication mode after users enroll devices in Citrix Endpoint Management. For example, you can’t change the authentication mode from Domain authentication to Domain + Certificate after users have enrolled.

About LDAP

LDAP is an open-source, vendor-neutral application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory information services are used to share information about users, systems, networks, services, and applications available throughout the network.

A common usage of LDAP is to provide single sign-on (SSO) for users, where a single password (per user) is shared among multiple services. Single sign-on enables a user to log on one time to a company website, for authenticated access to the corporate intranet.

A client starts an LDAP session by connecting to an LDAP server, known as a Directory System Agent (DSA). The client then sends an operation request to the server, and the server responds with the appropriate authentication.

To add or edit LDAP connections in Citrix Endpoint Management

You typically configure LDAP connections when you onboard to Citrix Endpoint Management, as described in To configure LDAP. If you onboarded before the screens shown in that section were available, use the information in this section to add LDAP connections.

  1. In the Citrix Endpoint Management console, go to Settings > LDAP.

  2. Under Server, click LDAP. The LDAP page appears.

    LDAP configuration screen

  3. On the LDAP page, click Add or Edit. The Add LDAP or Edit LDAP page appears.

    LDAP configuration screen

  4. Configure these settings:

    • Directory type: In the list, click the appropriate directory type. The default is Microsoft Active Directory.
    • Primary server: Type the primary server used for LDAP; you can enter either the IP address or the fully qualified domain name (FQDN).
    • Secondary server: Optionally, if a secondary server has been configured, enter the IP address or FQDN for the secondary server. This server is a failover server used if the primary server cannot be reached.
    • Port: Type the port number used by the LDAP server. By default, the port number is set to 389 for unsecured LDAP connections. Use port number 636 for secure LDAP connections, use 3268 for Microsoft unsecure LDAP connections, or 3269 for Microsoft secure LDAP connections.
    • Domain name: Type the domain name.
    • User base DN: Type the location of users in Active Directory through a unique identifier. Syntax examples include: ou=users, dc=example, or dc=com.
    • Group base DN: Type the location of groups in Active Directory. For example, cn=users, dc=domain, dc=net where cn=users represents the container name of the groups and dc represents the domain component of Active Directory.
    • User ID: Type the user ID associated with the Active Directory account.
    • Password: Type the password associated with the user.
    • Domain alias: Type an alias for the domain name. If you change the Domain alias setting after enrollment, users must re-enroll.
    • Citrix Endpoint Management Lockout Limit: Type a number between 0 and 999 for the number of failed logon attempts. A value of 0 means that Citrix Endpoint Management never locks out the user based on failed logon attempts. The default is 0.

      Consider setting this lockout limit to a lower value than your LDAP lockout policy. Doing so helps prevent user lockouts if Citrix Endpoint Management is unable to authenticate to the LDAP server. For example, if the LDAP lockout policy is 5 attempts, configure this lockout limit to 4 or lower.

    • Citrix Endpoint Management Lockout Time: Type a number between 0 and 99999 representing the number of minutes a user must wait after exceeding the lockout limit. A value of 0 means that the user isn’t forced to wait after a lockout. The default is 1.
    • Global Catalog TCP Port: Type the TCP port number for the Global Catalog server. By default, the TCP port number is set to 3268; for SSL connections, use port number 3269.
    • Global Catalog Root Context: Optionally, type the Global Root Context value used to enable a global catalog search in Active Directory. This search is in addition to the standard LDAP search, in any domain without the need to specify the actual domain name.
    • User search by: Select the format of user name or user ID that Citrix Endpoint Management uses to search for users in this directory. Users enter their user name or user ID in this format when enrolling. If you change the User search by setting after enrollment, users must re-enroll.

      If you choose userPrincipalName, users enter a user principal name (UPN) in this format:

      • username@domain

      If you choose sAMAccountName, users enter a secure account manager (SAM) name in one of these formats:

      • username@domain
      • domain\username
    • Use secure connection: Select whether to use secure connections. The default is NO.
  5. Click Save.

To delete an LDAP-compliant directory

  1. In the LDAP table, select the directory you want to delete.

    You can select more than one property to delete by selecting the check box next to each property.

  2. Click Delete. A confirmation dialog box appears. Click Delete again.

Configure domain plus security token authentication

You can configure Citrix Endpoint Management to require users to authenticate with their LDAP credentials plus a one-time password, using the RADIUS protocol.

For optimal usability, you can combine this configuration with Citrix PIN and Active Directory password caching. With that configuration, users don’t have to enter their LDAP user names and passwords repeatedly. Users enter user names and passwords for enrollment, password expiration, and account lockout.

Configure LDAP settings

Use of LDAP for authentication requires that you install an SSL certificate from a Certificate Authority on Citrix Endpoint Management. For information, see Upload certificates.

  1. In Settings, click LDAP.

  2. Select Microsoft Active Directory and then click Edit.

    LDAP configuration screen

  3. Verify that the Port is 636, which is for secure LDAP connections, or 3269 for Microsoft secure LDAP connections.

  4. Change Use secure connection to Yes.

    LDAP configuration screen

Configure Citrix Gateway settings

The following steps assume that you already have added a Citrix Gateway instance to Citrix Endpoint Management. To add a Citrix Gateway instance, see Citrix Gateway and Citrix Endpoint Management.

  1. In Settings, click Citrix Gateway.

  2. Select the Citrix Gateway and then click Edit.

  3. From Logon Type, select Domain and security token.

Enable Citrix PIN and user password caching

To enable Citrix PIN and user password caching, go to Settings > Client Properties and select these check boxes: Enable Citrix PIN Authentication and Enable User Password Caching. For more information, see Client properties.

Configure Citrix Gateway for domain and security token authentication

Configure Citrix Gateway session profiles and policies for your virtual servers used with Citrix Endpoint Management. For information, see the Citrix Gateway documentation.

Domain or domain plus security token authentication